I installed linux but it wouldn't boot. Major bummer.
It wasn't clear that UEFI signing was at fault, but there was no other reason for it to refuse to boot the image. The install went fine right through the reboot. I re-installed linux trying several different things, all unsuccessfully. I also booted a "rescue" image and verified the install looked valid.
There was no way to turn off UEFI signing in the BIOS menus.
I went to the manufacturer's web site and found they had a "Linux BIOS" image. http://support.gateway.com/us/en/emac/product/default.aspx?t... I was able to reflash the BIOS with the P01.C1L image, but I had to force it by looking at their "flash.bat" file adding a /X flag to the flash command in there.
With the "linux" BIOS image, the board booted linux just fine. Huh.
* UEFI is a real risk. Most mainstream PCs nowadays boot linux out of the box. I lived through the times when I bought a new PC "at risk" because it might have chips that were not supported by linux. UEFI brings that risk back, but through software, not hardware. Sucks!
* The hardware manufactures apparently are getting the "it must run linux" message, even for low end throw-away machines. Yeah!
* Reflashing BIOSes, especially when the user has to manually override "self protection" aborts, is not something an unsophisticated user is going to be able to do. Sucks.
The BIOS flashing does add an extra risk factor though, prepare for many "Linux fucked my PC!" rants from users who screwed up the flashing process.
I took a look at the site, and it doesn't appear to have any information about that. Are you aware of some functionality that isn't listed on the site?
For what it's worth, UNetbootin is a really nice way to create liveUSB drives that you can use to install Linux/BSD.
I was really more interested in netboot installs, where the machine downloads a boot image (via TFTP generally) and does the install from there.
In fact, no hard drive is needed in the machine if you want to just boot an image from a network share.
Apple uses a technology like this to reimage boot drives:
This is how it works in Ubuntu:
Not that I don't agree that there's a potentially dangerous precedent here, but this is omitting a key detail. For x86 computers, MS's certification requires that users can disable secure boot. Of course, this is not true for ARM computers, hence the dangerous precedent.
It just shows how the terminology is changed to have a higher impact for an argument.
iOS is a lost cause, most likely, since it won't even let users run whatever they want.
Motorola have merely promised, my Milestone is exactly as locked as it was before that blog post.
Hopefully things will improve, but I'm not holding my breath. Next phone is a Google device.
Except the expectations of the consumer, which was, you know, the whole point of my post. The touch interface has literally nothing to do with it.
To be totally clear, I agree that Android doesn't carry the same caveats as iOS and Windows RT, but in the eyes of the consumer, Windows and Android mean very different things.
"Secure boot" creates barriers to entry for operating system innovators. I don't see how this isn't an abuse of monopoly power to tighten the screws on a market threatened by disruptive competition; if antitrust laws can't help us here, I don't know why we even bother to have them.
Does anyone know the process in the USA for lodging antitrust complaints with the government?
Double standard. It seems people are willing to let it slide with Apple but not with Microsoft. Even Mozilla came out decrying Microsoft's policy of not allowing third party browsers but never said a peep about iOS. There's no use throwing a fit just because Microsoft is doing it when you let the actual tablet monopoly get away with it for so long.
On top of that, they have the option of piggybacking on Microsoft's certificate. Microsoft will even subsidize the cost of getting a certificate from Verisign to allow that.
Finally, Microsoft is using their market power to force OEMs of x86 computers to include a way for users to disable Secure Boot and to add new certificates.
Actually, this isn't quite true. It turns out that the Secure Boot specification only allows for a single valid certificate in certain places.
"...the UEFI specification
only allows an image to be signed by a single key" - https://lists.ubuntu.com/archives/ubuntu-devel/2012-June/035...
For a lot of users, merely having the option of signing their images simply won't be good enough. Unless the signing keys are available to everyone, you cannot boot a self-compiled kernel on a secure boot system.
If they aren't frequently switching back and forth between Windows and Linux, what's wrong with going into the firmware settings and turning off Secure Boot so that they can run whatever Linux they want with no restrictions?
