Secure boot: Microsoft shows up Linux

IT Wire ^ | 14 December 2012 | Sam Varghese

[ShadowAce]

It's early days for secure boot, the new method that Microsoft is using to protect its desktop turf, but it would not be unfair to say that the company has succeeded in showing up the sharply fragmented nature of GNU/Linux.

Secure boot is a feature in the Unified Extensible Firmware Interface, the replacement for the motherboard firmware or BIOS. It has been implemented by Microsoft in a manner that effectively prevents easy booting of other operating systems on machines which have secure boot enabled.

An exchange of cryptographic keys takes place at boot-time so that a system can verify that the operating system attempting to boot is a genuine one, and not malware. There are further key exchanges along the way. Since Microsoft controls the key-signing authority, everyone who wishes to boot an operating system on hardware certified for Windows 8 has to buy a Microsoft key.

The fact that secure boot would be used in Windows 8 was known last September. The ideal solution would have been for all the Linux distributions, plus other companies that depend on Linux for their profits, to band together under the Linux Foundation and use their combined clout to influence things with hardware vendors.

Instead, the distributions have been unable to do anything except to work separately to devise solutions to cope with the technology. The bigger distros - Red Hat, Ubuntu and SUSE - have each devised their own methods of getting their operating systems to boot on machines with secure boot. The biggest free distribution, Debian, has still not said publicly what it will do.

The smaller distributions will probably have to depend on an act of charity to get their systems working on secure boot systems.

That act of charity has come from kernel developer Matthew Garrett who has created a shim or first-stage bootloader, and obtained a cryptographic key from Microsoft, for the purpose of signing it, with his own money. Using this, the smaller distributions can follow a procedure which he has outlined to cope with the barrier of secure boot.

When it became evident that the Linux companies would take an each-man-for-himself attitude, the Linux Foundation came up with an idea similar to that which Garrett has implemented.

The difference is that it has, thus far, failed to overcome the bureaucracy within Microsoft's ranks and complete the procedure. Garrett has been able to do what the Foundation, which blows its own trumpet quite a lot within restricted circles, could not do.

A pretty simple ploy would have been for the so-called Linux community - it looks like a collection of disparate tribes at times like this - to use the media, and the clout that it enjoys by virtue of the widespread use of the kernel in businesses, to put the onus on hardware vendors to co-operate in devising a solution. Many media outlets are sympathetic to Linux and never write a negative word about it.

But when it comes to using the media, the Linux community is in grade 1. Or probably in kindergarten. It works in a highly insular manner, preaching to the converted, and forgetting that there is a vast, thirsty audience out there, looking for good computing software.

It is not as though there is no talent in the ranks of the Linux community to come up with a solution and an elegant one at that.

Back in 2005, when the kernel project faced a crisis after Larry McVoy, the owner of the proprietary source code management system used by Linus Torvalds, said he was withdrawing the use of the free version of the system, Torvalds himself came up trumps with a SCM system called git, which was knocked together in next to no time. A few others, all talented individuals, put their hands to the wheel as well and there was barely a hiccup in the development process.

But that was then. This is now, when there is more than just a touch of arrogance in Linux circles because of the way usage has grown. Never mind that Linux is barely a whisper on the desktop, it dominates several other spaces. Why Linux people even feel proud that Android is dominating the mobile arena, forgetting that the only truly free element in that system is the kernel.

Secure boot has exposed the Linux community as a fractured entity that cannot pull together. It has inconvenienced ordinary people who often take up use of the system after testing out a downloaded CD. At the moment only one CD can be used on a Windows 8 computer with secure boot - Ubuntu 12.10 64-bit. And there are more than 300 distributions.

True to form, even the fact that this Ubuntu CD would boot on Windows 8 certified machines was never widely disseminated. Once again, it can only be put down to sheer arrogance - after all the whole world knows about Linux, so they should know that fact too, shouldn't they?

You'd have to wonder - when will people ever learn?

[ArrogantBustard]

MS and windows are still pretty well much a toy as far as real computing goes,

Show me the Linux version of SolidWorks.

[Bidimus1]

I work with both MS and Linux. In game terms they are Lawful evil and Chaotic evil ;)

Yes Linux as a desktop normal office/home user setup is Clunky
how ever as a backbone and server platform it is quite solid.

