And this is why.

Story: Microsoft half-bricks Asus Windows 7 PCs with UEFI boot glitch
Total Replies: 8
Author Content
Ridcully

May 07, 2016
7:17 AM EDT
Anyone who has read my article "A Kmail Breakthrough" will know that in the first couple of paragraphs, I stated that I chose my new 64-bit laptop precisely because it did NOT have UEFI. I realise this story does not relate specifically to my article, but it forms part of the general background of utter distrust that I have with respect to UEFI. In a few more years, I guess UEFI will be ubiquitous and Linux will deal with it the same way it has dealt with any other Microsoft attempts to put potholes in Linux's highway to success and just roll on over it, but for the moment, UEFI and my humble self really, really don't like each other.
jdixon

May 07, 2016
8:15 AM EDT
There's no question in my mind that UEFI (especially with secure boot) is far more complex and opaque than it needs to be. The few times I've encountered a boot problem with it, it seems to have been easier simply to reinstall the OS than to try to repair it. Of course, these were Windows 8 machines.
nmset

May 07, 2016
9:26 AM EDT
UEFI per se is not to be thrown in the bin. OEMs have bent to Microsoft's will as far as secure boot is concerned, this does not mean UEFI is designed with evil goals. Suppose a sensitive facility like a power plant or a water purifying one uses Linux only client/server hosts. It would be real security if it can be guaranteed that all machines can be booted as intended by the company. Secure boot is here helpful even for Linux, with custom certs in the hardware. What OEMs have done due to Microsoft's blackmailing does not imply more than that.

Of course I don't like the idea that my laptop has a MS cert inside, even with secure boot disabled, but then I could have bought one without, except that it's significantly more expensive.
dotmatrix

May 07, 2016
11:08 AM EDT
Microsoft ruined UEFI by requiring manufacturers to include its certs and preclude any other cert.

Even laptops purchased without an OS have the MS cert. You still need to disable UEFI in order to boot GNU/Linux... but this is only because of Microsoft's backhanded deals.

When I have more money... hahaha... I would like to buy a few machines to experiment on... remove the EEPROMs, make backups of the data, burn coreboot and seabios, test, and report here:

https://www.coreboot.org/Supported_Motherboards
Ridcully

May 07, 2016
5:40 PM EDT
"nmset", you just increased my distaste for UEFI - you used the magic word "blackmail" as an adjective for Microsoft. Do you ever, ever really trust a blackmailer to do the right thing? Do you really believe that UEFI was purely designed for security alone? Just my 2c.
penguinist

May 07, 2016
7:14 PM EDT
I think it's important to factor discussions on this topic into two separate parts, UEFI and Secure Boot. I know it's easy to lump the two together but we miss some insights if we do.

UEFI is nothing more than a replacement for BIOS. Granted, it brings complexities but it also brings new features.

Secure Boot on the other hand is a way to lock systems. One can argue that some systems should be locked like the power plant example earlier in this thread. But I fear that Microsoft likes holding the keys to all computer systems.

My opinion, probably shared by most here, is that control of systems belongs to the user, the one who purchased and owns the system. That user might be a power plant or it might be an individual. Microsoft, on the other hand, would like to force users to submit to Microsoft's control of their systems. This is another evil action taken by an evil company.
Ridcully

May 07, 2016
7:54 PM EDT
Thank you penguinist. I tend to look on the two as a "single brick", and that's wrong given your above explanation. Part of the problem I believe is that different computer manufacturers are able to implement their own versions of UEFI and Secure Boot and what you can do in one computer simply will not happen in another (I'd like to be corrected on that if I'm wrong).

The way I currently would see it is this. If ALL the computer makers agreed to include two things: first, the ability to switch UEFI into legacy BIOS mode; and second, the ability to turn Secure Boot off, then I think things might become just that little bit easier. Sooner or later, I guess I am going to have to learn how to use (and not use) UEFI and its associated Secure Boot - but not just yet.
nmset

May 08, 2016
4:30 AM EDT
>Do you really believe that UEFI was purely designed for security alone?

penguinist just replied the two factors implied.

>control of systems belongs to the user, the one who purchased and owns the system.

We all agree with that, OEMs don't, and competition is tough.

>the ability to switch UEFI into legacy BIOS mode

Kind of it already exists, I don't remember this functionality's name and don't want to reboot right now, but the UEFI config allows something like that.

> the ability to turn Secure Boot off

This was a requirement of Microsoft with Windows 8.0/8.1, apparently (not sure), it's no longer required for Windows 10.

All in all, UEFI in itself is not bad. Secure boot is not bad. The real world is bad, always more money is bad, more control is bad... the human species is bad... Tibetan priests are right, zen !
JaseP

May 08, 2016
4:40 AM EDT
With UEFI secure boot, the devil's in the implementation. It would have been fine if the user had a way to add and generate their own keys (even with external apps to generate them). The problem is that the "standard" (using quotes to diminish the term) was essentially hijacked by MS as the perfect opportunity to vendor lock PCs.

For fear of DOJ reprisals and consumer backlash, they acquiesced to freely distribute keys to major Linux distributions on the cheap... That doesn't take away from the fact that a rather drastic solution was implemented to solve an almost non-existent problem.

By the way, I use secure boot on the PC I'm writing this with. No issues so far. Secure boot didn't, by the way, prevent the machine from getting malware when it was still running Windows (I was required to run Windows for a Comp. Sci. BS degree program I finished not too long ago). But, as long as you are running a distro that supports secure boot, you should have next to no issues running Linux on a machine that has it activated. The only "major" issue during installation is in creating a boot partition, where you might normally forgo a separate partition for that... Otherwise, no issues...