I thought that the windows 8 certification for x86 required that users should be able to disable secure boot.
There can't be any universe in which that isn't a shortsighted and downright ludicrous move.
If anything we should be happy for the manufacturers that does that, it means we'd never have to consider them again.
Or a certification standard that mandated that vendors do something, but was highly nonspecific as to exactly how they were to do it.
This would never be a problem without both fraudulent manufacturers and an unclear certification standard.
To be honest, I'm very excited for Secure Boot. It, combined with TPMs and disk encryption, will finally allow desktop computers to be a truly secure platform (barring opening up the ICs on the motherboard, anyway).
Here's Fedora's response (Matthew Garret mjg59):
"We explored the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it, but turned it down for a couple of reasons. First, while we had a surprisingly positive response from the vendors, there was no realistic chance that we could get all of them to carry it. That would mean going back to the bad old days of scouring compatibility lists before buying hardware, and that's fundamentally user-hostile. Secondly, it would put Fedora in a privileged position. As one of the larger distributions, we have more opportunity to talk to hardware manufacturers than most distributions do. Systems with a Fedora key would boot Fedora fine, but would they boot Mandriva? Arch? Mint? Mepis? Adopting a distribution-specific key and encouraging hardware companies to adopt it would have been hostile to other distributions. We want to compete on merit, not because we have better links to OEMs."
As far as I can see all pc manufacturers would need to do is verify the certificate of each os on an os selection screen and display the result to the user
>A number of Intel processors since the introduction of the Nehalem microarchitecture (that is, a number of CPU branded Core i5, Core i7, or later) support VT-d, an IOMMU implementation. This allows the operating system (OS) to isolate a device in its own virtual memory address space (in a manner analogous to the isolation of processes from one another using the MMU). Devices could thus be prevented from having access to unauthorized parts of the memory space. However, this feature isn't generally used other than for its initial purpose of giving guest virtual machines passthrough access to specific host hardware.
So.. maybe? Resolving that 'citation needed' would be nice.
Yes it's a dream, but maybe one day... maybe one day...
And if this Microsoft key were to be found being used as part of an exploit, ala the previous Microsoft cert being used to sign Stuxnet?
Not that I am encouraging any specific behavior...
Am I missing something here, as I post this from Debian running on my work iMac? All I had to do was install rEFIt ( http://refit.sourceforge.net/ ), install Debian, and let rEFIt detect it (I forget if it involved manual configuration, been a while.)
I think this is much ado about nothing, especially given that Microsoft seems to be insisting that manufacturers leave in the option to turn off secure boot. I also thought Linux had the capability to boot off of UEFI; is this not true?
This means that whilst you may be able to run big "brand name" distributions like Ubuntu or RedHat on a secure boot PC more obscure distros might simply not work at all (unless you turn secure boot off).
Also, the other distributions could simply use Ubuntu's signed bootloader (So could rootkits).
edit (lol, microsofties down voting this comment)
"Microsoft Files Motion in Apple v. Samsung to Hide Patent License Agreement Terms ~pj"
As explained in the accompanying declaration of Tanya Moore, Microsoft's General Manager of Outbound Licensing, Exhibits 3A and 3B to the Teece Report contain sensitive confidential and proprietary business information from the Confidential Agreement between Microsoft and Samsung. The Teece Report summarizes sensitive portions of the Confidential Agreement, including the licensed technology, term of the license, royalty rates, and payment information, among other things. (Moore Decl. at ¶¶ 3-4).
On a related note, why don't Canonical start selling their own hardware? Most laptops are pretty crappy, I'm sure they could do better and having official support would be great.
But many new Linux users start by installing Linux on a PC bought with Windows, so we definitely want to make that as easy as possible.
It would make more sense to have Linux as the base, and windows in a VM.
I'm not saying it's a bad option, but it does have downsides.
I'd like to not pay Microsoft just so I can use Linux.