
#1 2015-03-21 12:11:48

mcloaked
Member
From: Yorkshire, UK
Registered: 2012-02-02
Posts: 1,222

Upcoming issues for secure boot and arch installs

I came across this rather worrying article indicating that when Microsoft starts approving hardware for Windows 10 machines they may not allow secure boot to be turned off, and thereby make it very difficult for users to install arch on such a machine unless it can be booted using secure boot:

http://arstechnica.com/information-tech … a-reality/

I suppose at some point there will need to be a method of getting the appropriate certificates for arch to allow booting on machines using secure boot.


Mike C

Offline

#2 2015-03-21 13:07:12

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,442
Website

Re: Upcoming issues for secure boot and arch installs

Not an installation issue.  Moving to GNU/Linux discussion.

But in reality I'm not sure how this is anything at this point.  Either this will happen or it won't.  If it does, just don't buy that hardware.  Archlinux cannot be installed on all hardware, so this will just be new hardware that is not compatible with arch - or any linux for that matter.  If MS gets windows to run on a kerosene powered cheese grater, then good for them - I will not worry about arch being "locked out" - I'll just opt for sane hardware.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#3 2015-03-21 13:27:28

mychris
Member
From: Munich
Registered: 2012-09-15
Posts: 68

Re: Upcoming issues for secure boot and arch installs

I've heard the systemd guys are working on integrating secure boot with systemd and gummiboot. So you might be able to sign everything yourself and secureboot your GNU/Linux/Systemd machine.

But currently I don't know anything about it and don't care about it. Like trilby said, if I'm not able to use a specific hardware I will not use it.

Offline

#4 2015-03-21 16:10:53

bromanbro
Member
Registered: 2015-03-01
Posts: 7

Re: Upcoming issues for secure boot and arch installs

If someone doesn't allow Secure Boot to be disabled via BIOS, then they'll suffer sales wise (how much, who knows).

However, I doubt all vendors will disable that option, so it won't be a huge problem imo.


Also Dell does sell specific Ubuntu PCs.

Offline

#5 2015-03-21 16:27:46

mcloaked
Member
From: Yorkshire, UK
Registered: 2012-02-02
Posts: 1,222

Re: Upcoming issues for secure boot and arch installs

mychris wrote:

I've heard the systemd guys are working on integrating secure boot with systemd and gummiboot. So you might be able to sign everything yourself and secureboot your GNU/Linux/Systemd machine.

But currently I don't know anything about it and don't care about it. Like trilby said, if I'm not able to use a specific hardware I will not use it.

Sure I won't buy hardware that I can't install Arch on - but what is a potential problem is if OEMs are forced into only selling locked hardware if they wish to sell it with Windows on it in the future - that would give MS a monopoly position - and for laptops it is not so easy to find hardware that is free of MS apart from a limited range of laptops that have Ubuntu installed when supplied (and of course IOS and chromeos based machines). For desktops it is not too difficult to buy components or barebones systems that you can customise and install whatever you like on - but laptops don't generally fall into that option range.  I do have to keep Windows for some tasks that it is close to impossible to do without Windows (like satnav updates for example) though in principle a VM could be used with Windows on it. It is a shame that for this kind of task there isn't a linux alternative that avoids Windows altogether! It would be nice to find barebones laptops that you can install any OS of choice on with none on the machine at the time of purchase.

I know this argument was discussed at length before Secure Boot appeared in the machines that are on the market now - and at the time I thought that the basic principle of not having one O/S manufacturer monopolising the market and excluding other O/Ses had been established and expected to continue along this path - but the news item indicates that a significant departure from that policy may now take place over the next year or two. Giving users the option to disable Secure Boot has no impact on the security of the Windows O/S on a particular machine unless the user actively disables it but that should remain the user's choice. The only reason to lock down the BIOS in this way is to attempt to close off competition to Windows. In a true free market there should be hardware that is not so locked - or at least have as much choice of hardware that is not incumbent on control from MS. There are worries that the BIOS is vulnerable to firmware hacking but that could in principle happen even if the Secure Boot option is designed to have no user control to turn it off.  Maybe devices that will re-flash the BIOS with one that does allow Secure Boot will be developed - I seem to remember that some machines are "operated on" during delivery to customers in that kind of way to install firmware components that are not in place at manufacture - so that kind of technology already exists.

It will no doubt be interesting to see how this plays out over the next couple of years.

