[Nix-dev] [nixos] The necessity of UEFI Secure Boot

Wout Mertens wout.mertens at gmail.com
Tue May 27 07:26:11 CEST 2014


So grub doesn’t work? I thought it did?

I saw that the Surface Pro 3 is a Secure Booting UEFI device... It would
make a nice NixOS laptop :-)

Also, the Ubuntu boot loader is apparently signed by Microsoft.

Just random thoughts, sorry.

Wout.
On May 26, 2014 2:44 PM, "Third3ye" <tredje0ye at gmail.com> wrote:

>  Personally I had to disable UEFI secure boot by using the "other OS"
> option... something which can cause severe problems for then again gaining
> access to the operating system, if the UEFI software completely dumps the
> KEKs. I was lucky and somehow got back in without having to resort to using
> a recovery USB stick. But I'm assuming this may be a problem for other users
> and seeing that more and more machines are released using UEFI and Secure
> Boot I feel this needs to be addressed.
>
> Since, however, it's out of my league I can only request that it be taken
> into consideration that shim should take over as the default UEFI solution.
> If not there is another solution called rf boot... rl boot? I can't
> remember. But here are a few articles that explain that it is not only
> possible but also necessary. How we approach such a problem... well, like I
> said: out of my league.
>
> Here is a rather large article about the issue of implementing UEFI Secure
> Boot in Linux.
>
> *"The Growing Role of UEFI Secure Boot in Linux Distributions"*
>
>
> http://www.linuxjournal.com/content/growing-role-uefi-secure-boot-linux-distributions
>
> For those of you who may be concerned that UEFI secure boot is challenging
> the presence of FOSS operating systems, the Linux Foundation released a
> document stating why these fears are not accurate.
>
> *"Making UEFI Secure Boot Work With Open Platforms"*
>
>
> https://www.linuxfoundation.org/sites/main/files/lf_uefi_secure_boot_open_platforms.pdf
>
> Conclusion of the article from The Linux Foundation:
>
> *"The UEFI secure boot facility is designed to be readily usable by both
> proprietary and open operating systems to improve the security of the
> bootstrap process. Some observers have expressed concerns that secure boot
> could be used to exclude open systems from the market, but, as we have
> shown above, there is no need for things to be that way. If vendors ship
> their systems in the setup mode and provide a means to add new KEKs to the
> firmware, those systems will fully support open operating systems while
> maintaining compliance with the Windows 8 logo requirements. The
> establishment of an independent certificate authority for the creation of
> KEKs would make interoperation easier, but is not necessary for these
> platforms to support open systems."*
>
>
> Thank you for your concern, now back to the Wiki work...
>
> Cheers!
> Signed Third3ye