He's probably speaking to the deaf

Story: Secure boot: Microsoft shows up Linux Total Replies: 69
tracyanne

Dec 14, 2012
5:55 PM EDT
It's unlikely that the Linux tribes will even hear this, or on hearing it ignore it.
penguinist

Dec 14, 2012
6:23 PM EDT
The author is incorrect on one point:

Quoting:At the moment only one DVD (corrected) can be booted on a Windows 8 computer with secure boot - Ubuntu 12.10 64-bit.


In fact, Fedora 17 64-bit and Arch 64-bit are also bootable on a UEFI system.
tracyanne

Dec 14, 2012
7:15 PM EDT
a very minor point, would you agree
tuxchick

Dec 14, 2012
7:50 PM EDT
Since there can be only a single platform key, the Linux Foundation does seem like a logical candidate to operate it.
linuxwriter

Dec 14, 2012
8:52 PM EDT
thanks penguinist for pointing out that two other DVDs can be booted. i will test this out over the next few days and write something.

Sam
linuxwriter

Dec 14, 2012
9:00 PM EDT
BTW, I tested the beta of Fedora 18 and it could not boot on my secure boot-enabled box.
linuxwriter

Dec 14, 2012
10:27 PM EDT
I have tested both the releases mentioned, neither can boot on a machine with secure boot enabled. UEFI and secure boot are not one and the same thing; the latter is a subset of the former and it is perfectly possible to have a PC with UEFI but no secure boot enabled.
tracyanne

Dec 14, 2012
11:49 PM EDT
@linuxwriter: This probably would not be the case, if the Linux community had worked together (through the Linux Foundation for example), to ensure that Microsoft did not have this sort of control over UEFI equipped computers.
penguinist

Dec 14, 2012
11:51 PM EDT
@linuxwriter: Here are my details.

I recently bought an Asus Zenbook Prime UX31A Ultrabook which came with Win7 pre-loaded and UEFI enabled (and no visible way to disable UEFI in the bios). On that system I shrunk the win7 partition down to 32GB, and repartitioned the rest of the drive using parted to create three additional 30GB OS partitions and one large /home partition. Then I installed a quad boot consisting of:

Fedora 17 - 64bit (xfce spin)

Xubuntu 12.10 - 64 bit

Arch - 64bit

Win7 - 64 bit (the unmodified original pre-loaded installation)

Now, on bootup, I am presented with the UEFI loader showing me the above four options to choose from, all of which boot up successfully.
tracyanne

Dec 15, 2012
12:06 AM EDT
@penguinist: Now try that with a Windows 8 equipped machine, where a Microsoft signed key is required, if you can't or don't know how to disable "Secure boot" you are not going anywhere without that Microsoft signed key.

This is a situation we would most likely not be experiencing, if as a community (and by that I mean all those individuals and companies that use Linux), we would not be in this situation. The degree of selfishness and simple ignoring the problem in the false hope that it would go away or be fixed by someone else has been astounding.

If the community had come together Microsoft would not now have this much control, but because so many of us, who are in a position to actually create the sort of pressure needed, simply ignored the issue, the reality is we must go cap in hand to Microsoft.
tuxchick

Dec 15, 2012
12:12 AM EDT
I think there is still some confusion...UEFI is the new next-generation replacement for the creaky old PC BIOS. Secure Boot is just one feature in UEFI. Most Linuxes should support UEFI. Secure Boot is a separate problem.
linuxwriter

Dec 15, 2012
12:30 AM EDT
@tuxchick carla, linux has supported UEFI for quite some time. as you mention, it's the secure boot that's the problem.

@penguinista buy yourself a nice, new laptop with windows 8 for christmas. then try to install linux. and come back here and tell us the tale :-)
penguinist

Dec 15, 2012
12:56 AM EDT
I guess I was lucky to get one of the last win7 models.
tracyanne

Dec 15, 2012
5:45 AM EDT
Gee, I guess you were. Pity all those Windows 8 users who might like to try Linux.
notbob

Dec 15, 2012
11:05 AM EDT
So, am I to believe all hardware makers are now making computers fully compliant with Microsoft's edicts, that no hardware maker is making a UEFI/secure-boot free computer? That doesn't sound possible or even probable.
lando

Dec 15, 2012
12:41 PM EDT
I guess I am trying to figure out how having multiple approaches to overcoming the "secure boot" (kinda ironic when considering this relates to a M$ os) issue is a bad thing. As much as this author claims to be on board as a Linux user he somehow completely missed the boat when it comes to the primary strength of open source development.

As the top comment points out this article is not for anyone who has half a clue as to how OSS works. Me thinks this is a FUD, yet who is the target audience?
tracyanne

Dec 15, 2012
5:43 PM EDT
@lando, boy did the whole point of the article whizz right past you.

Solving the problem that a Microsoft controlled and signed key is now required on most of the non apple computers sold, is a necessity, because the Linux community DID NOT work together to stop Microsoft having this sort of control over UEFI, in the first place.