Edit:  I guess if it comes to the crunch that people will start to play with the information such as at https://wiki.archlinux.org/index.php/Un … ecure_Boot

Last edited by mcloaked (2015-03-21 17:00:28)


Mike C

Offline

#6 2015-03-21 18:54:30

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: Upcoming issues for secure boot and arch installs

You boot it to windows and the malware will still mess up the bootloader or at least make sure that it can still reload itself again.

Last edited by nomorewindows (2015-03-21 18:55:24)


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#7 2015-03-21 19:00:18

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: Upcoming issues for secure boot and arch installs

mcloaked wrote:

It would be nice to find barebones laptops that you can install any OS of choice on with none on the machine at the time of purchase.

As you are also in the UK, you will find this site useful:
http://www.pcspecialist.co.uk/

I have purchased from them and their service & customer support is first rate.

Offline

#8 2015-03-21 19:01:56

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Upcoming issues for secure boot and arch installs

nomorewindows wrote:

You boot it to windows and the malware will still mess up the bootloader or at least make sure that it can still reload itself again.

You mean the malware that's shipped with the hardware or ...?

Last edited by karol (2015-03-21 19:02:18)

Offline

#9 2015-03-21 19:04:46

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: Upcoming issues for secure boot and arch installs

karol wrote:
nomorewindows wrote:

You boot it to windows and the malware will still mess up the bootloader or at least make sure that it can still reload itself again.

You mean the malware that's shipped with the hardware or ...?

Well we'll just slip some malware right into the SecureBoot implementation or maybe even Windows itself.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#10 2015-03-21 19:13:35

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,442
Website

Re: Upcoming issues for secure boot and arch installs

nomorewindows wrote:

Well we'll just slip some malware right into the SecureBoot implementation or maybe even Windows itself.

I'm not really clear on what you are saying.  But I'm pretty sure it runs counter to our guidelines.  Feel free to criticize, but stick to substantiated claims, not speculation or baseless accusations.

EDIT: I may have misunderstood some context and intent - so please don't see this as any finger pointing.  The reminder of our policy is still worth noting for everyone in this discussion.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#11 2015-03-21 19:30:23

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Upcoming issues for secure boot and arch installs

Offline

#12 2015-03-21 20:52:35

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: Upcoming issues for secure boot and arch installs

karol wrote:

It's just a racket isn't it?  I use Linux and I don't even need Secure Boot, and I rarely encounter malware.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#13 2015-03-21 21:20:40

mcloaked
Member
From: Yorkshire, UK
Registered: 2012-02-02
Posts: 1,222

Re: Upcoming issues for secure boot and arch installs

Head_on_a_Stick wrote:
mcloaked wrote:

It would be nice to find barebones laptops that you can install any OS of choice on with none on the machine at the time of purchase.

As you are also in the UK, you will find this site useful:
http://www.pcspecialist.co.uk/

I have purchased from them and their service & customer support is first rate.

Thank you for that link - I had not come across this supplier but looking at their available machines they look like a nice set of options.

By the way it also looks like the original issue in this thread was also flagged in another thread at https://bbs.archlinux.org/viewtopic.php … 6#p1513066

Last edited by mcloaked (2015-03-21 21:24:05)


Mike C

Offline

#14 2015-03-22 23:06:31

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: Upcoming issues for secure boot and arch installs

mcloaked wrote:
mychris wrote:

I've heard the systemd guys are working on integrating secure boot with systemd and gummiboot. So you might be able to sign everything yourself and secureboot your GNU/Linux/Systemd machine.

But currently I don't know anything about it and don't care about it. Like trilby said, if I'm not able to use a specific hardware I will not use it.

Sure I won't buy hardware that I can't install Arch on - but what is a potential problem is if OEMs are forced into only selling locked hardware if they wish to sell it with Windows on it in the future - that would give MS a monopoly position - and for laptops it is not so easy to find hardware that is free of MS apart from a limited range of laptops that have Ubuntu installed when supplied (and of course IOS and chromeos based machines). For desktops it is not too difficult to buy components or barebones systems that you can customise and install whatever you like on - but laptops don't generally fall into that option range.  I do have to keep Windows for some tasks that it is close to impossible to do without Windows (like satnav updates for example) though in principle a VM could be used with Windows on it. It is a shame that for this kind of task there isn't a linux alternative that avoids Windows altogether! It would be nice to find barebones laptops that you can install any OS of choice on with none on the machine at the time of purchase.

