UEFI BIOS

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

UEFI BIOS

Matt S-5
Has anyone been following Microsoft's recent attempts to muscle OEMs into
using the secureboot feature of UEFI or is this just a load of media hot air?
 Are there any plans for OpenBSD to support UEFI?

Thanks

Reply | Threaded
Open this post in threaded view
|

Re: UEFI BIOS

LeviaComm Networks NOC
On 01-Oct-11 13:40, Matt S wrote:
> Has anyone been following Microsoft's recent attempts to muscle OEMs into
> using the secureboot feature of UEFI or is this just a load of media hot air?
>   Are there any plans for OpenBSD to support UEFI?
>
> Thanks
>

First off, the UEFI boot will *not* prevent other OS's from booting, it
will only pop up a message saying that the boot process was not secure,
just like how you can run unsigned code and it will only pop up a box
stating as much.  It would be impossible to prevent an 'insecure' OS
from booting since that would prevent you from booting a newer version
of the Windows Installer.  Ideally UEFI would post a warning stating
that the OS signature is not on the list and allow you to add it.

OpenBSD already runs on UEFI/EFI systems (The Macintosh platforms and
others) so if the boot loader doesn't currently support UEFI, it
wouldn't take long to do.

Reply | Threaded
Open this post in threaded view
|

Re: UEFI BIOS

john slee
On 2 October 2011 08:03, LeviaComm Networks <[hidden email]> wrote:
> First off, the UEFI boot will *not* prevent other OS's from booting, it
will
> only pop up a message saying that the boot process was not secure, just
like
> how you can run unsigned code and it will only pop up a box stating as
much.
>  It would be impossible to prevent an 'insecure' OS from booting since that
> would prevent you from booting a newer version of the Windows Installer.
>  Ideally UEFI would post a warning stating that the OS signature is not on
> the list and allow you to add it.

... would it?  I should think that they could simply sign the new installer
with the existing keys.  OTOH it's quite possible that someone will extract
the private key(s) from the hardware, too.  It already happened for Apple's
Airport Express, no?

On balance, I really don't think this is worth the angst and scaremongering.

John

Reply | Threaded
Open this post in threaded view
|

Re: UEFI BIOS

Barbier, Jason
Yeah, honestly Microsoft has even said already, there will be no nagging the

only feature you lose by not using secured booting is the swift boot. if you
flip
secured UEFI off it just makes windows 8 go into standard boot. fear
mongering
is not needed, and in the end if a secured boot loader is needed all some
one would
have to do is like Intel for example, get a signed cert from grub and hand
it to manufacturers
so then there is a secured open boot loader. The secured EFI is just the
same principal
as the built in boot sector virus protection.

On Sat, Oct 1, 2011 at 4:43 PM, john slee <[hidden email]> wrote:

> On 2 October 2011 08:03, LeviaComm Networks <[hidden email]> wrote:
> > First off, the UEFI boot will *not* prevent other OS's from booting, it
> will
> > only pop up a message saying that the boot process was not secure, just
> like
> > how you can run unsigned code and it will only pop up a box stating as
> much.
> >  It would be impossible to prevent an 'insecure' OS from booting since
> that
> > would prevent you from booting a newer version of the Windows Installer.
> >  Ideally UEFI would post a warning stating that the OS signature is not
> on
> > the list and allow you to add it.
>
> ... would it?  I should think that they could simply sign the new installer
> with the existing keys.  OTOH it's quite possible that someone will extract
> the private key(s) from the hardware, too.  It already happened for Apple's
> Airport Express, no?
>
> On balance, I really don't think this is worth the angst and
> scaremongering.
>
> John
>
>


--
Defendere vivos a mortuis

Reply | Threaded
Open this post in threaded view
|

Re: UEFI BIOS

Michel Blais-2
What some fear is that some Microsoft OEM partner do a lazy job with a
minimal UEFI interface without the possibility to disable secure boot.
In that case, if secure boot block unsigned os at boot, it would be
impossible to install other os than Windows 8.

