Funny how Microsoft does this just before the October EOL deadline for Windows 10, when a whole bunch of hardware is being forcibly obsoleted...
So... Microsoft has positioned itself between common users and Linux... and as an authority of sorts.
if only people had predicted this way back when it came out
There is even a whole section in Wikipedia on issues and criticism with secure boot:
https://en.m.wikipedia.org/wiki/UEFI#Secure_Boot_criticism
Some people argue that one can work around such locking down of PC hardware. Do this or that to avoid issues with substantial tinkering.
But that is not a bug but a feature. Sure, as a technical Linux user you can work around some nastiness. Like working around privacy invasion on Facebook or LinkedIn by "adjusting" settings, or "adjust" settings in Windows to make it more private and so on. The thing is: working against the platform becomes quickly a losing game, because you don't control the platform - Microsoft does. And it does not help you if you manage to re-gain control of your device after some hours of tinkering if 99.9% of people around you don't have the knowledge and time and store your data, photos, Emails on OneDrive and so on. Freedom is very much a collective thing and software freedom is no exception.
And this does not mean that the tinkering and hacking is in vain - but it is not enough. We need the practical right to control our devices.
well said
Being beholden to Microsoft doesn't sound like something anyone needs.
Until that ends I'm doing my best to avoid secure boot. I don't want to.
You can self-sign and self-enroll secure boot keys. Can’t say it’s an easy process, though - I had a lot of misery with it on my Surface Go 1st Gen. Might be better on my Thinkpad.
thus turning computers into phones, where you have to do a complicated unlocking/rekeying process to install your own OS.
That's bullshit. ARM is an architecture and by itself does not specify secure boot any more than x86 does. Raspberry Pis don't have secure boot. You can unlock the bootloader on a Pixel, install GrapheneOS, and relock the bootloader just fine. Several other manufacturers allow bootloader unlocks no problem. The main reason you can't on some popular phones is US carriers, even international Samsungs you can unlock the bootloader and flash whatever you want on it.
I'm literally typing this comment on a phone running a custom OS (LineageOS on a OnePlus 8T). I'm literally 2 versions of Android ahead of the latest supported version. I also have a Galaxy S7 running Android 15, a phone that officially tops out at Android 8 and launched with Android 6. Both you literally just toggle the bootloader unlock option in the settings, no hacks no craziness, it's literally a feature.
At this point you're just straight up making shit up.
> That's bullshit. ARM is an architecture and by itself does not specify secure boot any more than x86 does. Raspberry Pis don't have secure boot.
I mean Windows PCs with ARM CPUs which have Secure Boot, not Android smart phones or embedded devices.
Nope. Even Qualcomm themselves provide what's needed to run Linux on the Windows for ARM PCs.
The only one I can't find for sure is whether there's any lockdown on the firmware for the Microsoft Surface and Copilot+ laptops, but I'm also not finding any sources pointing that it would be. But at this point you're buying Microsoft hardware, what do you expect.
I thought it was a Microsoft centric thing in that the certificate authority was either Microsoft or signed by Microsoft?
Maybe I need to read about it more? Can you direct me to the general area?
Microsoft's keys are pre-installed to all motherboards, so boot binaries signed by Microsoft are trusted by default. AFAIK Microsoft keys often can't be removed, but not because it's not possible, but because it can brick devices. You can create your own MOK or Machine Owner Keys and set up your Linux system to sign your bootloader and kernel with it, but that is in addition to Microsoft keys.
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
Thank-you. Recently rebuilt my Arch Rescue build and saw that section in doing the UKI dance.
I don't mind the Microsoft keys being there at all. I just don't think tying myself to them is particularly clever.
From your final part. I think I need to go back and reread it. Thank-you again.
Here
https://en.m.wikipedia.org/wiki/UEFI#Secure_Boot_criticism
is a list of problems and criticism on Secure Boot.
Oh. Thank-you. I'll read through.
