
Shimming your way to Linux on Windows 8 PCs - CrankyBear
http://www.zdnet.com/shimming-your-way-to-linux-on-windows-8-pcs-7000008246/
======
mtgx
I can only hope this UEFI issue backfires against Windows, in favor of Linux.
For example manufacturers could be forced to create "Linux machines" that sell
separately from the Windows ones, and even promote them with a message like
"You can use Linux, or you can install Windows on your machine later, if you
want, while you can't install Linux on a Windows 8 machine." They might have
to do this anyway if Windows 8 doesn't take off, and Microsoft even starts
charging them more for it.

That would be similar to Apple's message that you can install Windows on their
hardware, but you can't install Mac OS X on other hardware, so then why not
buy a Mac and get the best of both worlds?

~~~
dsr_
Mnyeh. I would prefer a hardware switch, preferably located on the case.
"Boot: LOCK | UNLOCK". Then you never have to curse someone for buying the
wrong system.

~~~
JoshTriplett
ChromeOS devices have a hardware "developer mode" switch serving the same
purpose; I'd love to see the same switch controlling Secure Boot and related
technologies on a UEFI system.

------
w1ntermute
On my X1 Carbon, I had to go into the BIOS and disable "secure boot" in order
to even boot from a Linux Live USB drive. That would already deter a good
number of people from even trying. I hope things don't get any worse.

~~~
marshray
How did you get Linux on a USB drive? That in itself is a PITA and an obstacle
for me.

Personally, I think having to specifically enable boot-from-USB in the BIOS is
a very valuable security measure. However, I do support the ability of
everyone to control their own PC.

~~~
w1ntermute
It's not hard at all. In Ubuntu you can set up a live USB using the Ubuntu
Live USB creator[0]. More directions in the Ubuntu docs[1]. On Windows,
there's the LinuxLive USB Creator[2].

0: <https://launchpad.net/usb-creator>

1: <https://help.ubuntu.com/community/Installation/FromUSBStick>

2: <http://www.linuxliveusb.com/>

~~~
marshray
Yes, I know I can do it since I've done it before.

I'm just saying I find it much more involved than changing a simple BIOS
setting.

------
politician
The way I did it on my new laptop was to disable "secure boot", wipe the hard
drive, and install Ubuntu from a live USB. It runs like a champ.

It was a fairly straightforward process except for determining the BIOS hotkey
as this system hides the hotkey when secure boot is on, but shows it during
boot when it's off. I had to call the OEM to figure it out -- it wasn't in the
manual, the support site, or elsewhere on the internet.

~~~
gnosis
_"The way I did it on my new laptop was to disable "secure boot", wipe the
hard drive, and install Ubuntu from a live USB."_

Would doing this void your laptop's warranty?

~~~
nickzoic
I do this all the time to laptops ... boot Windows once to go through the
whole "create backup DVDs" procedure, then put the DVDs away somewhere safe
and wipe the machine. If you ever have to claim warranty, back up your Linux
files, securely wipe the HDD, then restore from the backup DVDs and send the
newly restored machine back.

This is also good security policy ...

~~~
w1ntermute
I tried to back up the Windows 8 install on my X1 Carbon before wiping it, but
it was too difficult without an optical disc drive, so I just gave up. Perhaps
it depends on the OEM, but I don't believe Lenovo cares what software is on
the device.

------
gnosis
According to the article, _"it does have one disadvantage though for some
Linux distributors. Since the shim is a pre-compiled binary, distributions
such as Debian, which insist on having full source code availability, may
choose not to use it."_

Does anyone know why the source is not available?

Is there a chance that an open-source alternative will become available in the
future?

~~~
randallu
Source: <https://github.com/mjg59/shim>

The issue is getting binaries you build signed, I guess (i.e.: Debian can't
build Shim and get a signed binary at the end, so having source isn't
important to them; however if you want to contribute fixes, etc, then
presumably you can develop on a machine with your own certificate installed
and then Red Hat can pay to get a new Shim build signed by Microsoft).

~~~
gnosis
_"The issue is getting binaries you build signed"_

How is the shim binary signed?

_"Debian can't build Shim and get a signed binary at the end"_

Why can the shim's author sign his own binary, but Debian can't sign theirs?

~~~
mjg59
"How is the shim binary signed?"

I paid Symantec $99, sent them a notarised copy of my ID, created a Microsoft
sysdev account, uploaded the binary to Microsoft, waited a couple of days and
got a signed one back.

"Why can the shim's author sign his own binary, but Debian can't sign theirs?"

Debian could do the same, but could all their users? Will Microsoft sign
binaries for someone in Syria? That kind of thing is important to Debian, and
it's one of the things that distinguishes them from the vast majority of other
Linux distributions.

~~~
gnosis
Why does Microsoft have to be involved in the signing process? After all,
you're not buying the computer from them.

Can't there be some sort of independent signing authority? In fact, why
couldn't the user just sign and install his own code without involving any
third party at all?

This whole "secure boot" system seems really poorly conceived, unless its
purpose is to take power away from the user who owns the computer and give it
to a central authority.

~~~
mjg59
There could be an independent signing authority providing that (a) they could
provide some incentive to all hardware vendors to ship their keys and (b)
there was someone actually competent and willing to be that independent
signing authority. For Microsoft, this is just an extension of the Windows
driver signing program - they already had most of the infrastructure in place,
so there was little additional expense involved in handling Secure Boot as
well. And Microsoft certainly have the means to "encourage" vendors to ship
with their keys, since they can withhold the Windows logo program funding from
vendors otherwise.

~~~
yuhong
I suggested on Twitter to just transfer Microsoft's keys if possible.

~~~
mjg59
There's still the cost of managing it (you're looking at $millions) - it's
something that various parties have looked into, and then decided against.
It's also unclear that having a third-party holder would _actually_ be any
better. So far Microsoft have behaved far more reasonably than you might
expect, and what problems there have been can be chalked up to large company
rather than malice. I understand why people don't want to trust Microsoft, but
I don't currently see any evidence that they're misusing their powers here.

------
ilaksh
They call it 'secure' boot but it sounds like, practically speaking, this is a
misrepresentation.

The way that they have set this up seems to be obviously designed for the main
purpose of literally locking Linux out of the hardware.

So I expect to hear about an antitrust lawsuit against Microsoft (and
possibly a number of hardware manufacturers).

------
brudgers
For many purposes, using Hyper-V, which is included in Windows 8 Pro, would be
adequate.

Purchasing a non-logo system is another alternative for use cases
where virtualization offers inadequate performance. There are plenty of
compatible machines in the logistical pipeline.

The issue which this article asserts affects a small number of use cases
currently - persons purchasing a new consumer-oriented PC who want to run Linux.

~~~
rjbond3rd
> The issue... affects a small number of use cases currently...

With potentially large ripple effects. Old Windows boxes getting lightweight
Linux distros provide a lot of machines for students, schools, people without
cash, giveaway machines for friends, elderly relatives in need, etc.

Making that process harder (e.g., shim required) probably means more machines
will just go to the trash (unless the shim is widely incorporated in
lightweight distros maybe). What a waste (at the very least, of time).

------
antihero
Can't secure boot be disabled in the BIOS?