I have too often see BIOS missing lot of standard option.

Michel

Le 2011-10-01 20:36, Barbier, Jason a icrit :

> Yeah, honestly Microsoft has even said already, there will be no nagging the
>
> only feature you lose by not using secured booting is the swift boot. if you
> flip
> secured UEFI off it just makes windows 8 go into standard boot. fear
> mongering
> is not needed, and in the end if a secured boot loader is needed all some
> one would
> have to do is like Intel for example, get a signed cert from grub and hand
> it to manufacturers
> so then there is a secured open boot loader. The secured EFI is just the
> same principal
> as the built in boot sector virus protection.
>
> On Sat, Oct 1, 2011 at 4:43 PM, john slee<[hidden email]>  wrote:
>
>> On 2 October 2011 08:03, LeviaComm Networks<[hidden email]>  wrote:
>>> First off, the UEFI boot will *not* prevent other OS's from booting, it
>> will
>>> only pop up a message saying that the boot process was not secure, just
>> like
>>> how you can run unsigned code and it will only pop up a box stating as
>> much.
>>>   It would be impossible to prevent an 'insecure' OS from booting since
>> that
>>> would prevent you from booting a newer version of the Windows Installer.
>>>   Ideally UEFI would post a warning stating that the OS signature is not
>> on
>>> the list and allow you to add it.
>> ... would it?  I should think that they could simply sign the new installer
>> with the existing keys.  OTOH it's quite possible that someone will extract
>> the private key(s) from the hardware, too.  It already happened for Apple's
>> Airport Express, no?
>>
>> On balance, I really don't think this is worth the angst and
>> scaremongering.
>>
>> John

Reply | Threaded
Open this post in threaded view
|

Re: UEFI BIOS

Matt S-5
That was my concern exactly.  That I would be unable to put the OS of my
choice on hardware that I bought.  This is precisely why I don't own an iPad
or iPhone -  I want ownership of what I bought.  What good is a full on
desktop computer with the inability to disable secure boot other than for
those that want to use Windows 8?


________________________________
To:
[hidden email]
Sent: Sunday, October 2, 2011 5:26 AM
Subject: Re: UEFI BIOS
What some fear is that some Microsoft OEM partner do a lazy job with a
minimal UEFI interface without the possibility to disable secure boot.
In
that case, if secure boot block unsigned os at boot, it would be
impossible
to install other os than Windows 8.

I have too often see BIOS missing lot of
standard option.

Michel

Le 2011-10-01 20:36, Barbier, Jason a icrit :
>
Yeah, honestly Microsoft has even said already, there will be no nagging the
>
> only feature you lose by not using secured booting is the swift boot. if you
> flip
> secured UEFI off it just makes windows 8 go into standard boot. fear
> mongering
> is not needed, and in the end if a secured boot loader is needed
all some
> one would
> have to do is like Intel for example, get a signed cert
from grub and hand
> it to manufacturers
> so then there is a secured open
boot loader. The secured EFI is just the
> same principal
> as the built in
boot sector virus protection.
>
> On Sat, Oct 1, 2011 at 4:43 PM, john
slee<[hidden email]>  wrote:
>
>> On 2 October 2011 08:03, LeviaComm
Networks<[hidden email]>  wrote:
>>> First off, the UEFI boot will *not*
prevent other OS's from booting, it
>> will
>>> only pop up a message saying
that the boot process was not secure, just
>> like
>>> how you can run
unsigned code and it will only pop up a box stating as
>> much.
>>>   It would
be impossible to prevent an 'insecure' OS from booting since
>> that
>>> would
prevent you from booting a newer version of the Windows Installer.
>>>
Ideally UEFI would post a warning stating that the OS signature is not
>> on
>>> the list and allow you to add it.
>> ... would it?  I should think that
they could simply sign the new installer
>> with the existing keys.  OTOH it's
quite possible that someone will extract
>> the private key(s) from the
hardware, too.  It already happened for Apple's
>> Airport Express, no?
>>
>>
On balance, I really don't think this is worth the angst and
>>
scaremongering.
>>
>> John

Reply | Threaded
Open this post in threaded view
|

Re: UEFI BIOS

Nick Holland
On 10/02/11 11:32, Matt S wrote:
> That was my concern exactly.  That I would be unable to put the OS of my
> choice on hardware that I bought.  This is precisely why I don't own an iPad
> or iPhone -  I want ownership of what I bought.

