[personal profile] mjg59
There's been a few links to this story of someone buying a system that turned out to have UEFI firmware and also turned out not to boot. Given all the press, it's unsurprising that people would assume that problems they have with UEFI booting are related to Secure Boot, but it's very unlikely that this is the actual problem here. First, nobody's shipping an appropriately signed operating system yet. A hardware vendor that enabled secure boot out of the box would be selling a machine that wouldn't boot any OS you could buy. That's a poor way to make money. Second, the system booted a Fedora 17 CD. Fedora 17 isn't signed, so if the firmware booted it then the firmware isn't enforcing Secure Boot. Third, it didn't boot the installed OS. That's really at the point of it sounding like a hardware problem - selling systems that don't run the OS you sold them with is a guaranteed way of getting enough support calls that you wouldn't make any money on them, ever.

To be fair, Linux compatibility with UEFI systems is still not as good as it is with BIOS systems. Fedora 18 will be using a new UEFI boot process and so far in our testing it's been significantly more reliable than Fedora 17. There's still some remaining issues that we're aware of and working on, but right now it's hugely more likely that failures to boot Fedora 17 on UEFI systems are down to our bugs rather than Secure Boot.

Couldn't Comment, Site's Gone Missing

Date: 2012-08-16 10:32 pm (UTC)
From: (Anonymous)
I tried to say as much in a comment at the site, but that didn't seem to be possible.

Now, I'm getting 404's on both the link to the post and to the site itself.

Re: Couldn't Comment, Site's Gone Missing

Date: 2012-08-17 04:11 pm (UTC)
From: (Anonymous)
I grabbed this from the google cache: http://pastie.org/4538424

Date: 2012-08-18 03:55 am (UTC)
From: (Anonymous)
If the guy feel Secure Boot cause it, he could disable Secure Boot feature.

I am happy about I could install Linux with Secure Boot feature machine.
I didn't see my grub/Linux was compromised. I am a lazy guy, therefore I disable the feature.

I had this problem

Date: 2012-08-20 06:03 pm (UTC)
From: (Anonymous)
It's not exactly secure boot itself - but UEFI Bios's

We have here a Gigabyte (I can get the actual model number if anyone cares) motherboard that you can not boot without a UEFI partition on your drive. And we could not turn this off.

This isn't exactly a Secure Boot issue, but it's close (imho). And I think -like many new things- people have terminology/conceptual problems differentiating them.

Oh, and it took us like 4 hours to figure out how to install Linux with this motherboard because of Ubuntu's installer and confusion as to how the partition table needs to be. The mobo manual, lot's of googling, and reading this blog did not help :(. I'd like to give more info, but I've blocked most of it from my mind because it really, really ... sucked.

Re: I had this problem

Date: 2012-09-25 06:54 pm (UTC)
From: [identity profile] nullnix.myopenid.com
That's not at all a secure boot issue, though. That's just a UEFI system that has dropped the ability to do backwardly-compatible BIOS boots. I'm surprised these sell yet -- I just bought a new desktop, and while it has UEFI-capable firmware and came with a non-activated copy of Windows, it was booting that copy of Windows using the fallback BIOS-mode boot. So if that system had been UEFI-only, it would have shipped with a non-bootable OS.

I can't imagine this is rare, either, so most firmware is probably still capable of booting off a master boot record, and will be for some time.

NIST SP 800-147?

Date: 2012-08-22 06:31 pm (UTC)
From: [identity profile] dwheeler.com
Will this work with the the draft NIST Special Publication 800-147, here?: http://csrc.nist.gov/publications/PubsSPs.html

Look in particular at the draft 800-147B, "BIOS Protection Guidelines for Servers". Once this goes through, most US government computers (and many others) will be required to comply. I *think* it'll be okay, but I'm not sure.

RedHat should produce its own hardware

Date: 2012-08-23 09:30 am (UTC)
From: (Anonymous)
RedHat should dictate terms on how hardware manufactureres should do things and then contract Foxconn to produce hardware based on that for the industry. Manufacturers that refuse to cooperate would be guaranteed a loss of revenue.

Date: 2012-09-06 12:25 pm (UTC)
From: (Anonymous)
I don't know if it was UEFI in Linux or a bug in the latest intel BIOS update on my motherboard but i spend two days to realize (truing to install every possible distro) that i have to downgrade to an old version of the bios to have UEFI running/booting/behaving sanely.

And all those to fix a misrouted interrupt problem that the mobo has and the update was supposed to fix (it didn't and gave me more trouble).

Fun times. (NOT)


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Nebula. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Expand Cut Tags

No cut tags