One proof against liunx etc ever being a serious threat to MS at the desktop is that MS never bought a ver and marketed it like they do with almost everything else the is a valid competitor

[ArrogantBustard]

Well ...

If Dassault ever ports SolidWorks to Linux, I’m headed over to “Chaotic Evil” ...

[2 Kool 2 Be 4-Gotten]

So - let’s see if I can say this right.

Will this signed booting thing - only apply to computers that come with Windows preinstalled? Like a Dell, or a Lenovo, or an HP or whatever?

What if you just buy a motherboard? Or a “bare-bones” rig?

Sure people are fond of breathing new life into old windoze systems by loading linux on them. But many, many other systems are purpose built for linux and have never had windoze on them - ever. Will the signing virus apply in this case?

[ShadowAce]

Will the signing virus apply in this case?

Yes, it will. The whole thing is in firmware--looking specifically for a valid signed certificate--which is only available (at this time) from MS.

[Varmint Al]

Firmware can be re-flashed. I see a growing market for alternate firmware. I run FEA software and Windows XP pro works very well. My current computer is 18 times faster than a $10 million Cray 1 that I used a long time ago at LLNL.

Good Hunting... from Varmint Al

[EricT.]

Many PACS (Picture Archiving and Communication Systems) , which are used in the medical industry to manage digital diagnostic images are based on Linux. These are highly relied on, highly stable, and highly secure. The same goes for the operating systems for many different imaging modalities such as Digital Radiography, Digital Mammography, MRI, etc.

It’s been a while since you’ve even looked at a Linux system, hasn’t it?

BTW, just this morning, I was adding a remote doctor’s viewing laptop to one of the Linux-based PACS I deal with. It is one of the easiest to use systems I’ve come across in years.

[AdmSmith]

I can’t imagine anyone wanting to use Linux in any serious application.

Market Share for Top Servers Across All Domains
Apache 55.70%
Microsoft 17.61%
nginx 12.07%
Google 3.45%
http://news.netcraft.com/archives/2012/12/04/december-2012-web-server-survey.html

[TexasRepublic]

As long as the Chinese make motherboards, you can bet on finding some that don’t implement Secure Boot. They don’t intend to be held hostage to Windows any more than we do. So, my future boxes may be Beige instead of Dell.

[TNoldman]

see post 32 -

I work with both MS and Linux. In game terms they are Lawful evil and Chaotic evil ;)

Yes Linux as a desktop normal office/home user setup is Clunky
how ever as a backbone and server platform it is quite solid.

One proof against liunx etc ever being a serious threat to MS at the desktop is that MS never bought a ver and marketed it like they do with almost everything else the is a valid competitor

[ShadowAce]

I read that.

However, it is wrong. I use Linux exclusively as a desktop--both at home and at work (in a Windows-centric environment). No one I work with can tell the difference.

One proof against liunx etc ever being a serious threat to MS at the desktop is that MS never bought a ver and marketed it like they do with almost everything else the is a valid competitor

The major flaw in your argument is that MS has never done that with an OS--applications, sure, but never with an OS.

The reason for that is that once people see that a superior OS exists without the MS lockin, Windows would die.

[2 Kool 2 Be 4-Gotten]

Another point is - the rise of the Macbook ****’s in the corporate environment. At the Fortune 500 company where I work, it used to be all PC laptops. Now the majority are Macbook somethings. Really. I run Fedora on a Lenovo Thinkpad and it works great. But since the corporate ecosystem these days must support Macbooks, then all the critical functions are just as easily doable from linux. Even if it means firing up a VM for certain tasks.

In other words - BYOD is now the effective rules on the ground. And this alone will allow linux to flourish.

[AFPhys]

I ABSOLUTELY, WILL NOT even consider buying a computer that does not have dual boot capability.

[grwcfl537]

Is it a mountain or a molehill?

Should probably do away with the political correctness and call it what it really. It is Microsoft boot time copy protection

Mel

[martin_fierro]

[cothrige]

The author of this article seems convinced that the Linux community is deficient because it has not joined together to pay Microsoft for the privilege of being allowed to operate. That sounds to me like a rather ridiculous suggestion. I would hate to see anybody pay even so much as a dollar to Redmond in this case. Rather, wait for the release of the machines and pay lawyers instead. I may not like them either, but at least that isn’t paying extortion money, and it benefits the community more as well.