And that there is the answer.
Complain all you want, if you spend the money on the product, you have
just said, "I accept this product exactly as it is, I like this product
more than I like having the money in my pocket" and all your complaining
becomes moot.

The vendor's job is to get your money.  That's how you indicate
satisfaction with a product -- not the protests and complaints.  The
reason a vendor wants you happy is to get a future chance to get your
money.  If they got your money and you are complaining about something
you KNEW was the case at the time of purchase (or you didn't return the
machine when you found out the "limitation"), guess how much value your
complaint has to them? ZERO.

The computer world is still a relatively free market, with several
vendors and a fair degree of competition.  Even companies the size of
Intel have discovered -- the hard way -- they can't cram crap down the
customer's throat without risking making a trivial, trivially small
competitor a big player (Intel did it a few times...  RAMBUS -> VIA,
Itanium -> AMD).  Look at the damage Microsoft has done to Linux -- from
what I have seen, every time MS does one of their anti-Linux campaigns,
awareness and acceptance of Linux in the workplace goes UP, and I've
heard at least a few pure Microsoft shops keep a few Linux-related
resources floating around in plain site to work the prices down when the
MS reps come through...  Sometimes I wish Microsoft would perceive
OpenBSD as a threat. :)

A lot of us in the open source world do a lot with "recycled" computers
-- computers that have lived out their first life cycle, and now being
used for less demanding applications (i.e., non-windows).  This requires
a little work on our part -- we need to make sure that decision makers
know that any machine locked into the Windows world (or even a
particular version of Windows) are of near zero value to reusers.  When
they point out that they already hand the old machines over to recyclers
for free, point out the recyclers expect to make some money off their
action -- if they can't, your purchasers will need to PAY (or pay more)
for system disposal.  This may be a harder change than not personally
buying a new machine from a restrictive vendor, but make it clear that
you see their talk about "green" computers complete bullshit if they are
not going to make it possible to recycle-into-production older computers
(another example: the manufacturers who now prevent you from using disks
they didn't provide in their machines, or prevent you from buying their
proprietary disk carriers without their over-priced, under-performing
disks.  Value of machine after warranty expiration: Near zero).

Nick.

Reply | Threaded
Open this post in threaded view
|

Re: UEFI BIOS

Dave Anderson-4
On Sun, 2 Oct 2011, Nick Holland wrote:

>On 10/02/11 11:32, Matt S wrote:
>> That was my concern exactly.  That I would be unable to put the OS of my
>> choice on hardware that I bought.  This is precisely why I don't own an iPad
>> or iPhone -  I want ownership of what I bought.
>
>And that there is the answer.
>Complain all you want, if you spend the money on the product, you have
>just said, "I accept this product exactly as it is, I like this product
>more than I like having the money in my pocket" and all your complaining
>becomes moot.
>
>The vendor's job is to get your money.  That's how you indicate
>satisfaction with a product -- not the protests and complaints.  The
>reason a vendor wants you happy is to get a future chance to get your
>money.  If they got your money and you are complaining about something
>you KNEW was the case at the time of purchase (or you didn't return the
>machine when you found out the "limitation"), guess how much value your
>complaint has to them? ZERO.
>
>The computer world is still a relatively free market, with several
>vendors and a fair degree of competition.  Even companies the size of
>Intel have discovered -- the hard way -- they can't cram crap down the
>customer's throat without risking making a trivial, trivially small
>competitor a big player (Intel did it a few times...  RAMBUS -> VIA,
>Itanium -> AMD).  Look at the damage Microsoft has done to Linux -- from
>what I have seen, every time MS does one of their anti-Linux campaigns,
>awareness and acceptance of Linux in the workplace goes UP, and I've
>heard at least a few pure Microsoft shops keep a few Linux-related
>resources floating around in plain site to work the prices down when the
>MS reps come through...  Sometimes I wish Microsoft would perceive
>OpenBSD as a threat. :)