The fact that one or many solutions are now being sought, and/or required, is necessary because of short term me-ism, and the inability of the group (the Linux/OSS community) as a whole to come together to STOP THIS FROM BECOMING THE PROBLEM IT IS from happening at all.

"...who is the target audience?" Not you apparently, as based on the attitude you have espoused, you are part of the problem.
tracyanne

Dec 15, 2012
6:08 PM EDT
@notbob, probably not all computers, but enough, probably most (that aren't Apple). For certain ZaReason won't be building computers that require a Microsoft controlled and signed key, nor I suspect will other boutique Linux pre installers. Nor probably motherboards for those who build their own.

But of a certainty all computers that come with Windows 8 pre installed. Some will be relatively easy to disable, others not. The problem isn't whether technically proficient computer users can override the UEFI/Secure Boot, but how easy it is for non techy people to try Linux on their existing Windows equipped computer.

Yes several distros have a solution... one that would not be necessary if the community had worked together to stop Microsoft's control of UEFI with their "Secure Boot"... and the fact that these are among the most likely to be tried by potential new users is a good thing. But they all require a key that Microsoft has signed, and therefore controls, and can blacklist at any time.

From my point of view it's not really an issue, as I will simply not purchase computers with Windows installed, and have not done so for several years now. Purchasing, as I do, from companies that supply Linux pre installed.

The problem Microsoft's control of UEFI creates, as was intended by Microsoft, is that it slows the uptake of Linux by ordinary non technical computer users, who would actually benefit from Linux on their computers. The only glimmer of a silver lining here is that Microsoft's share of Computing devices, according to Goldman Sachs, is only about 20% of the total market (the corollary of that is that the Linux desktop share is still minuscule).

BernardSwiss

Dec 15, 2012
10:35 PM EDT
I think this discussion is completely off the rails from the get-go. It's based on a basic and remarkable misapprehension. And Sam Varghese definitely ought to know better.

The issue was never one of "getting the FOSS/Linux community to work together" -- that's a distinctly FUD-y re-writing of history that smells of clever PR "framing".

Rather, the real issue, the really hard problem, was how to persuade essentially ALL (or even just most or "enough") of the OEMs and motherboard manufacturers to commit to properly implementing sensible, reasonable UEFI Secure Boot implementations, rather than just enough to keep Microsoft happy. At least on hardware targeted at "consumer" systems.

The multitude of "independent" approaches to pursuing a practical solution were the second option, the "Plan 'B'", undertaken only after pragmatic assessment that the efforts to get "enough" OEMs on board were proving to be fruitless and, realistically, destined to remain so.

Fettoosh

Dec 15, 2012
10:41 PM EDT
Quoting:The problem Microsoft's control of UEFI creates, as was intended by Microsoft, is that it slows the uptake of Linux by ordinary non technical computer users, who would actually benefit from Linux on their computers.


@TA, I see it a little differently.

Ordinary non technical computer users will mostly continue to use their existing computers with Win 7 or less, or some will switch to tablets as an upgrade.

Those who are going to upgrade to Win 8 will be unhappy because they will not be able to run some of their current games and applications that require and need to access the hardware directly, which Secure Boot in Win 8 environment does not allow per MS Secure Boot specification. Isn't this the reason why some of the game outfits are developing for Linux and possibly abandoning future Windows platform (win 8)?

I think MS will be hurting itself with such attitudes and I think many users will be tempted to try Linux as an alternative.

tracyanne

Dec 16, 2012
3:11 AM EDT
@Bernard convincing the OEMs was and is the problem that could have been solved if the Linux community had worked together to pressure the OEMs. But that never happened, the likes of IBM, Canonical, Red Hat etc ignored the issue until it was too late and were forced to implement solutions that rely on Microsoft.
jdixon

Dec 16, 2012
9:48 AM EDT
> ....because the Linux community DID NOT work together to stop Microsoft having this sort of control over UEFI, in the first place.

That should be the job of the Linux Foundation, but, as usual, they were asleep at the switch.
linuxwriter

Dec 16, 2012
11:48 AM EDT
@BernardSwiss

Don't shoot the messenger. There is no re-framing of anything by me.

It was a member of the Linux community, Matthew Garrett, who first detailed the problems that secure boot would pose. He did this back in September 2011.

When numerous media outlets wrote stories based on Garrett's post, it should have been picked up by all the companies that make money off Linux. They should have started moving at that point.

Instead, each looked to what would benefit them the most. Since only Canonical and, to some extent, SUSE, are looking at possible desktop business, the question of what desktop Linux users would do in the face of secure boot didn't rate very high with the companies.

It is a shame that one individual had to buy a key, and put the code out there, for a pre-stage bootloader that the smaller distros can use. And Red Hat is a billion-dollar company!!! There has been no leadership or direction shown in this matter. It is a sad state of being indeed.

Sam
jdixon

Dec 16, 2012
1:07 PM EDT
> There has been no leadership or direction shown in this matter. It is a sad state of being indeed.

Correct. And there never will be. The Linux Foundation is not interested in desktop Linux. They never have been and never will be. If we want a unified voice for desktop Linux, we'll need to find a way to create one. The fact that the Linux Foundation doesn't speak for desktop users has been noted for years now.
Fettoosh

Dec 16, 2012
1:54 PM EDT
Quoting:Correct. And there never will be.


