Security wise advantage of Secure Boot EFI over BIOS

Is Secure Boot more advanced (security-wise) than BIOS, or just another piece of bloatware?

The only thing I know about secure boot is, “In order to boot a linux distro, I need to install it in secure boot mode or turn off secure boot in BIOS/EFI” :slight_smile:

Hi
Since it’s not a direct request for help, will move to Chit-Chat…

To the nntp folks, please wait until it’s moved :wink:

Thread moved and opened for consumption…

Secure boot is part of the UEFI (BIOS) model. It helps protect the boot chain of an OS from malware. But IMHO if malware can modify your boot chain then you are already owned. A little like locking the front door and leaving the backdoor open.

Considering the more sophisticated attacks now use your hardware directly as an assault vector (such as USB sticks, firmwares of said devices/harddrives/SSD) the ‘secure boot’ is a pretty useless gimmick.

It’s much more effective at preventing people from using their devices freely than anything else.

I blogged about this two weeks ago:
My assessment of secure-boot
Quick summary: I join the skeptics on the value of secure-boot.

On Thu 09 Apr 2015 01:26:02 PM CDT, nrickert wrote:

> I blogged about this two weeks ago:
> ‘My assessment of secure-boot’ (http://tinyurl.com/pkfomaq)
> Quick summary: I join the skeptics on the value of secure-boot.

Hi
It doesn’t really matter with physical access… But there is nothing
stopping you creating your own keys to sign everything…

Also note that some bits are disabled in the openSUSE kernel, not so in
SLE…


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.39-47-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

So to sum it up.
Secure boot only checks the signature of boot-loader.
If a malware is blessed with signature of a certificate, the secureboot will allow it to boot.
If the firmware / efi has bug / backdoor then also secure boot can be taken down.
The EFI manufacturer might have deliberately left a backdoor for a three-letter organisation (in that case only FSF’s coreboot should be trusted)
Or firmware manufacturers are too lazy to fix bugs. (Again coreboot will be ahead of device manufacturers for patching bugs)
Or consumers will be lazy in applying updates. (Linux users, being geeks, won’t be so lazy)

Now the problem comes: coreboot will be successful only if the device manufacturers collaborate with the FSF. And the FSF is accusing Intel of not collaborating.

In short: dump Intel, buy AMD.

Edit: coreboot is a different project. Libreboot, which is based on coreboot, belongs to the FSF.

Hi
This would only happen if the user self-signs and/or accepts the hypothetical malware keys, so again it’s a physical action on the end user. There is quite a process to go through (as well as $$ to MS) for the certification process, so it is very unlikely to be, as you put it, ‘blessed’ and make it through. The end user is the one to push the button to say accept or decline the key…

It also checks the signature of the kernel. But it does not check the “initrd” nor the “grub.cfg”.

> If a malware is blessed with signature of a certificate, the secureboot will allow it to boot.

It can’t be any old signature. It has to be from a certificate signed by Microsoft or by your Linux vendor or imported into MokManager.

> If the firmware / efi has bug / backdoor then also secure boot can be taken down.

Yes, this would be a problem. There have been some suggestions that it is easier than it should be, to insert malware into the firmware or to insert a backdoor into the firmware.

Obviously not any certificate. What if a malware is blessed with a certificate acceptable to Microsoft or a Linux distro with the secure boot feature?

Edit: I think there is a caveat in this hypothesis of mine. For the Linux boot loader, only certificates imported by MokManager can boot. I’m confused. Somebody enlighten me.

Yes, that’s about right.

The first stage, “shim.efi” is normally signed by Microsoft. Anything else has to be signed by a key stored in MokManager (perhaps installed with MokManager at the initial install).

For example, with my openSUSE install I cannot secure-boot an Ubuntu kernel unless I add the needed Canonical keys to MokManager, or sign the kernel myself and add my signing key to MokManager.
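The split described in the replies above (shim and kernel are signed, while the initrd and grub.cfg are not checked) can be inspected on disk, because EFI binaries signed for Secure Boot embed the signature in the PE certificate table. This is an added example, not code from any poster or from openSUSE; `pe_signatures`, `sample_pe` and `audit` are hypothetical names and the sample bytes are constructed. It reports only whether a signature entry is present and does not validate it.

```python
import struct

def pe_signatures(data: bytes):
    """Signature entries of a PE image: [] if unsigned, None if not PE."""
    try:
        if data[:2] != b"MZ":
            return None
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return None
        opt = pe_off + 24  # optional header follows PE signature + COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+
        (ndirs,) = struct.unpack_from("<I", data, dirs - 4)
        if ndirs <= 4:
            return []
        off, size = struct.unpack_from("<II", data, dirs + 32)  # dir 4: cert table
    except (struct.error, KeyError):
        return None
    end = off + size  # for this directory the "address" is a file offset
    if end > len(data):
        raise ValueError("certificate table runs past end of file")
    sigs = []
    while off + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        sigs.append((rev, ctype, length - 8))
        off += (length + 7) & ~7  # entries are 8-byte aligned
    return sigs

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ headers, optionally with one dummy entry."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    cert = b""
    if signed:
        blob = b"constructed-not-a-real-pkcs7"
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        cert += bytes(-len(cert) % 8)
        struct.pack_into("<II", opt, 144, 0x40 + 24 + 240, len(cert))
    return dos + coff + bytes(opt) + cert

def audit(files: dict) -> dict:
    """Label each boot file: 'not PE', 'unsigned PE' or 'signed PE'."""
    label = lambda s: "not PE" if s is None else "signed PE" if s else "unsigned PE"
    return {name: label(pe_signatures(d)) for name, d in files.items()}
```

Checking an entry against a certificate is a separate step, for which `sbverify` from sbsigntools exists.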

It’s just a standard to block Linux, the creators of secure boot and UEFI should be sued

On Fri, 17 Apr 2015 06:06:01 +0000, MadmanRB wrote:

> It’s just a standard to block Linux, the creators of secure boot and UEFI
> should be sued

Why? They just created it, they’re not proscribing how it is to be
used. If someone uses it to lock out competition, that’s something
that’s actionable.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On Fri 17 Apr 2015 03:33:02 PM CDT, Jim Henderson wrote:

> On Fri, 17 Apr 2015 06:06:01 +0000, MadmanRB wrote:
>
> > It’s just a standard to block Linux, the creators of secure boot and
> > UEFI should be sued
>
> Why? They just created it, they’re not proscribing how it is to be
> used. If someone uses it to lock out competition, that’s something
> that’s actionable.
>
> Jim

Hi
EFI booting has been around for a long time, maybe even longer than
grub…



My own experience with this new UEFI, having just upgraded to a new board, is confusion. It took me ages to properly install Windows 8, the Asus manual said nothing about GPT partitions etc and the Windows installer was useless… Then trying to work out how to dual boot on a different hard-drive was again not obvious.

The thing is I’m not new to Linux having been a user for nearly ten years now. I look at the forum for openSUSE and Kubuntu/Ubuntu and they are filled with confused users… It may be to put newbies off Windows but what about even reinstalling Windows… Crazy situation and for me another reason for the introduction of open hardware… Well I’m hoping :slight_smile:

On 2015-04-18, Penguinclaw <Penguinclaw@no-mx.forums.microfocus.com> wrote:
> My own experience with this new UEFI, having just upgraded to a new
> board, is confusion. It took me ages to properly install Windows 8, the
> Asus manual said nothing about GPT partitions etc and the Windows
> installer was useless… Then trying to work out how to dual boot on
> a different hard-drive was again not obvious.

I’m not sure anyone else shares my experiences, but I found openSUSE by far gives the smoothest UEFI dual-boot (with or
without SecureBoot). GRUB2_EFI is very good, despite criticism of it being over-engineered. My only problem with it
is that sometimes the resolution options on EFI-GOP drivers are rubbish but somehow the openSUSE team have managed to
work around it.

> The thing is I’m not new to Linux having been a user for nearly ten
> years now. I look at the forum for openSUSE and Kubuntu/Ubuntu and they
> are filled with confused users… It may be to put newbies off Windows
> but what about even reinstalling Windows…

I agree. I’ve heard people say that they don’t use GNU/Linux because it’s difficult to install. And then I ask them ‘how
many times have you installed Windows?’

I mostly agree. It is working very well.