Re: BIOS setup save the day!

Date: 2011-09-21 05:42 pm (UTC)
From: (Anonymous)
Having to disable a scary BIOS option that says "Don't disable this for security reasons." in the on-screen help, is likely to dissuade many users from trying out Linux via a LiveCD. The failed Windows 8 boot when they stop trying out the LiveCD and reboot without resetting the flag may also persuade them that Linux broke their computer.

Assuming the BIOS permits the option - as mentioned elsewhere, remove the feature, and that's one less thing you have to debug on your budget PC, one less thing you have to provide support for - there will be a whole new class of boot failures when Windows 8 users flip the option for whatever reason.

Even those of us who are tech-savvy are going to get *really* annoyed flipping the state every time they switch OS. I do as much work as possible in Linux but alas, my employer requires that I boot Windows fairly regularly, just to get a DHCP lease for my hardware. I also like to play games, and faffing about with Wine is not what I would call conducive to leisure. New games will probably start requiring secure boot anyway so you can't cheat.

The shame of it is, the feature has a legitimate use, and is probably a good thing for Windows users, who let's face it, need more security.

The only acceptable implementation would be one which permitted you to add keys to the keystore at boot time, in the BIOS setup, via entry of a checksum-verified key block. Then you don't need to buy a "blessed" proprietary OS just to add keys. Alas, this would be an even more serious deterrent to any casual use of Linux on a given piece of hardware.

So all in all, I wouldn't prohibit this feature - that would seem to be against the Free Software ethos, after all. And it's going to be good for Windows users. But I would mandate that any implementation also provides...

  • Ability to add signing keys to the keystore via BIOS setup

    • Although it's obviously better to get an OSS friendly key in there from the get-go, so the common distros can get their bootloaders signed.

  • The ability to disable secure boot with one key at boot time

    • Perhaps with the ability to choose to boot a given volume in non-secure mode, from the usual BIOS boot
      choice menu.

    Identity URL: 
    Account name:
    If you don't have an account you can create one now.
    HTML doesn't work in the subject.


    If you are unable to use this captcha for any reason, please contact us by email at

    Notice: This account is set to log the IP addresses of everyone who comments.
    Links will be displayed as unclickable URLs to help prevent spam.


    Matthew Garrett

    About Matthew

    Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

    Expand Cut Tags

    No cut tags