I agree for now, but in the long run, The Linux Foundation will start to care about the Linux Desktop when the Linux Desktop starts producing revenue for Distro/OEMs.

The Linux foundation is by and for companies making revenue from Linux.

jdixon

Dec 16, 2012
2:03 PM EDT
> The Linux Foundation will start to care about the Linux Desktop when the Linux Desktop starts producing revenue for Distro/OEMs,

The Linux desktop does make money for all kinds of OEM's. They call it Android. The Linux Foundation largely ignores it too.
Fettoosh

Dec 16, 2012
4:37 PM EDT
Quoting:The Linux Foundation largely ignores it too.


That is because Google and the rest of the "Androidites" can handle marketing and don't need any help.

jdixon

Dec 17, 2012
4:00 AM EDT
> That is because Google and the rest of the "Androidites" can handle marketing and don't need any help.

Sure. But it's also because they recognize the Linux Foundation is useless for their needs. It's time we recognized that it's useless for ours too.
caitlyn

Dec 17, 2012
11:44 AM EDT
tracyanne, sorry, but you (and Sam Varghese) are way, way, way off base on this one. The greatest strength the Linux community has is that it isn't just one company, that there is no edict to follow, that there isn't one recipe everyone has to follow. That's why we have so many specialty distros that do one thing very, very well. It's why we have enterprise distros that, in one case, produced a billion dollar business. It's why we have desktop-centric distros and embedded device distros and, well.. you name it. The very nature of Linux ensures that the various distributors will never work together because they all have very different interests. If you change that you change the very nature of all that is good in Linux. It can't work.

So... we don't have one solution, but as has already been pointed out we have three major ones that work well. Six months from now Matthew Garrett's solution will have been widely implemented and we'll look back on this as one more speed bump that we got over despite Microsoft's best effort to lock out Linux.
linuxwriter

Dec 17, 2012
12:24 PM EDT
@caitlyn

There is not a single solution that works properly at the moment to let one install a Linux distro on a Windows 8 secure boot-enabled box. Ubuntu 12.10 64-bit desktop edition boots but installing it is another matter altogether. And I speak from my own experience, which I have written about.

Matthew Garrett's first-stage bootloader has yet to be incorporated into any of the smaller distributions.

Even if every distribution can boot on a secure boot-enabled box, it will be because of the goodwill of Microsoft. The company can always revoke any key it wishes to revoke at any time. Remember, it controls the key-issuing authority.

It can also raise the price as it wishes. Today the cost of a key is $US99. A year from now it may be $US5000.

Had the Linux companies got their act together, they could have obtained a solution which was not dependent on the goodwill of Microsoft.

It's not as though Linux companies haven't joined together on some endeavours, the Open Invention Network being one that comes to mind.

So, we can keep believing in Father Christmas. Or else we can accept reality.
caitlyn

Dec 17, 2012
1:17 PM EDT
You seem to forget that Secure Boot can be turned off and the Linux will run just fine. That doesn't require any goodwill from anyone. The security advantage of Secure Boot is dubious at best. I'm well in touch with reality. Nobody else wanted the key signing authority. Red Hat, Novell and Canonical all could have had it. Nobody wanted to spend the money to support it.

Believing that 600 Linux distributors, some of whom have conflicting interests, working together in unison is where folks are losing touch with reality.
gus3

Dec 17, 2012
1:50 PM EDT
Quoting:You seem to forget that Secure Boot can be turned off and the Linux will run just fine.
On Intel/AMD x86 platforms. Not so on ARM.

It's only a matter of time until Micro$haft decides to make the push to close x86 Secure Boot as well. If I were a betting man (that is, if I had the money to bet), I'd say the next version of Windows will "need" Mandatory Secure Boot to "fix" the coming security mess in Win8, just like every major release before was "needed" to "fix" the security messes-du-jour.

So, who wants to start manufacturing OpenRISC-based desktops?
Fettoosh

Dec 17, 2012
2:04 PM EDT
Quoting:Had the Linux companies got their act together, they could have obtained a solution which was not dependent on the goodwill of Microsoft.


Could have but not for sure.

Now, MS is telling OEMs "Do what I say otherwise your contract is revoked", what leverage do Linux companies have over OEMs and what benefits OEMs have if they lose MS handouts?

I don't see any so far at this time, but the new handheld devices and the Cloud are changing all of that by being dominantly Open Source based. The landscape is getting more open and MS can't keep control over it like it used to. MS is isolating itself by following the steps of Apple. It probably sees itself better as a niche product supplier. See this & this, which I believe has a great potential to replace Windows desktops because of its very low cost factor.

Besides, getting all Linux companies together is not so easy. They are like herding cats each looking for itself and they also compete against each other and each wants to have its edge over the others. I believe Red Hat "accepted its reality" and saw its edge by going along with MS. I have a hunch that MG left Red Hat because of disagreement about this issue. Time will tell.

caitlyn

Dec 17, 2012
2:11 PM EDT
Fettoosh, I think you hit the nail on the head with a number of your points. The issue of the leverage MS has with OEMs is very real. Even if enough Linux companies and distributors had unified to create a solid solution it is highly unlikely it would have been accepted by the OEMs if Microsoft played hardball.