I know this argument was discussed at length before Secure Boot appeared in the machines that are on the market now - and at the time I thought that the basic principle of not having one O/S manufacturer monopolising the market and excluding other O/Ses had been established and expected to continue along this path - but the news item indicates that a significant departure from that policy may now take place over the next year or two. Giving users the option to disable Secure Boot has no impact on the security of the Windows O/S on a particular machine unless the user actively disables it but that should remain the user's choice. The only reason to lock down the BIOS in this way is to attempt to close off competition to Windows. In a true free market there should be hardware that is not so locked - or at least have as much choice of hardware that is not incumbent on control from MS. There are worries that the BIOS is vulnerable to firmware hacking but that could in principle happen even if the Secure Boot option is designed to have no user control to turn it off.  Maybe devices that will re-flash the BIOS with one that does allow Secure Boot will be developed - I seem to remember that some machines are "operated on" during delivery to customers in that kind of way to install firmware components that are not in place at manufacture - so that kind of technology already exists.

It will no doubt be interesting to see how this plays out over the next couple of years.

Edit:  I guess if it comes to the crunch that people will start to play with the information such as at https://wiki.archlinux.org/index.php/Un … ecure_Boot

I've tried using VB as a PXE client for Arch, and VB keeps blowing up.  It's better if you just run it straight.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#15 2015-03-23 21:47:56

Odaer
Member
Registered: 2010-08-14
Posts: 87

Re: Upcoming issues for secure boot and arch installs

bromanbro wrote:

If someone doesn't allow Secure Boot to be disabled via BIOS, then they'll suffer sales wise (how much, who knows).

However, I doubt all vendors will disable that option, so it won't be a huge problem imo.


Also Dell does sell specific Ubuntu PCs.

You are able to boot Ubuntu with secure boot enabled. It should be possible for DELL to sell secure boot only computers with ubuntu.


With an unsigned linux dist such as Arch, as I see it, this is only a problem if you want to dual boot with windows. If you don't have windows you should still be able to inactivate the secure boot? If some manufacturers remove the possibility to shut off the secure boot, buy another brand. This decision is up to the manufacturer of the computer, I don't see how MS is involved with this at all.

Last edited by Odaer (2015-03-23 21:53:55)

Offline

#16 2015-03-24 01:18:06

Buddlespit
Member
From: Chesapeake, Va.
Registered: 2014-02-07
Posts: 501

Re: Upcoming issues for secure boot and arch installs

Odaer wrote:

This decision is up to the manufacturer of the computer, I don't see how MS is involved with this at all.

What MS is proposing is a secure boot that cannot be disabled.

Offline

#17 2015-03-24 07:38:59

Odaer
Member
Registered: 2010-08-14
Posts: 87

Re: Upcoming issues for secure boot and arch installs

Buddlespit wrote:
Odaer wrote:

This decision is up to the manufacturer of the computer, I don't see how MS is involved with this at all.

What MS is proposing is a secure boot that cannot be disabled.


As I understand it they remove the requirement it should be possible to disable it, they don't forbid an option to disable it? I think it is still up to the manufacturers if they have the feature or not? But if you have the possibility and disable it, windows is not going to boot so the possibility to dual boot with a not signed system is gone?

Last edited by Odaer (2015-03-24 11:03:13)

Offline

#18 2015-03-24 08:22:11

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: Upcoming issues for secure boot and arch installs

It's expensive but this is a possible solution:
http://shop.gluglug.org.uk/product/libr … n-service/

Offline

#19 2015-03-24 10:12:25

mcloaked
Member
From: Yorkshire, UK
Registered: 2012-02-02
Posts: 1,222

Re: Upcoming issues for secure boot and arch installs

Head_on_a_Stick wrote:

It's expensive but this is a possible solution:
http://shop.gluglug.org.uk/product/libr … n-service/

It's a possible solution for the very limited range of laptops that they include in their service.  It would certainly be nice if there was a way to either amend the existing BIOS settings in many other machines, or have the ability to install a BIOS that was free of proprietary limitations. Libreboot is a nice piece of work but it isn't available for a significant range of machines.  For the most part the majority of people buying a laptop or desktop have little option but to accept the way the BIOS is set up at the time of buying the machine.  Of course for anyone building their own machine as barebones it is likely not to have a secure boot lock restriction. One of the machines that I am interested in is a fanless Broadwell Intel NUC, that could form the basis of a pretty capable desktop replacement especially with i7 versions becoming available later this year.  As an Arch machine that could have very reasonable performance.  Later when the Skylake series of motherboards is released that might be even more interesting!