As commenters on the LWN thread said, I doubt that many firmwares even bother to check anyway. My motherboard happens to have had a bug where you can corrupt the RTC and end up in 2031 if you overclock it wrong. I didn't use secure boot then though so I don't know if it would have still booted Windows. But I imagine it would.
That said, I've always just enrolled my own keys. I know some other distros that make you enroll their keys as well like Bazzite. At least that way you don't depend on Microsoft's keys and shim or anything, clean proper secure boot straight into UKI.
> That said, I've always just enrolled my own keys.
That is far more complex than a firmware update and also depends on a correct implementation of the spec in the BIOS - which, given the experiences with ACPI for Linux, is not at all something one can rely on.
It has nothing to do with ACPI whatsoever. And firmwares this broken are the exception not the rule.
ACPI, especially as it was at the beginning, is a good example that formally having a spec does not guarantee interoperability: You might get running Linux on some Laptop, but this does not guarantee that essential things like power management work.
> As commenters on the LWN thread said, I doubt that many firmwares even bother to check anyway. My motherboard happens to have had a bug where you can corrupt the RTC and end up in 2031 if you overclock it wrong.
Seems it compares the expiration date of the UEFI key with the signature date of the bootloader / OS keys. (See the comments on the LWN article, some are far more knowledgeable than I am.) So, no, it does not require a working on-board clock to lock you out if you are not extremely careful and fully understand each part.
I think this already bites people, it has started, it's not in September but now?: https://x.com/rogerioperdiz/status/1946873449537798582
I just tried to distro-hop and found my BIOS had been locked with a password. Assuming I didn't set a password that I subsequently forgot (and that isn't one of the many I have memorized), I figured this might have something to do with the age of the laptop (I have an HP 4540s). If certificate expiration is already affecting people then this might be it.
EDIT: I just forgot I set a password, and it took me 2 days to realize that I was stupid enough to have set the password that I used for everything when I was 12 years old.
How did you bypass the password?
Not OP, but BIOSes often give you a specific error code after a few wrong password attempts. You can put the code in here to recover the password: https://bios-pw.org/
I didn't. And apparently you can't without trying to short-circuit the motherboard. I just assumed, and assumed wrong.
The details are complex; it has humorously been called "security by security".
Hobby Linux users could, as far as I understand, simply disable UEFI secure boot (after weighing carefully what secure boot provides to them, and what it does not provide). Otherwise, they'll need a firmware upgrade before any upgrade to a new OS / bootloader chain.
Small companies which use old laptops with Windows might be bitten hard by this because they can become locked out of their hardware with no way to update it, or even make a backup!
And by the way, Intel motherboards which are running your Linux system may contain a copy of Minix - yes, the Minix from the historic Tanenbaum vs. Torvalds debate - which runs below the OS in the system management mode engine and is controlled by the vendor, which can e.g. update firmware via the network. SMM is normally not visible by the user but it can cause problems e.g. for real-time applications because it has higher privileges than the kernel and can interrupt all of the kernel at any time.
For a home desktop that's never left unattended with anyone untrustworthy, I don't see that Secure Boot is worth the effort in setting up.
Given that you have to re-sign the boot image every time you upgrade, any malware already running with root privileges on the machine could easily slip itself into the new signed image.
The best security is not running untrusted software to begin with.
If secure boot is off, and you run malware on your pc, it can change the boot process to escalate privileges.
This probably requires root or admin in the first place, but if they can install a malware loader, they can establish persistence so that even if you remove the os-level components, they'll be reinstalled on reboot.
> If secure boot is off, and you run malware on your pc, it can change the boot process to escalate privileges.
This is technically correct, but on a desktop system, malware executing in user space is normally already game over. It can exfiltrate and send your passwords or ssh private keys, change browser certificates or browser software, add user systemd sessions or crontab entries and can generally e.g. do everything a banking trojan would like to do.
Yeah, but the malware can just wait for a system upgrade where you sign a new boot image and slip itself in then.
It works for Windows because theoretically only Microsoft would have the signing key and it's not just sitting on disk somewhere. But then you're just trusting Microsoft, and also subject to vendor lock-in.