I guess what bothers me most about Sam Varghese's article and tracyanne's commentary is that it's blaming the victims.
lando

Dec 17, 2012
2:27 PM EDT
@tracyanne girl did the whole point of my comment whizz right past you ;)

I think one of the many reasons the "Linux community" does not mobilize is because of the defcon 5 approach many people in "the community" go to when replying to comments they disagree with.

I am not really a part of the problem. I was just pointing out the difference between a manufactured issue based on an unrealistic expectation of the "Linux community" and how it seems to historically work in the real world.

At best you can currently directly affect a project that you choose to take responsibility of. Much like Linus and the kernel crew did as the author pointed out. But to expect a "community" of disagreeing defcon 5ing individuals and groups to be able to congeal and overcome on a greater scale with a deadline to boot(pun) has just not happened yet.

So our current strength is in the diversity of solutions that solve a single problem in different ways. So instead of cursing the "Linux community" out for being the way it always has been, perhaps we should start by rejoicing in the fact that it exists and try to find ways to work with what we have.
Fettoosh

Dec 17, 2012
2:34 PM EDT
Quoting: I think you hit the nail on the head with a number of your points.


Thanks to the Open Source ideas. :-)

Quoting:I guess what bothers me most about Sam Varghese's article and tracyanne's commentary is that it's blaming the victims.


I guess Sam misses on seeing the realities he speaks of.

And @TA, she is a hard core supporter who likes to demand action. :-)

vagabondo

Dec 17, 2012
3:01 PM EDT
@gus3

Can you name ANY devices that support UEFI secure-boot where secure-boot cannot be turned off and where the owner cannot add their own key(s)? I think that you are confusing the minimum MS conditions for MS Win8 compatibility with what is/will be available from device manufacturers.

For business Linux users this is a non-issue. We buy our desktop machines (mostly from Acer) with Linpus or, more recently, FreeDOS, because we have no need of MS software and the machines are considerably cheaper without it. The only people affected are hobbyists who use MS Windows8 and want to play with "live CD/DVD distros", or who want to dual-boot to play games etc.

The Linux Foundation is primarily concerned with the development of Linux (kernel) source code. Secure-boot keys are a concern for the distributors of boot-loader (GRUB and LILO) binaries.

I am anticipating that we will be loading the desktop machines that we support with our own keys. This will prevent unauthorized booting from alien USB devices, while making it simple for a local operative to boot one of our recovery systems and hopefully permit us to perform a remote repair of a damaged system.

I think that the article was intended as a FUD piece. The target was the collection of not very technical Internet commenters and bloggers who would amplify the casuistry. The false message will then be taken up by the general media (who rely on marketing press releases and random Internet noise for their technical "expertise") and delivered as "Linux cannot implement modern data security" to the General and Financial Managers/Directors who are the key decision makers.

linuxwriter

Dec 17, 2012
6:02 PM EDT
I think everyone would like to believe that Microsoft will finally play nice with the free software and open source people. That's like trusting a dog to look after fresh meat, without eating it. Why do you think the company decided to implement secure boot at all? For security reasons? If you believe that, then I have a number of things I'd like to sell you.

There are two simple things which could have been devised if the Linux vendors - and I don't mean all 600-odd, I mean the bigger ones - had spoken to the hardware vendors. One, provide a means to turn off secure boot right at the booting stage with a simple pop-up. Second, provide a means to turn it off from within Windows 8.

Have any of you, who are so free with your comments, sat and watched while a Win 8 box with secure boot on, goes through the boot process? I have. You are talking about installing additional keys as though it is as easy as eating cereal - have you tried this yourself? I have.

The Linux Foundation serves as a central place for all the Linux vendors, with their competing agendas, to contribute to the development of the kernel. It is precisely because of the competing agendas that one needs such a body. No-one is asking them to do anything other than act as the equivalent of the UN secretary-general. If secure boot was not a concern, why did the Foundation, through James Bottomley, try to get a first-stage bootloader ready? (Matthew Garrett beat them to it).

The defence of the uninformed is that something they don't want to believe is FUD - though they are never specific. The frog in the boiling water approach is not one I advocate - water does have a definite point at which it scalds.
caitlyn

Dec 17, 2012
6:27 PM EDT
Nobody said Secure Boot was not a concern. Nobody believes that Microsoft will play nice. Everyone understands that Secure Boot is about lock-in. That doesn't mean we have to agree with Sam Varghese or tracyanne or you, linuxwriter. This isn't all black and white. It's all kinds of shades of grey. Get off your high horse and stop blaming the victims and definitely stop putting words into the mouths of those who disagree with you.
tracyanne

Dec 17, 2012
6:57 PM EDT
Quoting:So... we don't have one solution, but as has already been pointed out we have three major ones that work well.


