Posted on 05/28/2013 9:20:00 AM PDT by ShadowAce
Summary: Short synopsis of a long discussion with the UEFI Forum regarding ‘secure’ boot
We don’t always speak to figures of authority in pursuit of reform, but when we do, it is rather productive (pardon the meme). OIN is a good example of this. Last year, UEFI criticism began as a ‘feature’ of UEFI, namely ‘secure’ boot, was put to use by Microsoft, which basically misused it for anticompetitive reasons, making it hard to boot GNU/Linux.
“Security was not the main outcome of UEFI ‘secure’ boot being put in place.”The UEFI Forum got in touch with yours truly, setting up an interview for exchange of thoughts and ideas. It was productive because a consensus we reached was that ‘secure’ or Restricted Boot in UEFI has no purpose (or little purpose) other than to serve or facilitate business models of corporations, at the expense of customers. It is akin to DRM and TiVoization and it is hard to defend the inclusion of this antifeature, for reasons we covered here before . It was a one-hour conversation mostly with the president of the UEFI Forum, who is a technical and humble man. I politely made suggestions for UEFI, focusing on freedom aspects, and there was no lack of subjects to discuss (including patents). After an hour had lapsed we decided to call it a day (it was Friday night and I was already late to meet some friends at a local pub), but the mutual sentiment can be described as amicable. I accepted the invitation hoping it would lead to progress, not friction. The phone conference focused on questions pertaining to UEFI, with clear focus on the negative aspects, i.e. areas of improvement. In it were UEFI spokespersons Mark Doran, UEFI President, and Michael Krau, UEFI Forum’s Industry Communications Working Group (ICWG) Chair. A lady called Christine was there also, but she did not participate in the technical discussion; she had helped set it all up.
To summarise some of the key points, it was agreed that ‘secure’ boot only gives UEFI Forum a lot of negative publicity. Other issued were raised, but none else got the same amount of coverage, I had not prepared notes, mostly because the goal was to focus on freedom and not to deviate from that. UEFI Forum’s President was understanding. He said I was asking the right questions and did acknowledge that some of my concerns were legitimate (the conversation was recorded with consent from them, but it is not for publication).
Security was not the main outcome of UEFI ‘secure’ boot being put in place. They agreed to some degree. That’s why it was productive as a lengthy debate.
Towards the end, emanating from the conversation were the following tips and links, prepared and sent by Christine, who had also been on the conference call. She wrote:
> Thank you for taking the time to speak with us to address your questions
> regarding the UEFI Forum. If you have any additional questions or need
> information, please don’t hesitate to reach out to me.
>
>
>
> For your reference, I’m including a link to an abstract of the
> presentation
> http://www.linuxtag.org/2013/de/program/freitag-24-mai-2013.html?eventid=6
> referenced today by Mark Doran, President of the UEFI Forum, and
> delivered by Matthew Garrett at the Linux Tag conference in Berlin. The
> title of Garrett’s presentation is “Making UEFI Secure Boot Work for Linux.”
>
>
>
> During the call, Mark also suggested that you might want to view the
> repository of information pertaining to UEFI at Tianocore.org
> http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=Welcome,
> a community site surrounding the open source components of Intel’s
> implementation of UEFI.
>
>
>
> And following are links to the three Intel YouTube videos Mark
> referenced about UEFI Secure Boot configuration:
>
> · Part 1 http://www.youtube.com/watch?v=eAnlhkbMang – Enabling
> & Disabling UEFI Secure Boot. Instructions for setting up a system with
> UEFI Secure Boot to dual-boot between Microsoft* Windows* 8 & Ubuntu*
> 12.10.
>
> · Part 2 http://www.youtube.com/watch?v=dwlbf1VRJ60 -UEFI
> dual-boot setup with Microsoft* Windows* 8. Instructions for setting up
> a system with UEFI Secure Boot to dual-boot between Microsoft Windows 8
> & Ubuntu 12.10.
>
> · Part 3 http://www.youtube.com/watch?v=eAnlhkbMang – UEFI
> dual-boot setup with Linux* (Ubuntu* 12.10). Instructions for setting up
> a system with UEFI Secure Boot to dual-boot between Microsoft* Windows*
> 8 & Ubuntu* 12.10.
>
>
>
> Again, thank you for your time, and please let me know if I can provide
> you with additional information.
To go along with ‘secure’ boot is to help endorse what sure has become a threat to booting freedom, not just to choice. The conference did not alter my mind in any way on this topic. The key point, as was made abundantly clear to them, is that ‘secure’ boot does a major disservice to UEFI by giving it bad reputation — an inevitability when a convicted monopolist like Microsoft perturbs UEFI for non-technical reasons. █
/johnny
You need to know this—in case I ever have a question about it—LOL!
I just had to have our techies do an end-run around this in the BIOS because so long as it was in place they could not get the machine to stop wasting 5 minutes each morning trying to boot from a non-existent CD disk.
Screw that. I'll spend my money elsewhere.
/johnny
That is also my opinion.
Good luck with that one! UEFI has been on every board manufactured since 2008. It will soon replaced the traditional BIOS, and I, for one, am excited about that.
The problem is with the actual mechanism of 'secure boot.' If you don't have the hash used to create the secure boot portion of the UEFI boot processor, you can't modify it. If you can flash your UEFI processor, you can do whatever you want to it. That's the beauty of the GNU licensing platform.
Problem is that since Win8 requires secure boot, you're stuck using it, and as I understand it, Win8 actually creates the secure boot sector on the UEFI processor and locks it. That's the ultimate issue here. Use Secure Boot all day long, but don't lock it or otherwise force us out of it. It has a purpose, but since it's been compromised and hijacked by Micro$oft, they want to get rid of it altogether.
I have zero experience with UEFI—doesn’t it have a boot order? Get rid of the CD in the boot order.
Incorrect--I bought my current machine in 2010. It does not have UEFI on it.
It had a boot order but the options were greyed out.
Could not choose any option other than Boot from CD
while the UEFI Secure Boot was still in place.
Gotcha. That truly sux,
But what do I know? I'm just an IT professional with over 30 years experience.
It might not be enabled, but it’s on there. It’s part of the integrated architectural plan used in every PCB maker’s tool shop across the world. If you don’t have it, then you’re using a mobo modified post-process by the manufacturer or an OEM using old reference layouts.
It’s not on there. I’ve checked.
What brand mobo do you have, just out of curiosity?
MSI. It’s an MSI GT680R laptop with a corei7 Quad-core CPU.
My apologies, I thought it was a desktop. I don’t believe laptop reference layouts are affected by the UEFI standard quite yet.
/johnny
Ahh—gotcha. I haven’t purchased a desktop in years.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.