[personal profile] mjg59
Since there are probably going to be some questions about this in the near future:

The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load.

There is no centralised signing authority for these UEFI keys. If a vendor key is installed on a machine, the only way to get code signed with that key is to get the vendor to perform the signing. A machine may have several keys installed, but if you are unable to get any of them to sign your binary then it won't be installable.

This impacts both software and hardware vendors. An OS vendor cannot boot their software on a system unless it's signed with a key that's included in the system firmware. A hardware vendor cannot run their hardware inside the EFI environment unless their drivers are signed with a key that's included in the system firmware. If you install a new graphics card that either has unsigned drivers, or drivers that are signed with a key that's not in your system firmware, you'll get no graphics support in the firmware.

Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled. The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or alternatively for each OEM to include their own key and sign the pre-installed versions of Windows. The second approach would make it impossible to run boxed copies of Windows on Windows logo hardware, and also impossible to install new versions of Windows unless your OEM provided a new signed copy. The former seems more likely.

A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.
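The key policy described above (a whitelist that is only extended through the firmware's exchange key, a blacklist that overrides it, and refusal of anything not signed by a whitelisted key) can be modelled in a few lines. This is an added example, not code from the post or from any firmware; the key names, secrets and image bytes are constructed, and HMAC stands in for real signatures (a real firmware verifies a public-key signature over the image, so the verifying side holds no secret).

```python
import hashlib
import hmac


class SecureBootPolicy:
    """Toy model of the UEFI secure boot policy described in the post.
    Signatures are HMAC-SHA256 stand-ins constructed for this example."""

    def __init__(self, kek_secret):
        self.kek = kek_secret   # exchange key: authorises db/dbx updates
        self.db = {}            # whitelist: key id -> verification secret
        self.dbx = set()        # blacklist of key ids

    def _verify(self, secret, data, sig):
        expected = hmac.new(secret, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

    def update(self, kek_sig, which, key_id, key_secret=None):
        """Apply a db or dbx update only if it carries a valid KEK signature."""
        payload = f"{which}:{key_id}".encode()
        if not self._verify(self.kek, payload, kek_sig):
            return False
        if which == "db":
            self.db[key_id] = key_secret
        elif which == "dbx":
            self.dbx.add(key_id)
        else:
            return False
        return True

    def may_load(self, image, key_id, sig):
        """Blacklist wins over whitelist; unknown or unsigned images are refused."""
        if key_id in self.dbx or key_id not in self.db:
            return False
        return self._verify(self.db[key_id], image, sig)


def sign(secret, data):
    return hmac.new(secret, data, hashlib.sha256).digest()


def demo():
    kek, vendor = b"constructed-kek-secret", b"constructed-vendor-secret"
    fw = SecureBootPolicy(kek)
    fw.update(sign(kek, b"db:vendor"), "db", "vendor", vendor)   # OEM key only
    image = b"constructed bootloader image"
    ok = fw.may_load(image, "vendor", sign(vendor, image))        # OEM-signed
    unsigned = fw.may_load(image, "vendor", b"\x00" * 32)         # bad signature
    generic = fw.may_load(image, "distro", sign(b"distro-key", image))  # not in db
    fw.update(sign(kek, b"dbx:vendor"), "dbx", "vendor")          # revoke OEM key
    revoked = fw.may_load(image, "vendor", sign(vendor, image))
    forged = fw.update(sign(b"not-kek", b"db:distro"), "db", "distro", b"x")
    return ok, unsigned, generic, revoked, forged
```

The `generic` case is the situation the post describes: a distribution signed with a key no OEM included is refused exactly like an unsigned image, and nobody without the KEK can add that key to the whitelist.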

Now, obviously, we could provide signed versions of Linux. This poses several problems. Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub Legacy is under GPLv2, which lacks the explicit requirement for keys, but it could be argued that the requirement to provide the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by every OEM.

There's no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code. However, experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market. It's almost certainly the case that some systems will ship with the option of disabling this. Equally, it's almost certainly the case that some systems won't.

It's probably not worth panicking yet. But it is worth being concerned.

Buy Linux Machines

Date: 2011-09-20 09:41 pm (UTC)
From: (Anonymous)
All the more reason to stop buying Windows machines to load Linux onto them. Buy Linux machines from Linux hardware vendors.

Re: Buy Linux Machines

Date: 2011-09-20 11:22 pm (UTC)
From: (Anonymous)
We should make a list of Linux hardware vendors.

Re: Buy Linux Machines

Date: 2011-09-21 02:09 am (UTC)
From: (Anonymous)
We have this in France:
- list of the good/bad hardware makers:
- list of the good/bad hardware vendors:

Note that "good" and "bad" are defined on a few criteria like:
- do they make the pre-installed software optional?
- do they provide various options for pre-installed software?
- is the cost of pre-installed software displayed when buying the machine?

Hope that helps.

Re: Buy Linux Machines

Date: 2012-02-16 02:35 pm (UTC)
From: (Anonymous)

The LXer.com pre-installed Linux hardware vendor database.

I've personally had excellent luck buying "generic" hardware, such as white-box systems and motherboards. All have run Linux perfectly since I first started using it.

One caveat, I have not had a system yet that has this "secure boot" option, so I cannot say that it will be something that can be turned off. Turning it off would be best, because having such a system makes the use of Linux live CDs and DVDs impossible, thus creating a situation where a system cannot be rescued.

Re: Buy Linux Machines

Date: 2011-09-21 01:23 pm (UTC)
From: (Anonymous)
That works if you're in the habit of buying new machines to start with. Many people, myself included, recycle older hardware for most of our needs. My current desktop is an off-lease corporate developer workstation that I picked up for a fraction of what a new box would have cost. One of the nice things about Linux is that it will run quite nicely on hardware that Microsoft deems obsolete. UEFI would appear to give them a way to enforce their view.
From: [identity profile] http://identi.ca/rozzin
While I like the idea of just buying hardware from the friendly vendors like ZaReason, System76, ThinkPenguin, et al., it may actually be more productive to buy Windows laptops and then return them if/when you find that they don't meet your requirements--because processing returns actually costs the vendor something.

The idea of behaving like this makes me uncomfortable, but it seems economically sound: this is the way that customers actually communicate with the vendors, and ultimately with the manufacturers.
From: (Anonymous)
"... it may actually be more productive to buy Windows laptops and then return them if/when you find that they don't meet your requirements--because processing returns actually costs the vendor something."

Most OEMs already charge you a re-stocking fee if you return a computer.
From: (Anonymous)
Make it clear in the order that you expect Linux support; if it arrives without it, it's false advertising. A good credit card will void the restock fee AND yell at the seller for it.
From: [identity profile] http://identi.ca/rozzin
"Most OEMs already charge you a re-stocking fee if you return a computer."

It looks like some big vendors, like Best Buy, don't. Coincidentally, these big vendors are also the ones with the most power to affect manufacturers.

I don't know whether Best Buy eats the cost of returns, or if they use whatever clout they have to make the OEMs eat the cost. It probably doesn't matter though, does it? If Best Buy bears the cost of a certain brand being returned more often, then Best Buy has an incentive to replace that brand with one with a better return-rate--and the OEM has an incentive to fix their problems so that Best Buy doesn't stop stocking/selling them. If Best Buy gets the OEMs to eat the cost of returns, then the OEMs have a more direct incentive to figure out how to reduce their return-rates. Best Buy apparently gathers data on why people return things, also.

So..., other reasons why return-rates shouldn't be expected to influence the market?

Re: Buy Linux Machines

Date: 2011-09-21 04:22 pm (UTC)
From: (Anonymous)
Only problem: Lack of choice in system features. I have several tablet computers (x86 class). If the one I want is hardware locked like this,... I'm stuck with one I don't want. I currently have a Dell Inspiron Duo as my primary day-in/day-out Linux portable. But a Win8 machine like that will likely be locked out. M$ wants to lock Linux out of the form factors that it is most threatened by; Mobile/Tablet.

The ONLY real option for making the vendors knuckle under is to order their (expensive) machines and return them with RMA #s if the vendor did the lock-out trick (you KNOW they won't disclose when they are locking machines out). They'll be stuck off-loading them at factory refurb prices, and at a loss... Hit 'em in the pocketbook... That'll fix 'em good.

Re: Buy Linux Machines

Date: 2011-09-22 02:01 am (UTC)
From: [identity profile] gonzalo-vc.myopenid.com
That's a very good idea.
Second only to buying a machine with no pre-installed system and installing GNU/Linux for free!


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.
