How would we know if this will affect us? I have been running Linux distros for 20 years and didn’t know Microsoft was involved at any level in firmware.
It might. It depends on a lot of stuff.
Microsoft was heavily involved in the making of uefi and secure boot but had heavy resistance from canonical as the early drafts of secure boot would not allow os’ to add signing keys to the tpm so a machine would only be able to boot windows.
A quick way to know is if youre running custom build kernel, or use mainline on ubuntu based systems, youre not using secure boot.
Those kernels are generally not signed and the cert is not added to the tpm to allow it. Youd have to have gone out of your way to do it, in which youd know secure boot was enabled :p
Sorry, a baby was kicking me in the face while I typed that. Could you elaborate on the shenanigans that Microsoft had been pulling with regards to the initial draft of the aformentioned standard?
A yes, the fun times of a baby haha. Enjoy! :p
Anyway, Secure boot itself was designed by the eufi consortium, which is a group of pc tech companies, to help make sure devices only boot what it can trust. Good on paper and in practice but…
back in circa 2011 microsoft had enforced any pc that wanted to be windows 8 certified ( and get the sticker ) to require secure boot to be enabled together with fastboot. All motherboards needed to have a tpm module with only the microsoft certificate in it. This meant that booting from a usb or cd was completely off the table and you could just not install linux, period.
And even if you did, the kernels or bootloaders were not signed so they would be refused by the bios/eufi.
This was a big thing back then, and canonical and redhat tried and found a few ways around it, and so did some individuals.
But afaik the linux foundation ( which microsoft is part of, funnily enough ) made some binaries that were signed and allowed linux to boot under secure boot, including usb/cd.
Iirc, during the linux installation the distro will add its certificate to the tpm so that kernels signed by the distro boot fine.
To this day, without those binaries from the foundation, it would be impossible to boot linux with secure boot and can still cause issues when dual booting and having bitlocker enabled for example. Bitlocker detects a changed boot state (by grub) and says fuck that, give me the recovery key or i aint decrypting this.
Yup!
And now we are facing the problems many sys admins face every day all over the world: certificate expirations!
Though instead of https(ssl) certificate of a server expiring, its the certificate used to validate what secure boot boots.
Thats what the article is about
Maybe, but what about units supplied by a Linux builder? My last computer was a windows machine I installed Linux on, but that was before this I think. It shipped with windows 7.
How would we know if this will affect us? I have been running Linux distros for 20 years and didn’t know Microsoft was involved at any level in firmware.
It might. It depends on a lot of stuff.
Microsoft was heavily involved in the making of uefi and secure boot but had heavy resistance from canonical as the early drafts of secure boot would not allow os’ to add signing keys to the tpm so a machine would only be able to boot windows.
Thankfully canonical won that debate :')
I definitely have UEFI, not sure about secure boot.
A quick way to know is if youre running custom build kernel, or use mainline on ubuntu based systems, youre not using secure boot.
Those kernels are generally not signed and the cert is not added to the tpm to allow it. Youd have to have gone out of your way to do it, in which youd know secure boot was enabled :p
Thanks! Currently I am using Mint, and it looks like secure boot is disabled.
Thanks for your replies ❤️
Can I trouble you to elaborate?
With? How it could effect us?
Sorry, a baby was kicking me in the face while I typed that. Could you elaborate on the shenanigans that Microsoft had been pulling with regards to the initial draft of the aformentioned standard?
A yes, the fun times of a baby haha. Enjoy! :p
Anyway, Secure boot itself was designed by the eufi consortium, which is a group of pc tech companies, to help make sure devices only boot what it can trust. Good on paper and in practice but…
back in circa 2011 microsoft had enforced any pc that wanted to be windows 8 certified ( and get the sticker ) to require secure boot to be enabled together with fastboot. All motherboards needed to have a tpm module with only the microsoft certificate in it. This meant that booting from a usb or cd was completely off the table and you could just not install linux, period.
And even if you did, the kernels or bootloaders were not signed so they would be refused by the bios/eufi.
This was a big thing back then, and canonical and redhat tried and found a few ways around it, and so did some individuals.
But afaik the linux foundation ( which microsoft is part of, funnily enough ) made some binaries that were signed and allowed linux to boot under secure boot, including usb/cd.
Iirc, during the linux installation the distro will add its certificate to the tpm so that kernels signed by the distro boot fine.
To this day, without those binaries from the foundation, it would be impossible to boot linux with secure boot and can still cause issues when dual booting and having bitlocker enabled for example. Bitlocker detects a changed boot state (by grub) and says fuck that, give me the recovery key or i aint decrypting this.
Here is a google search if you want dig deeper, it should all be from circa 2011-2012 :
https://www.google.com/?q=windows+8+oem+to+disable+linux
Wow! That doesn’t seem like a very nice thing of Microsoft to do! I would give them a hard stare if I could.
Yup! And now we are facing the problems many sys admins face every day all over the world: certificate expirations!
Though instead of https(ssl) certificate of a server expiring, its the certificate used to validate what secure boot boots.
Thats what the article is about
This is like Y2K all over again
As a rule of thumb, if you run any PC hardware at all, then Microsoft is involved in it.
Maybe, but what about units supplied by a Linux builder? My last computer was a windows machine I installed Linux on, but that was before this I think. It shipped with windows 7.