And they all depend on Microsoft's munificence. The fact is Microsoft controls UEFI with its Secure Boot key. Each of those "solutions" is a solution to a problem that exists due to apathy in the community. You simply cannot purchase a Windows 8 equipped computer, and hope to try any Linux on it without the minimum of a boot loader signed with Microsoft's key.

That makes those terrible solutions to a problem that should never have happened in the first place.

While it's wonderful that the community in its diversity has come up with 3 (only 3, I thought we were better than that) solutions, they are solutions in reaction to a problem that should not have occurred if the community had been proactive.
BernardSwiss

Dec 17, 2012
9:44 PM EDT
The question I'd like to ask is, who in the "Linux Community" had a strong interest in supporting/pushing Linux on the Desktop, and also had enough stature in the eyes of OEMs and manufacturers of consumer-grade systems, to make the Linux-friendly (or even OS-neutral) opinions carry any weight against the semi-covert displeasure of Microsoft (sole supplier of a business-critical component)?

You and I can rant all we like -- Linux users at home and in small businesses are seen, rightly or wrongly, as "enthusiasts" and not as a significant market. Novell has been... otherwise engaged... Where is SuSE now? Mandriva has had other concerns as well.

Red Hat has clout, but evidently doesn't much care -- Red Hat's business is mostly Linux server support, and some mostly derivative investment in business (not consumer) Linux desktop deployments. Ditto IBM. It's disappointing that they didn't do more. They could have made a difference. But they aren't going to be much affected by the "MS Restricted Boot" hassles. They might not have helped much, but they didn't hinder, either.

Now Ubuntu is supposedly all about the Linux desktop and "ordinary users". Canonical might have had some actual ability to influence the way this played out -- but instead Canonical chose to adopt a "looking out for number one" approach (too bad if it hurt the competing distros, ordinary users, and the cause of desktop Linux adoption as a whole -- it looked like a chance to carve out a position as one of the gatekeepers).

So if one has to blame any particular entity (aside from MS and the OEMs) Shuttleworth, SABDFL at Canonical, is arguably, easily the most viable target on the Linux side of the action, for this accusation. Shuttleworth was willing to cut a "special deal", one that effectively and very visibly undermined the very philosophy that he supposedly shares with the Linux community. A deal that said, Don't worry about this Secure Boot cr@p, or enabling users, or stuff like that -- it's perfectly OK to arbitrarily tie the hardware to a particular, preferred OS, as long as that OS is from a company that has sufficiently hefty financial clout. Just because it's Linux makes no difference. (Actions speak much louder than words or Press Releases).

But as far as I can make out, blaming "the Linux Community" just doesn't make a lot of sense, here.

tracyanne

Dec 17, 2012
10:22 PM EDT
Quoting:who in the "Linux Community" had a strong interest in supporting/pushing Linux on the Desktop, and also had enough stature in the eyes of OEMs and manufacturers of consumer-grade systems


That's the problem. Red Hat, Canonical and SuSE, probably, but Red Hat aren't interested in consumer desktop systems, nor it would seem are SuSE, that leaves Canonical, who seem to have preferred to go it alone anyway.... or maybe were forced to, due to apathy from everyone else.

What is interesting is that there are several OEMS who are part of "the Community", the likes of HP who build systems, for example, which really boils down to the fact that individually and as a group, those members of the community who can influence OEMS, don't give a rats about desktop Linux.
vagabondo

Dec 18, 2012
2:27 AM EDT
But why exactly should SuSE, Red Hat, or any of the many thousands of companies that supply and support Linux desktop systems care very much about Microsoft's key-signing arrangements? They do not overly concern us or our customers BECAUSE WE DO NOT USE MICROSOFT WINDOWS 8. Only (some) users of MS Win8 on machines that have been supplied with that o.s. pre-installed, and who want to multi-boot with other o.s are affected. If I am wrong please explain how this "issue" affects me or my clients.

FWIW I just checked our usual supplier's web site. They list 22 desktop and 104 laptop models with Win8, 66 and 104 with Win7, and 21 desktops with FreeDOS or no o.s. Of the models sold with Win8, about a third are actually supplied with Win7 installed plus an "upgrade" to Win8. I think that means that at the moment only a minority of MS Windows pre-installed machine purchasers seem to be affected.

In the future I expect MS to prevent/frustrate the OEM versions of their desktop o.s being installed on devices without MS secure-boot keys (i.e. behave like Apple and OSX). Only the more expensive retail and MSDN editions will be installable on generic machines. If MS and device manufacturers try to lock out FOSS (as opposed to locking in MS Windows), I would expect them to fall foul of anti-monopoly legislation.

If anything, the bonus of secure boot for FOSS users in a business setting would be if it frustrated the unauthorized booting/installation of untrusted, insecure MS software.

tracyanne

Dec 18, 2012
3:18 AM EDT
Quoting:If anything, the bonus of secure boot for FOSS users in a business setting...


