Secure Boot booted from Debian 9 'Stretch'

Debian's release team has decided to postpone its implementation of Secure Boot. In a release update from last week, release team member Jonathan Wiltshire wrote that “At a recent team meeting, we decided that support for Secure Boot in the forthcoming Debian 9 'stretch' would no longer be a blocker to release. The likely, …

  1. Long John Brass
    Flame

    UEFI blows chunks

    UEFI is a twitchy, unstable, value-free replacement for something that has worked for decades

    The number of times a machine has failed to restart or failed to install at all due to that evil pile O crap

    *grumble*

    You'll get my BIOS when you pry it out of my cold dead fingers.

    1. Ken Hagan Gold badge

      Re: UEFI blows chunks

      I'm not sure that UEFI is the same as Secure Boot. At least in some contexts, the latter simply refers to whether the kernel (Debian's in this case) is digitally signed by Microsoft (I think). It is that signing requirement that people object to, not the idea of an extensible firmware.

      If you follow the link (in the article) to the mailing list then the very next post is someone saying that UEFI will be supported in live CDs. Since live CDs usually have an "install me to your hard drive" option, it would be slightly odd if Stretch supported UEFI on the CD but not on the HD.

      1. Anonymous Coward

        Re: UEFI blows chunks

        It's not "digitally signed by Microsoft", but you need to obtain the needed keys, or have them in the UEFI databases. See https://www.linuxfoundation.org/sites/lfcorp/files/lf_uefi_secure_boot_open_platforms.pdf and http://www.uefi.org/sites/default/files/resources/1_-_UEFI_Summit_Deploying_Secure_Boot_July_2012_0.pdf

        Microsoft is strongly pushing to have its keys installed on every machine, and to have SecureBoot active by default, and on some systems, without the option of being disabled. But if you look at the Linux Foundation paper, you will surprisingly find they do not object to this, as long as it is a customer choice (and it's not really different from what Apple does to secure its devices...)

  2. bombastic bob Silver badge
    Stop

    UEFI needs to *JUST* *DIE*

    UEFI needs to *JUST* *DIE*

    If a non-windows OS distro *MUST* comply with this jack-booted thuggery, then it's no longer "our hardware that we purchased". That's because SOMEONE ELSE has just decided FOR us how WE must 'play with our own toys'.

    1. Geoffrey W

      Re: UEFI needs to *JUST* *DIE*

      It was written by Lennart Poettering under a pseudonym, paid for by M$haft who also paid him for systemDaemon which was initially designed as a plan to engender dissension (and boils) throughout the communist world. True Fact!

    2. Anonymous Coward

      Re: UEFI needs to *JUST* *DIE*

      It looks like listening to a Tea Party computer group, "no government control over our PCs!!!!".

      Actually you didn't understand anything about UEFI and SecureBoot, and while wearing your tinfoil hat, you believe they are just to control your PC. Instead, protecting from the worst kind of malware, those that can infect boot files, they have a chance to better protect you from external infiltrations.

      But of course you don't trust the CAs either, and thereby back to square one. Call Ajit Pai, he could help you, probably...

    3. Anonymous Coward

      Re: UEFI needs to *JUST* *DIE*

      UEFI itself is fine, it's just Secure Boot that needs to die.

      1. cyberdemon Silver badge
        Devil

        Re: UEFI needs to *JUST* *DIE*

        No, the whole of UEFI needs to die. It's a bloated pile of crap. Can you tell me any useful features it adds over BIOS?

        I can tell you a few *unuseful* (and downright insidious) features: One: Intel Management Engine. As of UEFI, Intel-based chips can no longer be used in real-time systems, because the OS is effectively inside a VM, being scheduled by Intel's evil firmware. Said firmware is running a full network stack, and can intercept packets without the OS's knowledge (see Intel Anti-Theft)

        Two: Obfuscating and eliminating third-party scrutiny. It is no longer possible to have a bootloader free from Intel signed binary blobs. (secure boot or no secure boot). See https://libreboot.org/faq.html#intel

        Three: World-domination for somebody? If there are backdoors in UEFI then it has all kinds of evil implications..

        The only real *use* for UEFI is to protect the triumvirate of Intel, Apple, and Microsoft from any present/future competition.

        1. Anonymous Coward

          Re: UEFI needs to *JUST* *DIE*

          Intel ME and such has NOTHING to do with UEFI.

          UEFI does add features, such as boot management without resorting to another layer like GRUB. Decent PXE support without using iPXE, etc. Also having your OS being able to write to the UEFI "console" and having that automatically go to the local screen, IPMI serial redirection, etc without having to reconfigure the OS ISO to point to an emulated serial port is awesome!

          UEFI isn't tied to Intel. The same people making your old buggy BIOS are also making your new buggy UEFI, just without the last 40+ years of legacy crap that they're having to emulate.

          1. Anonymous Coward

            Re: UEFI needs to *JUST* *DIE*

            ... and also handy things like the Tianocore UEFI shell, which can come in really handy and do things like configure hardware (CNEs, RAID controllers, etc) before the OS. UEFI GOP support, which is used heavily by FreeBSD's bhyve hypervisor, etc.

            1. Geoffrey W

              Re: UEFI needs to *JUST* *DIE*

              All right, all right, that goes without saying; but...What else has UEFI done for us?

        2. dns53

          Re: UEFI needs to *JUST* *DIE*

          There are quite a few advantages over a bios.

          One of the main things is that it is an actual documented system and not a system that relies on an undocumented hack that works most of the time or at least until someone like Adobe copy protection breaks your boot.

          There is a TCP/IP stack in UEFI and it is now possible to boot an iso image over HTTP by adding a boot entry.

          There are some cool things like graphical boot menus such as rEFInd.

          There is python, lua and a shell environment so you can do stuff without having an operating system.

          1. Anonymous Coward

            Re: UEFI needs to *JUST* *DIE*

            The MBR install process was fraught with complexity too, it's just more familiar for most of us. I tried switching to UEFI boot for the first time the other week, everything worked first time. The boot process is quicker too (not that it matters on a server).

  3. Field Commander A9

    Most Linux distros are such flimsy OSes..

    that almost nobody would use them if they weren't free.

    ('cept for RHEL and SLES, which are actually solid)

    1. Anonymous Coward
      Linux

      Re: Most Linux distros are such flimsy OSes..

      That must be the reason most of the world's mobile devices run on Android. The same Android that Microsoft is extorting revenue from the Android handset makers and, after the failure of its own mobile business, develops apps for Android devices. Without their monopoly on the desktop, you literally couldn't give VistaXP away.

      Is this you link

      1. handleoclast

        Re: Most Linux distros are such flimsy OSes..

        Damn you for posting that link. I'd managed to forget that video. Now it's back in my head and I don't have any mind bleach.

        If I had a body that looked like that, the last thing I'd do would be to make a spectacle on stage drawing people's attention to it. Hmmmm, I do have a body like that, which is why I avoid running around whooping like a loon drawing attention to myself.

        On the intertubes, nobody knows you look like Ballmer.

      2. Anonymous Coward

        Re: Most Linux distros are such flimsy OSes..

        The real reason? Linux is free, most of the tooling too, and you don't have to invest much money to build something upon it. That's the only reason why Linux became so widespread. If it cost even $10 a license, nobody would have used it - because it uses an outdated architecture and is full of usability issues. That's why as a desktop OS it never went anywhere.

        1. Anonymous Coward
          Linux

          Linux uses an outdated architecture :)

          "nobody would have used it - because it uses an outdated architecture and is full of usability issues" .. unquote ...

          Ubuntu 3D Desktop

          Best Linux Distros for Gaming in 2017

          SteamOS vs Windows - Gameplay Shoot-Out

          Top 10 Most Awesome Linux Games

        2. Anonymous Coward

          Re: Most Linux distros are such flimsy OSes..

          Erm, It's updated and maintained by enthusiasts, experts, and probably some purist nerds.

          It's generally very good.

          The downside is that their labours are to a greater extent voluntary, free, and generate differing approaches to certain problems (hence multiple distros).

          I certainly would not have the cheek to describe it as flimsy or outdated. Indeed look at your Microsoft windows installation change over the last 15 years, many of the folder structures have morphed into those used by Linux (or at least unix).

          For my part, I want to buy a CPU - end of. I don't want to have to choose a Windows CPU, a Linux CPU, a Solaris CPU, or a Raspbian CPU, etc because each vendor has a beef with "secure" boot. This exceeds the idea of security and becomes vendor-specific boot, or pay me enough and you may boot (not great for a volunteer-led platform). This is not security, it's blatant commercial blackmail by nuking competition.

          I use, and have used, many operating platforms, all have pros and cons but I certainly don't want the anti-competitive full-stack model across the PC industry. It WILL NOT be good for advancing technology into the future.

    2. keithpeter Silver badge
      Coat

      Cores - Re: Most Linux distros are such flimsy OSes..

      @Field Commander A9

      What do you suggest people use on larger machines? Perhaps something like this...

      http://www.sns.ias.edu/computing/hyperion_cluster/overview

      ...or the machines that run Google, Facebook and all the rest of the Interweb.

  4. Anonymous Coward

    Security enhancements ?!

    Like those spyware add-ons that happily survive OS reinstall? Like preventing you from installing anything that Microsoft doesn't fancy? Developers and users disappointed? Disappointed by what, being locked-in? Hello!

    1. phuzz Silver badge
      Boffin

      Re: Security enhancements ?!

      The point of secure boot is that when it's implemented correctly, your OS won't boot unless every part of the boot process is signed by keys which live in the EFI of your motherboard.

      Microsoft have made sure that basically every motherboard includes their own keys, but most motherboards will allow you to add (and remove) your own keys. This does mean that you'll have to do your research before buying hardware, but you were already, right?

      So, that spyware that survives a reboot that you're worried about? With secure boot you can make sure that it cannot inject itself into your boot process.

  5. frank ly

    Debut

    I've been running Stretch for a month now and I'm very happy with it. I recommend you try the RC netinstall installation. I do a manual update every week and that will merge me seamlessly into the official release when it happens. After running Mint for four years, the transition was painless. It doesn't have the hand-holding Software Manager but I don't need that anymore.

  6. PNGuinn
    Trollface

    UEFI secure boot booted from Debian 9

    So?

    Who needs Secure Boot when you've got systemd?

    1. Chika
      Pint

      Re: UEFI secure boot booted from Debian 9

      Very droll.

  7. zhsysnova

    Why not use Ubuntu UEFI/secure boot code

    Ubuntu has supported UEFI/secure boot for years, so why don't Debian devs just use their solution? It's all free software. Why reinvent wheels?

  8. Norman Nescio Silver badge

    UEFI and Secure Boot

    UEFI and Secure Boot are two different things. UEFI (if implemented according to the open specification) enables Secure Boot, but, afaik, doesn't mandate it. In fact, very little is mandated by the UEFI specification, which some people think is a shame, and a lost opportunity to get a little more standardisation into the insanity that is the boot process across a lot of systems (UEFI is not just for PCs).

    One of the points about UEFI is that instead of writing some code to the 440 bytes available in the MBR then finding more space somewhere on the disk that you can shoehorn some more code into (there is no standard for this), that won't be stomped on by the next OS to install on the same HD, you have an entire partition with a known filesystem and structure dedicated to boot code.

    Please don't confuse the crappy implementations of UEFI found on many (most?) PCs these days with what it is actually capable of.

    Secure Boot is mainly about the availability and management of signing keys and deciding who you trust.

    However, if you can keep using BIOS booting on your hardware, there's no good reason to change, unless you like to try new things for the sake of it. UEFI has some good features, but if BIOS is good enough for your purposes, stick with it. This isn't a holy war.
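
The disk layout contrasted in the comment above, as an added example that is not part of the original thread: a Python parser for a disk's first sector that reports how much of the 440-byte boot-code area is in use, decodes the four-entry partition table, and recognises the 0xEE protective entry that marks a GPT-partitioned disk. The sample sectors, the disk signature value and the helper `build_sector` are constructed for illustration.

```python
import struct

BOOT_CODE_LEN = 440   # bootstrap code area: all the room a BIOS boot loader gets here
TABLE_OFF = 446       # follows the 4-byte disk signature and 2 reserved bytes
TYPES = {0x83: "Linux", 0xEE: "GPT protective", 0xEF: "EFI System Partition"}

def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte sector 0 into boot-code usage and partition entries."""
    if len(sector) != 512:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        # entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, TABLE_OFF + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"bootable": status == 0x80,
                          "type": TYPES.get(ptype, hex(ptype)),
                          "lba_start": lba, "sectors": count})
    return {
        "boot_code_used": len(sector[:BOOT_CODE_LEN].rstrip(b"\x00")),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        # a 0xEE entry means the real partition table is a GPT, not this one
        "scheme": "gpt" if any(p["type"] == "GPT protective" for p in parts) else "mbr",
        "partitions": parts,
    }

def build_sector(boot_code: bytes, entry: tuple) -> bytes:
    """Hypothetical helper: build a sample sector with one partition entry."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in 440 bytes")
    status, ptype, lba, count = entry
    table = struct.pack("<B3xB3xII", status, ptype, lba, count).ljust(64, b"\x00")
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00")
            + struct.pack("<IH", 0x1234ABCD, 0) + table + b"\x55\xaa")

# Constructed samples, not real disk images.
LEGACY = build_sector(b"\xeb\x3c\x90" + b"\x90" * 400, (0x80, 0x83, 2048, 204800))
PROTECTIVE = build_sector(b"", (0x00, 0xEE, 1, 0xFFFFFFFF))

if __name__ == "__main__":
    for name, sec in (("legacy", LEGACY), ("protective", PROTECTIVE)):
        print(name, parse_mbr(sec))
```

On a real system the same function can be fed the first 512 bytes read from a disk image file.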