In the absence of biasing factors I think you're right, but AFAICT what
some people are concerned about is Microsoft _requiring_ vendors to lock
down the boot process in this way in order to put a 'Windows 8 approved'
(or whatever exactly it is) sticker on a system.  Given the benefits to
the vendor of participating in that program, it's plausible that many of
them would do this despite its pissing off some customers.  Whether or
not Microsoft would actually do something this blatant I don't know, but
as far as I can tell they've never seen an anti-competetive techinque
that they didn't _want_ to use.

        Dave

>A lot of us in the open source world do a lot with "recycled" computers
>-- computers that have lived out their first life cycle, and now being
>used for less demanding applications (i.e., non-windows).  This requires
>a little work on our part -- we need to make sure that decision makers
>know that any machine locked into the Windows world (or even a
>particular version of Windows) are of near zero value to reusers.  When
>they point out that they already hand the old machines over to recyclers
>for free, point out the recyclers expect to make some money off their
>action -- if they can't, your purchasers will need to PAY (or pay more)
>for system disposal.  This may be a harder change than not personally
>buying a new machine from a restrictive vendor, but make it clear that
>you see their talk about "green" computers complete bullshit if they are
>not going to make it possible to recycle-into-production older computers
>(another example: the manufacturers who now prevent you from using disks
>they didn't provide in their machines, or prevent you from buying their
>proprietary disk carriers without their over-priced, under-performing
>disks.  Value of machine after warranty expiration: Near zero).
>
>Nick.
>

--
Dave Anderson
<[hidden email]>

Reply | Threaded
Open this post in threaded view
|

Re: UEFI BIOS

ropers
In reply to this post by Nick Holland
On 2 October 2011 18:57, Nick Holland <[hidden email]> wrote:
> If they got your money and you are complaining about something
> you KNEW was the case at the time of purchase (or you didn't return the
> machine when you found out the "limitation")

That's why manufacturers of restrictive, DRM-ridden hardware try their
darnedest to keep it fairly *quiet* about what it is they're doing.
Just as with Monsanto's unlabelled GM foods, if you *don't* know at
the time of purchase, you *can't* make an informed decision. That's
why it's a *secret*, and that's why end users and people who aren't
sworn to secrecy with NDAs, etc. are kept largely in the dark. And if
you, the end user, are kept in the dark until after the end of the
warranty period, then good luck returning that clunker.

I may have posted this before, but:

http://www.the-fifth-hope.org/mp3/drm.mp3 (NB: There are a few silent
secs at the start.)
http://ompldr.org/vOXVrNw/Michael-Sims-speech.pdf
http://ompldr.org/vOXVrOA/Michael-Sims-speech.discussion.pdf

> A lot of us in the open source world do a lot with "recycled" computers
> -- computers that have lived out their first life cycle, and now being
> used for less demanding applications (i.e., non-windows).  This requires
> a little work on our part -- we need to make sure that decision makers
> know that any machine locked into the Windows world (or even a
> particular version of Windows) are of near zero value to reusers.  When
> they point out that they already hand the old machines over to recyclers
> for free, point out the recyclers expect to make some money off their
> action -- if they can't, your purchasers will need to PAY (or pay more)
> for system disposal.  This may be a harder change than not personally
> buying a new machine from a restrictive vendor, but make it clear that
> you see their talk about "green" computers complete bullshit if they are
> not going to make it possible to recycle-into-production older computers
> (another example: the manufacturers who now prevent you from using disks
> they didn't provide in their machines, or prevent you from buying their
> proprietary disk carriers without their over-priced, under-performing
> disks.  Value of machine after warranty expiration: Near zero).
>
> Nick.