And what about not in a business setting, I can think of quite a few people (who aren't particularly technically proficient, but are game enough to try installing a linux like Mint or Ubuntu, and who are unlikely to be following the Secure boot issue) who are likely to buy a windows 8 pre installed machine with the intention of installing Linux, simply because they aren't aware, or forgot in the heat of the moment (ie the Windows machine was cheap) that they can buy a no OS or Ubuntu pre installed machine. They are going to be in trouble unless they have a bootloader that has been signed by Microsoft.
vagabondo

Dec 18, 2012
5:27 AM EDT
@tracyanne > And what about not in a business setting,

Selective quoting of part of a sentence was tawdry. If the condition is not met then the consequences do not apply. There is no implication for any other argument.

I did acknowledge that there was a concern for some MS Win8 users that want to multi-boot. I do not think that this applies to typical Red Hat, SuSE, etc. customers. I imagine that Mint et al supply instructions to MS Windows users, explaining how to download and prepare a boot CD/DVD/USB flash drive. Will they not just add instructions covering how to turn off secure-boot, and/or install a signed pre-boot-loader, etc.?

Why do you think that only Microsoft can sign a boot-loader other than for MS Win8? Do you have a reference? I thought that choosing MS was a matter of convenience (tools) and cost.

I cannot see Microsoft being over co-operative with the provision of a general-purpose pre-boot-loader. Once another o.s. is loaded (even another MS o.s.), and the Win8 partition mounted read/write, any putative enhanced security would be moot.

BTW we buy desktop machines without MS software because they are quite a lot cheaper than the same or equivalent with MS. For the few (low end) laptops that we buy it's vice versa and worth replacing the hard drive (we store the original until the warranty has expired or the machine is disposed of). The time and effort of returning and reclaiming the cost of the MS licence has never been felt worthwhile (although I have been told that it is relatively painless with purchases from Amazon).

tracyanne

Dec 18, 2012
5:55 AM EDT
@vagabondo

I think you have somehow missed the whole point and somehow missed the fact that in order to boot any Linux distro on a "Secure boot" enabled machine requires a Microsoft signed boot loader.

The problem with providing instructions on how to disable "secure boot" is that it can be different for different OEMs, for different machines by an OEM.

For skilled techies it's not such a problem; for unskilled non techies that could lead to a slower uptake of Linux.

I hope I'm simply pessimistic, that I completely misunderstand the scope of the problem.
DiBosco

Dec 18, 2012
9:00 AM EDT
If you can disable secure boot, then load and boot into Linux, and this secure boot is nothing to do with actual security, what is the problem? What am I missing here? I've seen so much written about this secure boot and I still don't understand it.

@vagabondo

Quoting: In the future I expect MS to prevent/frustrate the OEM versions of their desktop o.s being installed on devices without MS secure-boot keys (i.e. behave like Apple and OSX).


I have a 17" Macbook pro that purely runs Linux. (I bought it because it was hands-down the nicest hardware available and no more expensive than Dell's, Samsung's and others' nearest equivalent, and the idea of getting something that good without Windows is laughable.) There is no problem installing and running Linux once refit is installed. Seems to me Apple are *less* restrictive than MS the way things are going. (Maybe I miss your point though.)

PS I utterly detest Apple and am so embarrassed I bought a Macbook that I covered the Apple Logo with a penguin so people on trains don't think I am an Apple fan.
CFWhitman

Dec 18, 2012
10:35 AM EDT
If Secure Boot could be turned off from within Windows 8, it would defeat the whole purpose of having it there in the first place (regardless of whether you think it's actually a security measure or just an effort to prevent other operating systems from being loaded). Rootkits could just turn off Secure Boot before installing themselves (or users could just turn off Secure Boot before installing an alternate system).

The problem I see is that the various Linux distribution makers do not have the clout with OEMs to oppose the Secure Boot policy that's been adopted. Secure Boot isn't an issue on servers because servers don't run Windows 8, and a lot of servers don't run Windows at all. However, none of the Linux distributors have any pull when it comes to what the OEMs are willing to do with desktop class machines. The only reason that Secure Boot can be disabled on Windows 8 machines at all is because of concerns over lawsuits based on monopoly abuses by Microsoft. These same concerns will likely keep it from ever becoming mandatory on Windows desktop machines, but Linux OEMs won't have any influence until a more significant percentage of desktop machines run Linux (although it is just reaching the 2% mark altogether, which is interesting).

If anything, businesses that are increasing deployment of desktop Linux have a more immediate influence on this policy than the distribution makers. The percentage of desktops that they deploy is higher than the general population, and their buying power brings some respect. I wouldn't be surprised to see business desktops/workstations with setups of Secure Boot that are significantly more straightforward to disable.
caitlyn

Dec 18, 2012
1:11 PM EDT
Quoting:Linux OEMs won't have any influence until a more significant percentage of desktop machines run Linux (although it is just reaching the 2% mark altogether, which is interesting)
You're repeating tired old FUD here. The latest numbers we have, from Forrester Research, put Linux at 9% of the desktop.

