Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
On Fri, 02 Nov 2012 10:17:21 -0400 Jerry Feldman <gaf at blu.org> wrote: > The bottom line here is that UEFI will prevent some Linux users from > installing Linux, especially in the near future. I suspect that all No, it will not. Anyone who tells you otherwise is either lying or has bought into the anti-Microsoft propaganda. There is no truth to the claim that UEFI Secure Boot will lock users out of running the OS of their choice. If you buy x86 hardware with the Windows 8 sticker then it MUST be possible to disable UEFI Secure Boot. Microsoft will not allow the manufacturer to ship the hardware with Windows 8 otherwise. I keep hearing about how manufacturers will "forget" to include the option. No, they won't forget, or they'll correct it with a hotfix, because if they forget and don't fix then Microsoft will pull their Windows 8 certifications and the OEMs don't get to ship Windows 8 until they undergo the certification process again. If you buy x86 hardware without the Windows 8 sticker then it won't have UEFI Secure Boot enabled or it will be a switch for specific operating systems that have signed boot loaders. In none of these cases does UEFI Secure Boot prevent the installation and operation of the OS of your choice. In the case of ARM hardware that ships with Windows 8, which is Windows Phone and Surface/RT, you can't run Linux on any of it anyway due to lack of hardware support. UEFI Secure Boot has nothing to do with that. > major distros will be able to install on a UEFI system with very > little user interaction. However, we also need to gain some knowledge > so that when we do encounter UEFI at installfests, we know what to do. I am writing this right now on a Dell (Alienware) notebook running Windows 7. The system firmware has UEFI Secure Boot which Windows 7 does not recognize. I use a Clonezilla live USB image to perform backups with this firmware on the system. I sometimes try out new Linux live CD spins on it. None of these recognize or support UEFI Secure Boot and none of them are blocked by it. Why? Because it's turned off. You shut it off in the EFI configuration screen. That's it. Press whatever key sequence during POST, shuffle over to the appropriate settings tab, and set it to "OFF". Save and reboot. Do the same thing on servers -- although why you'd buy a server with Windows 8 on it is beyond me. The Windows 8 trust chain runs from the firmware all the way up through the kernel going multi-user (maybe further; I'm not sure about that). Each step of the startup process validates the signature on the next step before executing it. Linux has no such trust chain so there's no point to having UEFI Secure Boot enabled on Linux computers. Just turn it off. In the oddball case where you need Secure Boot and you can't use one of the Big Three-provided signed boot loaders then install your own certificates in the UEFI protected storage and use that to sign your otherwise standard boot loader. The example that I'm looking at requires three commands with the Windows 8 SDK (because if you're even looking at this option then you have Windows 8) to generate the certificates and one to sign an EFI executable. Installing the certs from the EFI shell is a simple process: Enroll KEK, Enroll PK. Copy the self-signed EFI loader to the correct place and you're done. -- Rich P.
BLU is a member of BostonUserGroups | |
We also thank MIT for the use of their facilities. |