Can one get a Broadwell laptop that is barebones with no O/S installed at this time?  That would be something worth exploring for Arch users.


Mike C

Offline

#20 2015-03-24 10:28:40

kokoko3k
Member
Registered: 2008-11-14
Posts: 2,390

Re: Upcoming issues for secure boot and arch installs

I'm a total noob when it comes to secure boot related things, so please excuse the probably stupid question.
Is it possible to self sign a kernel, or even better the bootloader to get past SB?

Last edited by kokoko3k (2015-03-24 10:29:07)


Help me to improve ssh-rdp !
Retroarch User? Try my koko-aio shader !

Offline

#21 2015-03-24 10:44:31

mcloaked
Member
From: Yorkshire, UK
Registered: 2012-02-02
Posts: 1,222

Re: Upcoming issues for secure boot and arch installs

kokoko3k wrote:

I'm a total noob when it comes to secure boot related things, so please excuse the probably stupid question.
Is it possible to self sign a kernel, or even better the bootloader to get past SB?

It is not a stupid question at all.  There is some information at http://www.rodsbooks.com/efi-bootloader … eboot.html if you scroll down to the section "Using a Signed Boot Loader" there is some useful info.


Mike C

Offline

#22 2015-03-24 10:59:16

Buddlespit
Member
From: Chesapeake, Va.
Registered: 2014-02-07
Posts: 501

Re: Upcoming issues for secure boot and arch installs

Odaer wrote:
Buddlespit wrote:
Odaer wrote:

This decision is up to the manufacturer of the computer, I don't see how MS is involved with this at all.

What MS is proposing is a secure boot that cannot be disabled.


As I understand it they remove the requirement it should be possible to disable it? I think it is still up to the manufacturers if they have the feature or not? But if you have the possibility and disable it windows is not going to boot so the possibility to dual boot with a not signed system is gone?

What MS is saying is that if the manufacturer doesn't leave a switch, then the computer in question becomes a 'Windows 10 Certified' system. That appears to be the holy grail in manufacturing. I don't think anyone but the 1.5% of the computer using community would care if the computer system was 'Linux Certified'. The buzz today on tech sites is Windows 10, not Linux 4.0 or Nvidia TitanX or Plasma 5.

Offline

#23 2015-03-24 11:28:13

mcloaked
Member
From: Yorkshire, UK
Registered: 2012-02-02
Posts: 1,222

Re: Upcoming issues for secure boot and arch installs

Buddlespit wrote:
Odaer wrote:
Buddlespit wrote:

What MS is proposing is a secure boot that cannot be disabled.


As I understand it they remove the requirement it should be possible to disable it? I think it is still up to the manufacturers if they have the feature or not? But if you have the possibility and disable it windows is not going to boot so the possibility to dual boot with a not signed system is gone?

What MS is saying is that if the manufacturer doesn't leave a switch, then the computer in question becomes a 'Windows 10 Certified' system. That appears to be the holy grail in manufacturing. I don't think anyone but the 1.5% of the computer using community would care if the computer system was 'Linux Certified'. The buzz today on tech sites is Windows 10, not Linux 4.0 or Nvidia TitanX or Plasma 5.

So it does look like researching how to deal with secure boot for booting Arch might be a useful investment of time?


Mike C

Offline

#24 2015-03-24 12:17:25

kokoko3k
Member
Registered: 2008-11-14
Posts: 2,390

Re: Upcoming issues for secure boot and arch installs

mcloaked wrote:
kokoko3k wrote:

I'm a total noob when it comes to secure boot related things, so please excuse the probably stupid question.
Is it possible to self sign a kernel, or even better the bootloader to get past SB?

It is not a stupid question at all.  There is some information at http://www.rodsbooks.com/efi-bootloader … eboot.html if you scroll down to the section "Using a Signed Boot Loader" there is some useful info.

Thank you for the link.
It seems that using a pre-signed PreLoader (available to download) is the easiest way to boot whatever you like.
So, as long as I've not misunderstood, I don't see what the problem is...


Help me to improve ssh-rdp !
Retroarch User? Try my koko-aio shader !

Offline

#25 2015-03-24 21:07:39

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: Upcoming issues for secure boot and arch installs

mcloaked wrote:

Can one get a Broadwell laptop that is barebones with no O/S installed at this time?

http://www.pcspecialist.co.uk/notebooks/lafite/

Isn't she beautiful?

Offline