You can't trust web counter numbers because that leaves out almost all corporate/enterprise machines which live behind proxies or, in many cases, don't have Internet access at all. Where I work we have a ton of Linux on the desktop and the next planned series of rollouts should push us into the thousands. Guess how many of those have Internet access? It's not zero but it's way under 1%.
CFWhitman

Dec 18, 2012
2:21 PM EDT
Quoting:You're repeating tired old FUD here. The latest numbers we have, from Forrester Research, put Linux at 9% of the desktop.


No, I'm not. The Forrester Research numbers don't even claim to be for the desktop in general. They only refer to business desktops, mostly of larger enterprises. That is why I said what I said in my third paragraph.

There are no good numbers for the Linux desktop in general. However, even the percentages that people continually try to claim stay at 1% forever, counters from the more unbiased Web sources, have actually more than doubled in the past several years (going from about .8% to 2%), and that is significant (I'm sure Microsoft thinks it is). These numbers have risen even more when talking about raw numbers and not percentages. However, these numbers are still not high enough to influence OEMs when it comes to consumer aimed machines when compared to Microsoft's influence. Business machines may be a different story.
caitlyn

Dec 18, 2012
2:25 PM EDT
Business machines are what OEMs look at most, FWIW. I did an article in 2010 extrapolating data from a variety of sources and my best number for the Linux desktop then, overall, was 6-8%. I doubt it has decreased or is below business adoption.

Oh, and there is no such thing as an unbiased web counter. As I mentioned before, a LOT of machines simply cannot be counted that way.
CFWhitman

Dec 18, 2012
2:40 PM EDT
I didn't say a web counter that gives accurate numbers. I said an unbiased one. That is, one not selectively using sites that favor particular customers/groups. I should have said "more unbiased" because it's almost impossible to be totally unbiased. Wikimedia sites are about the closest I know of, but even they favor some language speaking groups over others, which is likely to slant the numbers away from Linux a bit. Also, of course large non-connected deployments won't show up in Web counters.

Business machines are what OEMs look at when making decisions about business sales. Consumer aimed machines are a different concern.
jdixon

Dec 18, 2012
7:30 PM EDT
> If anything, businesses that are increasing deployment of desktop Linux have a more immediate influence on this policy than the distribution makers

With the possible exception of Red Hat, SuSE, and Canonical; they probably do. Did you see any of them using it for the benefit of Linux users?

> I wouldn't be surprised to see business desktops/workstations with setups of Secure Boot that are significantly more straightforward to disable.

And fortunately, those machines will be readily available via the off lease market in just a few years. But that doesn't solve the immediate problem.
BernardSwiss

Dec 18, 2012
9:09 PM EDT
@vagabondo

It's quite likely that business/enterprise-oriented systems will generally be provided with more sensible UEFI Secure Boot implementations.

But "regular Joes" -- who bought their laptop at Best Buy or even from Dell (the "affordable" consumer-ized models, not even in the same web-store as the business models) -- who might otherwise consider trying Linux, will be faced with a lot of arbitrary and confusing hassle, and scary red "WARNING!" screens about how awfully dangerous it is to disable Secure Boot.

Add to that the potential problems that will accompany (details depending on specific OEM and even model) trying to run a Live CD or Live USB Linux distro (not to mention Parted Magic, Clonezilla and various other utility suites/rescue tools which even Windows-fans use) and the barriers to user migration increase exponentially.

For example: Just last week an acquaintance of mine was complaining about how her Windows 7 netbook was so much hassle she had almost stopped using it, because every time she turned it on all sorts of scans and updates (and decisions not only about whether to trust/allow the update, but offers to also install other software, too) got in the way of just doing her business. I had a live USB of Mint 13 LTS (with Cinnamon desktop) handy, so I explained how updating works in Linux, and demoed it on her system. She liked it -- so now I'm going to set her up with dual-boot over the holidays, so she can play with it and see how well it works for her.

On a previous occasion I had been able to run a live USB Linux-based utility (Parted Magic) to reassure her that some glitches she had encountered were not signs of hardware issues, which also helped show the value of Linux.

If I had had to tinker and research for 30 minutes just to get Linux running -- and blow off a bright red "Danger! Messing with this might blow up your computer!" warning screen, as well, she would most definitely be seeing Linux as a non-viable option. And you can't blame her.

CFWhitman

Dec 19, 2012
10:30 AM EDT
I'd like to point out that I never said and don't believe that there is a problem here or even that the solutions in place are good ones. I just don't think it's fair to blame Linux distribution makers for failing to wield power that they don't actually have. This problem is mostly related to Microsoft's ability to bring pressure on OEMs based on their desktop market position, and to some degree the OEMs being willing to knuckle under to Microsoft.
Bob_Robertson

Dec 19, 2012
11:11 AM EDT
> the barriers to user migration increase exponentially.

Gasp! Could... Could that have been Microsoft's motivation all along????
jdixon

Dec 19, 2012
11:30 AM EDT
> I just don't think it's fair to blame Linux distribution makers for failing to wield power that they don't actually have.

I have to agree with that assessment. Like I said, that's the function organizations like the Linux Foundation putatively serve.
linuxwriter

Dec 20, 2012
2:20 AM EDT
@ BernardSwiss

There is nothing like a "more sensible" secure boot implementation. If you are using only Windows 8 - and that's all you would be using in a business - then you will notice nothing. The machine will just boot and will do so faster because Fast Boot is also turned on.