This is such an excellent, excellent point; I'd like to quote and
repost that all over the place. May I?

regards,
--ropers

Reply | Threaded
Open this post in threaded view
|

Re: UEFI BIOS

ropers
In reply to this post by Dave Anderson-4
On 2 October 2011 21:57, Dave Anderson <[hidden email]> wrote:

> In the absence of biasing factors I think you're right, but AFAICT what
> some people are concerned about is Microsoft _requiring_ vendors to lock
> down the boot process in this way in order to put a 'Windows 8 approved'
> (or whatever exactly it is) sticker on a system.  Given the benefits to
> the vendor of participating in that program, it's plausible that many of
> them would do this despite its pissing off some customers.  Whether or
> not Microsoft would actually do something this blatant I don't know, but
> as far as I can tell they've never seen an anti-competetive techinque
> that they didn't _want_ to use.
>
>        Dave

I think Microsoft et al. will be able to just count on vendor laziness
and incompetence yielding at least some Windows-only UEFI hardware.
If Microsoft at all feel that they even need to actively do anything
anymore that goes beyond enabling laziness and incompetence, then I
think that it's probably far more likely that anything from their side
will be vague and hand-wavy, with companies which do produce
Windows-only hardware mysteriously, surprisingly finding that they're
most favoured vendors who can get better deals out of Microsoft, etc.
Microsoft probably know better than actually inking some written
OEM/vendor agreement that can be leaked on Halloween.
And yes, I do think there is a threat, even in the absence of overtly
conspiratorial activity. And I think that things could get
particularly bad in jurisdictions that do or would criminalise the
circumvention of DRM in order to run OpenBSD on otherwise Windows-only
hardware.
But I'm not a developer, so...
regards,
--ropers

Reply | Threaded
Open this post in threaded view
|

Re: UEFI BIOS

Nick Holland
In reply to this post by ropers
On 10/02/11 17:27, ropers wrote:
> On 2 October 2011 18:57, Nick Holland <[hidden email]> wrote:
...

>> A lot of us in the open source world do a lot with "recycled" computers
>> -- computers that have lived out their first life cycle, and now being
>> used for less demanding applications (i.e., non-windows).  This requires
>> a little work on our part -- we need to make sure that decision makers
>> know that any machine locked into the Windows world (or even a
>> particular version of Windows) are of near zero value to reusers.  When
>> they point out that they already hand the old machines over to recyclers
>> for free, point out the recyclers expect to make some money off their
>> action -- if they can't, your purchasers will need to PAY (or pay more)
>> for system disposal.  This may be a harder change than not personally
>> buying a new machine from a restrictive vendor, but make it clear that
>> you see their talk about "green" computers complete bullshit if they are
>> not going to make it possible to recycle-into-production older computers


    VVVVVVVVVVV   I'm going to retract this part:  VVVVVVVVVVVVVv
>> (another example: the manufacturers who now prevent you from using disks
>> they didn't provide in their machines, or prevent you from buying their
>> proprietary disk carriers without their over-priced, under-performing
>> disks.  Value of machine after warranty expiration: Near zero).
>>
>> Nick.
>
> This is such an excellent, excellent point; I'd like to quote and
> repost that all over the place. May I?

Um. leave out the part about third party disks and carriers.
Upon closer investigation, I find one of the manufacturers I was aware
of doing (Dell) this reversed course, and (supposedly) will/does offer a
RAID firmware update that will remove the block.  Bad idea, but good for
them for listening to customer complaints and reversing course.  The
other mfg I was thinking of, I can't find any GOOD evidence one way or
the other (some people claiming they do block third party drives, others
saying, "no, works fine", others reporting "works but quirks", so this
may be just a matter of controllers designed and tested around only
"factory" drives, or faulty processes on the part of people reporting
problems, or ...?

Other than that retraction, feel free to quote me or put it in your own
words...

Nick.