Does anybody know if anybody is working on the UEFI Linux lockout problem? Has anybody solved the problem?
Announcement
Collapse
No announcement yet.
Will UEFI lock out Kubuntu
Collapse
This topic is closed.
X
X
-
Pan-Galactic QuordlepleenSo Long, and Thanks for All the Fish
- Jul 2011
- 9524
- Seattle, WA, USA
- Send PM
Short answer: no.
Slightly less short answer: yes on ARM processors, no on X86 processors.
Actual answer: hard to find. This one of those topics where there's more speculation than fact. If you search our forum here, you'll find a number of my own posts where I document what I've learned about UEFI. And I highly recommend that you check Michael Garrett's blog -- search for and absorb all that he's written about the topic. He truly gets it.
- Top
- Bottom
-
- Top
- Bottom
Comment
-
I was not able to view the video. It kept crashing. But my concern is not so much UEFI. I was able to get past that. My concern is the lockout feature, TPM or PKI. As I understand it, Windows 8 requires it and it locks out all other operating systems. Here's couple of links:
http://www.networkworld.com/communit...r-lock-linux-w
https://groups.google.com/forum/#!to...ug/req7jH6aAkQ
- Top
- Bottom
Comment
-
Pan-Galactic QuordlepleenSo Long, and Thanks for All the Fish
- Jul 2011
- 9524
- Seattle, WA, USA
- Send PM
One of the challenges UEFI presents is completely unrelated to technology: keeping up with the policy changes can almost feel like a part-time job. Your question includes mention of two separate technologies and also references some by-now outdated articles, so let me catch you up.
On all machines regardless of processor, UEFI supports a mechanism called secure boot. By matching a digital signature stored in the UEFI to keys used to sign the boot loader, the kernel, and all kernel-mode drivers, the firmware can validate the integrity of the pre-OS boot environment. The intention is to block the ability for malware to hijack the boot process and load an untrusted kernel. While the threat of that is certainly non-zero, I would argue that the threat is minor for the average home and corporate desktop user.
UEFI is a programmatic interface that offers much flexibility. This means that the capability exists to disable secure boot. And here's where the fears of vendor manipulation and lockin enter.
Manufacturers of machines with Intel and AMD processors must enable secure boot if they wish to emblazen their hardware with the Windows 8 certification logo. Microsoft has stated that such hardware should offer the ability to disable secure boot if the consumer wishes. However, the UEFI specification does not mandate that every bit of configurable functionality be exposed. Some vendors might choose to remove the ability to disable secure boot on their certified hardware, out of fear that they might be accused of being insecure or some other such silly nonsense. Manufacturers are also free to completely ignore Microsoft and ship their gear with secure boot disabled; such gear will never receive the blessing of Microsoft, however. This places the manufacturer in a conundrum. Imagine that J. Random PCbuyer is considering two systems at BestWallBuyMart. These systems are equivalently configured and equivalently priced. One has that shiny Windows 8 logo. The other doesn't. Which system will J. Random PCbuyer purchase? The answer is obvious.
Manufacturers of machines with ARM processors are more severely restricted. To receive Windows 8 certification, Microsoft requires manufacturers to enable secure boot and to prevent consumers from disabling this. In theory, technically adept users could replace the default ARM UEFI with a less-restrictive one; in such cases, Microsoft makes no guarantees that Windows will continue to operate properly.
You also mentioned TPM/PKI. A Trusted Platform Module (TPM) is a hardware mechanism that:
* measures and reports the behavior all elements of the boot environment
* stores encryption and signing keys
Most commonly, TPM is used to store the volume encryption key for BitLocker, the drive encryption feature in Windows. BitLocker doesn't require a TPM; keys can be stored on USB drives or in your brain. But if you do have a TPM, BitLocker can make use of its boot-time attestation features, which help to protect against certain attacks. Linux has supported the TPM since kernel version 2.6.12. The TPM API is open and can be used by any software procedure that needs a secure place to store keys, and any operating system that wants to take advantage of boot-time attestation.
UEFI is designed to work without a TPM. In fact, a default UEFI build won't even notice it. But UEFI can be instructed to use a TPM, if present, to construct and compare the hashes of binaries during the boot phase, measuring current behavior against known good previous behavior.
- Top
- Bottom
Comment
Comment