Members of the Linux community have made an almighty noise about GNOME 3, to the extent that even the GNOME developers - folk who rarely give a hoot about their users - have started to realise they need to provide some kind of mechanism to turn back to the way GNOME 2 worked.

Why didn't people raise a stink about secure boot? Why didn't they put pressure on the companies and the Linux Foundation to do something? After all, commercial entities are more inclined to react to a public row rather than non-profits.

And people cannot say they were unaware - last September it was known that this kind of lockdown would be implemented.

Sam
CFWhitman

Dec 20, 2012
9:34 AM EDT
Well, after seeing how much of a pain it is to install Windows 8 Pro on a machine that had Windows 8 Home just because the key saved in the firmware was a Windows 8 Home key, and the Windows 8 software refused to let you enter a different key instead of using the one in the firmware, I can foresee there being a lot of future complaints about some of the new firmware choices that these companies have made.

The difference between the relatively subdued objections to Secure Boot and the outcry raised over Gnome 3 is a lot that people were actually trying to deal with Gnome 3, but they hadn't been hit with the issues of Secure Boot yet. It's true that the Linux Foundation is mostly about supporting the interests of its members (what else would you expect with such an organization?). However, I don't think they have much clout with computer manufacturers when it comes to consumer aimed machines anyway.
caitlyn

Dec 20, 2012
2:22 PM EDT
Quoting:I'd like to point out that I never said and don't believe that there is a problem here or even that the solutions in place are good ones. I just don't think it's fair to blame Linux distribution makers for failing to wield power that they don't actually have. This problem is mostly related to Microsoft's ability to bring pressure on OEMs based on their desktop market position, and to some degree the OEMs being willing to knuckle under to Microsoft.
That pretty much sums up everything I wrote in a nice, tidy little paragraph.
Quoting: Gasp! Could... Could that have been Microsoft's motivation all along????
Those of us who said that all along were called fear mongers, remember?
Bob_Robertson

Dec 20, 2012
2:46 PM EDT
> Those of us who said that all along were called fear mongers, remember?

Not just remember, I've been called that so often I had a t-shirt made with it on it. (no, but it'd be fun to do)

I've got a long list of things I advocate that are being deliberately shut-out/demonized/marginalized/etc., most of which have nothing to do with computers.

I've been called a "conspiracy nut" by lots of different people, and worse even by folks on this board. It's fun.

The fully OpenSource Laptop looks like a great project, I hope they get their F/OSS boot ROM soon.
tracyanne

Dec 20, 2012
8:04 PM EDT
I guess people didn't really understand what "secure boot" actually meant, and, or, thought the Linux Foundation would actually do something useful.

The interesting thing is there are OEMs who are members of the Linux Foundation, and on the other hand a senior employee of the Linux Foundation (well they do pay Linus Torvalds to oversee the Linux kernel), said it was a good thing and nothing to worry about.
jdixon

Dec 20, 2012
11:50 PM EDT
> Why didn't people raise a stink about secure boot?

Most people aren't even aware secure boot exists.
Fettoosh

Dec 21, 2012
11:01 AM EDT
Quoting:and on the other hand a senior employee of the Linux Foundation (well they do pay Linus Torvalds to oversee the Linux kernel), said it was a good thing and nothing to worry about.


@TA,

Are you sure they weren't referring to UEFI as being a good thing? IIRC, I believe it was Linus who said that.

Note that, as @tuxchick said above, Secure Boot is MS implementation of one feature of UEFI.

Steven_Rosenber

Dec 21, 2012
4:20 PM EDT
UEFI is both good and necessary -- the "legacy" BIOS system is older than dirt. Secure boot is another, much more troubling kettle of fish.
gus3

Dec 23, 2012
4:29 PM EDT
Quoting:the "legacy" BIOS system is older than dirt.
The mistake conservatives make is to say, "This is old, therefore good."

The mistake liberals make is to say, "This is new, therefore better."

Don't you people ever read your /usr/share/games/fortune file?
tracyanne

Dec 23, 2012
6:03 PM EDT
@fettosh
Quoting:Are you sure they weren't referring to UEFI as being a good thing?


Most likely. The thing is, most people don't differentiate between UEFI and "SecureBoot"
Fettoosh

Dec 24, 2012
12:41 PM EDT
Quoting:the thing is most people don't differentiate between ...


True and that is how MS gets away with so many of its devious ideas.

CFWhitman

Dec 26, 2012
9:53 AM EDT
My desktop computer at home has a UEFI based motherboard. There is no sign of Secure Boot anywhere. It seems to be a pretty good motherboard (though it was a little glitchy with the kernel in *buntu 12.04, I've had no problems with the 12.10 kernel).
flufferbeer

Dec 28, 2012
8:48 PM EDT
@fetoosh and others,

I'm quite glad that small form-factor boards like the wildly popular Raspberry Pi have completely AVOIDED the hands of M$ and its dirty UEFI/Secure Boot. Let's hope that this continues!!

2c
