“Secure Boot” Strikes

“When I tried to install the operating system of my choice, I found it wasn’t possible because the computer had a Secure Boot loading option. This feature requires that any operating system installed on the computer must be authorized through digital signatures issued by Microsoft. I tried to disable Secure Boot since it prevented the installation of the operating system I wanted, but my attempts to deactivate the feature were unsuccessful.”
 
See In Defense of Free Software: My Case Against Lenovo in Mexico
Remember the fears rampant when “Secure Boot” appeared? M$ could prevent installation of GNU/Linux? Well, we were told that the user/owner of the PC could disable it and normal installation would ensue. Well, there’s a case in Mexico involving a model from Lenovo wherein “Secure Boot” could not be disabled….

A court of law ruled that Lenovo had broken the law by not informing the buyer of this problem. Perhaps Lenovo was not even aware of the problem, because they offered to disable it and show the consumer, but Lenovo could not do it. So far Lenovo has not provided any remedy.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

9 Responses to “Secure Boot” Strikes

  1. John Doe wrote, “From now on, everyone must pay ransom to keep using it.
    Windows 10 is the biggest ransomware ever!”

    If M$ had put the creativity it puts into scamming the world/markets into producing great software, I probably never would have needed GNU/Linux to run my classroom so long ago. Instead they shipped Lose ’95 complete with integrated browser, ~50K bugs and zero security. The build we had on five PCs could not run a day without crashing, so every class was disrupted. It just was not useful with me juggling a multi-grade multi-level classroom of teenagers. With GNU/Linux those PCs gave great service for months and students rarely got off track. Since then I read US DOJ v M$ and learned what evil lurks at M$. It’s just dealing with the Devil to do any business with them. Ask yourself why Bill doesn’t leave M$. He doesn’t need the money. He’s old enough to retire to some pet foundation or gardening, yet he persists in being on the board. He’s the Devil that made it run. He’s the guy that made all the top-down decisions to mess with competition. He’s the one that decided it would be a good idea to enslave the world and he almost succeeded. He’s sticking around to try to achieve his dream of world domination one way or another.

  2. John Doe says:

    One thing no one is talking about is that Windows 10 changed to SaaS: Shitware as a Service.
    That is why M$ is pushing it onto everyone.
    From now on, everyone must pay ransom to keep using it.
    Windows 10 is the biggest ransomware ever!
    And cattle keep peacefully going to the slaughterhouse…

  3. AdmFubar says:

    Let’s not forget that UEFI had a kill switch in it..

  4. oiaohm says:

    I understand the need for secure boot (hint: prevent bootloader-loaded activation-killers like c-crack) but I think it should always be disable-able.
    This is where secure boot becomes a super laugh.
    https://docs.fedoraproject.org/en-US/Fedora/18/html-single/UEFI_Secure_Boot_Guide/#sect-UEFI_Secure_Boot_Guide-What_is_Secure_Boot-Protect_you_from

    Secure boot is to prevent your system loading bootloaders it does not have a KEK to accept. Now on UEFI implementations where you can change the platform keys you are more than free to change what the firmware will accept. Shim loaders that you see Linux distributions using, which are signed by Microsoft and then chain load their own, are officially acceptable by the UEFI standard.

    But, doesn’t that circumvent much of the so-called “security” that so-called “Secure Boot” is supposed to provide? Isn’t “Secure Boot” supposed to prevent you from running any unsigned operating system modules?
    luvr, the strict answer is that that is not in fact what Secure Boot is designed to do. Secure Boot is only designed to validate the bootloader. If you want a fully secure OS, after the Secure Boot loader is loaded it is then its responsibility to validate everything to load the kernel, then it’s the kernel’s responsibility to validate everything after that.

    As you can now see, that is a long chain, and with any flaw in the chain the idea that it is secure can vaporise.

    The other interesting point about secure boot is: remove the platform key and a UEFI system is meant to stop validating bootloaders at all and run anything; yes, it has to display a warning notice on boot.

    dougman, age of firmware on a Lenovo Yoga 2 is an issue.

    Newer Lenovo Yoga 2 firmwares don’t have a disable secureboot option; instead it is a clear Platform Key named ‘Reset to Setup Mode’.
    http://superuser.com/questions/863164/what-does-clear-pk-do
    Setup Mode as defined in UEFI is: run any bootloader, signed or not. This is the mode for people to custom set their Platform Key and KEKs, and in the process you might need to run your OS that the firmware does not know to generate the new Platform Key and KEKs.

    Of course the Lenovo support personnel, as this legal case is doing, do need to be pulled over the coals. But this is not a new problem. For a long time vendors have attempted to void warranty for installing Linux on machines.

    Mostly this case is about poor documentation and poor firmware option descriptions and poor technical support, resulting in the user being incorrectly trapped. It will be interesting if a company can be found liable for this.

    The Lenovo Yoga 2 is at the transition from firmware having a disable secureboot option to either a ‘clear PK’ or ‘delete PK’ or ‘Reset to Setup Mode’ configuration. The reason for the change is a security flaw. It turned out the disable secureboot flag was stored in areas writeable when the OS was running, whereas the PK is stored in areas that can be read-only once the boot loader is activated.
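
A way to check which of the states discussed in the comment above a machine is actually in, as an added example that is not part of the original post or comments: on Linux the firmware's standard UEFI `SecureBoot` and `SetupMode` variables are readable through efivarfs. The function names and state labels are illustrative, and `make_sample` only builds constructed files for trying the logic offline.

```shell
#!/bin/sh
# Added example: classify the UEFI Secure Boot state from efivarfs.
# SecureBoot and SetupMode both live under the EFI global-variable GUID.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# An efivarfs file is 4 bytes of attributes followed by the variable data;
# SecureBoot and SetupMode each carry a single data byte (0 or 1).
efi_byte() {  # $1 = efivars directory, $2 = variable name
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || { echo missing; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

sb_state() {  # $1 = efivars directory (defaults to the live system)
    dir="${1:-/sys/firmware/efi/efivars}"
    sb=$(efi_byte "$dir" SecureBoot)
    sm=$(efi_byte "$dir" SetupMode)
    case "$sm:$sb" in
        1:*) echo "setup-mode" ;;           # no PK enrolled, boot images not verified
        0:1) echo "user-mode-enforcing" ;;  # PK enrolled, signatures checked
        0:0) echo "user-mode-disabled" ;;   # PK enrolled, enforcement switched off
        *)   echo "unknown" ;;              # legacy BIOS boot or variables unreadable
    esac
}

# Constructed sample data: efivarfs-style files (attributes 0x06 + one byte).
make_sample() {  # $1 = directory, $2 = SecureBoot value, $3 = SetupMode value
    printf "\\006\\000\\000\\000\\00$2" > "$1/SecureBoot-$EFI_GLOBAL"
    printf "\\006\\000\\000\\000\\00$3" > "$1/SetupMode-$EFI_GLOBAL"
}

# With no argument this reports the state of the machine it runs on.
sb_state "$@"
```

A result of `setup-mode` on a machine that is supposed to be locked down means the Platform Key has been cleared and is worth treating as a finding in a fleet audit.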

  5. dougman says:

    “In November 2014, I bought the Lenovo Yoga 2”… the article was written in 2016, so I guess he bought another laptop and spent two years complaining about the other one?

    I would have returned it and got another one.

    In fact, I have seen Linux on that model laptop a few times. The local LUG users have a few, so I do not know this person’s entire story. Maybe the version of Linux he wanted is really…really old.

    https://forums.linuxmint.com/viewtopic.php?t=207377

  6. luvr says:

    “I understand the need for secure boot”

    Sorry, but I don’t. I have never used it, and I have never missed it.

    “you can get a signed Linux bootloader and then boot anything you want.”

    But, doesn’t that circumvent much of the so-called “security” that so-called “Secure Boot” is supposed to provide? Isn’t “Secure Boot” supposed to prevent you from running any unsigned operating system modules? Thus, if you are going to circumvent much of its so-called “security” anyway, then why bother with so-called “Secure Boot” in the first place?

  7. kurkosdr wrote, “much smaller issue than you make it out to be, because you can get a signed Linux bootloader and then boot anything you want.”

    Yes. Several problems with that. It complicates installation, another barrier to adoption of GNU/Linux, particularly by newbies. For instance, I have never installed on UEFI hardware. It’s also a dependency on M$, something we are trying to avoid. Why should M$ have any say at all on what software I choose to install? Further, if I can get a signed bootloader, why can’t a bad guy? Hence this is not about security but barring competition. No, thanks.

  8. kurkosdr says:

    And Microsoft keeps trying to make themselves unlikeable.

    I understand the need for secure boot (hint: prevent bootloader-loaded activation-killers like c-crack) but I think it should always be disable-able.

    But still, much smaller issue than you make it out to be, because you can get a signed Linux bootloader and then boot anything you want.

  9. John Doe says:

    M$’s secure butt?!
    🙂
