Adventures in Microsoft's UEFI Signing

I am translating this article written by James Bottomley, technical advisor of the Linux Foundation, who started putting together a pre-bootloader so you can boot Linux.

As I explained in my previous post, we have the code for the Linux Foundation pre-bootloader in place. However, there was a delay while we got access to the Microsoft signing system.

The first thing to do is pay the $99 to Verisign (now Symantec) and have a key verified by Verisign. We did it for the Linux Foundation, and all they want to do is call headquarters to verify. The key comes back as a URL that installs it in your browser, but standard Linux SSL tools can be used to extract it and create the usual PEM certificate and key. It has nothing to do with UEFI signing, but is used to prove to Microsoft's sysdev system that you are who you say you are. Before you can create a sysdev account, you have to prove it by signing an executable they give you and uploading it. They make strict requirements that you sign it on a specific Windows platform, but sbsign worked too and, bingo, our account was created.

Once the account is created, you still cannot upload UEFI binaries for signing without first signing a paper contract. The agreements are very onerous, including a lot of excluded licenses (including all GPLs for drivers, but not for bootloaders). The most onerous part is that the agreements seem to reach beyond the UEFI objects you sign. Attorneys for the Linux Foundation concluded that it is mostly harmless to the LF because we don't sell products, but it can be disgusting to other companies. According to Matthew Garrett, Microsoft is willing to negotiate special deals with distributions to mitigate some of those problems.

Once the agreements are signed, the real technical fun begins. You can't just upload a UEFI binary and have it signed. First you have to wrap it in a .cab file. Fortunately, there is an open source project that can create cabinet files, called lcab. Then you have to sign the .cab file with the Verisign key. Again, there is another open source project that can do that: osslsigncode. For anyone who needs those tools, they are available in my openSUSE Build Service UEFI repository. The final problem is that uploading the file requires Silverlight. Unfortunately, Moonlight doesn't seem to work, and even with the version 4 preview the upload box goes blank, so it's time to use Windows 7 under KVM (Kernel-based Virtual Machine). When you get to that part, you also have to certify that the binary “to be signed, must not be licensed under GPLv3 or similar open source licenses”. I assume it is for fear of key disclosure, but it is not clear at all (the same goes for "similar open source licenses").

Once the upload is complete, the cabinet file goes through seven stages. Unfortunately, the first test upload stayed stuck at stage 6 (the signing of the files). After 6 days I sent a support email to Microsoft asking what was happening. The answer: “The error code thrown by the signing process is that your file is not a valid Win32 application. Is it a valid Win32 application?” Answer: obviously not, it is a valid 64-bit UEFI binary. There were no more answers...

I tried again. This time I received a download email for the signed file, and the board says that the signing failed. I downloaded it and verified it. The binary works on the Secure Boot platform and is signed with the key:

subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011

I asked support why the process indicated a failure when I had a valid download and, after a flurry of emails, they replied “do not use that file that was wrongly signed. I will come back to you.” I'm still not sure what the problem is, but if you look at the Subject of the signing key, there is nothing in the key that points to the Linux Foundation, therefore I suspect that the problem is that the binary is signed with a generic Microsoft key instead of a specific (and revocable) key tied to the Linux Foundation.

However, this is the status: we will continue to wait for Microsoft to give the Linux Foundation a signed and validated pre-bootloader. When that happens, it will be uploaded to the Linux Foundation site for all to use.

Source: http://blog.hansenpartnership.com/adventures-in-microsoft-uefi-signing/

Draw your conclusions, but this is going to take time.
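
An added example, not part of the original article or of Bottomley's tooling: the support reply quoted above asks about a Win32 application, while the file is a 64-bit UEFI binary. Both use the PE/COFF container and differ in the optional header's Subsystem field; this Python code reads that field and reports whether a certificate table (where an embedded signature is stored) is present. The helper names and the sample headers are constructed for the demonstration.

```python
import struct

# Subsystem and Machine values from the PE/COFF specification.
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows console", 10: "EFI application",
              11: "EFI boot service driver", 12: "EFI runtime driver"}
MACHINES = {0x014C: "x86", 0x8664: "x86-64", 0xAA64: "AArch64"}
CERT_DIR = 4  # data-directory index of the attribute certificate table


def inspect_pe(data: bytes) -> dict:
    """Report machine, subsystem and signature presence of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    try:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        (machine,) = struct.unpack_from("<H", data, pe_off + 4)
        opt = pe_off + 24          # optional header follows the 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 layout
        (subsystem,) = struct.unpack_from("<H", data, opt + 68)
        (ndirs,) = struct.unpack_from("<I", data, dirs - 4)
        cert_size = 0
        if ndirs > CERT_DIR:
            _off, cert_size = struct.unpack_from("<II", data, dirs + 8 * CERT_DIR)
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    return {"machine": MACHINES.get(machine, hex(machine)),
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "is_efi": subsystem in (10, 11, 12),
            "has_signature": cert_size > 0}


def make_sample(machine: int, subsystem: int, cert_size: int = 0) -> bytes:
    """Constructed PE32+ headers (no sections), just enough for the demo."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * CERT_DIR,
                     0x400 if cert_size else 0, cert_size)
    return dos + coff + bytes(opt)


if __name__ == "__main__":
    print(inspect_pe(make_sample(0x8664, 10, cert_size=0x600)))  # UEFI app with signature
    print(inspect_pe(make_sample(0x8664, 3)))                    # unsigned console binary
```

A non-empty certificate table only shows that a signature is attached; checking who signed it, as the article does with the subject and issuer lines, needs a verifier such as sbverify.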



  1.   Rolo said

    If really the issue of PCs with win8 OEM that come with the UEFI system is solved by disabling UEFI from the BIOS, it seems to me an error that both the Linux foundation and Fedora, Ubuntu and I don't know which other distro, pay for the certificate and accept the limitations imposed by Microsoft.

    WE HAVE TO STOP BEING LAMBS !!!!!

    1.    sieg84 said

      but I know Windows 8 remains unbooted

      1.    Blaire pascal said

        Hehehe, it wasn't a big deal. Well, at least for me. It is a personal opinion, I do not want to offend anyone.

    2.    Shiba87 said

      UEFI cannot be disabled from the BIOS, since UEFI is the Firmware that comes to replace the more than long-lived BIOS.

      What we are talking about is Secure Boot, a UEFI feature that verifies the authenticity of the software with which we start the computer through digital signatures, it is Secure Boot that should be disabled.

      It is not as simple as disabling Secure Boot and that's it, it is necessary that the manufacturer has had the consideration of including a menu that allows users to disable Secure Boot, if the manufacturer does not want it to be disabled it will be very complicated for the user to be able to do so, possibly going to the extreme of having to replace the motherboard firmware with an unofficial one.

      The Linux Foundation's solution would be a "universal" solution for any hardware affected by this disease and would allow any system to be installed paying a single digital signature only once, which is surely what scares them and why they are doing so much of pray

      1.    msx said

        «It is not as simple as disabling Secure Boot and that's it, it is necessary that the manufacturer has had the consideration of including a menu that allows users to disable Secure Boot, if the manufacturer does not want it to be disabled it will be very complicated for the user to be able to do it, »

        So what needs to be done is a digital literacy campaign where it is explained to users that they demand computers with that feature and instead buy others.

      2.    taregon said

        All of this is to make money by validating what can and cannot boot with secure boot.

  2.   anti said

    Total incompetence is indistinguishable from bad intentions.

  3.   Hugo said

    While there is a famous phrase by Robert J. Hanlon that says: "Never attribute to malice that which is adequately explained by stupidity", in the particular case of Microsoft, so many silly difficulties in a supposedly well conceived and devised process for better security keep giving the impression that they are hindering the Linux Foundation so that Linux cannot be installed on new PCs with UEFI, so that Microsoft has no competition.

    1.    Blaire pascal said

      Exact. I do not like the idea, a supposed safe start ... It scares me. It seems to me that Microsoft has very ... Mafia purposes.

      1.    bamler said

        I am more than tired of Microsoft and its manipulations, and I am even afraid of its intentions, and tired of its pretending to dominate each of the PCs or devices that exist on the market.

        I hope that Linux finishes taking off en masse and prevails among end users and Windows is finally marginalized, total, for the OS crap that it is.

        1.    Hugo said

          This reminds me of the patent granted to Microsoft by which the default system is limited, and to unlock its full potential or install any third-party program, licenses are necessary for which, of course, either the user or the users have to pay. Third parties who want their applications to be installed on the operating system. That they haven't implemented it yet, doesn't mean they don't intend to, and I get the impression that UEFI is preparing the ground for this.

  4.   erunamoJAZZ said

    What surprises me is that 64-bit binaries fail and force 32-bit binaries... They are retrograde, there are hardly any new x86 32-bit architecture processors on the market. It should work at 64 bits.

    uu

  5.   jorgemanjarrezlerma said

    The digital signature or secure boot is trying to prevent "something" other than the system from booting. It is also in order to avoid so-called piracy or illegal copying of proprietary software.

    Doing an analysis and doing a little research on the so-called Win8 safe with its much vaunted secure boot has shown its incompetence as they recently discovered a security hole.

    Due to the above and without having to be an industry genius, with PhDs and others, it can be deduced that it is only a marketing concept accompanied by Microsoft's premise of becoming a closed apple-style system.

    Personally reviewing, consulting and studying I can say from my personal perspective that UEFI / Secure Boot is a fraud and a scam that only aims to force and support Microsoft's project to close its ecosystem completely, taking advantage of the fact that it can still exercise certain pressure in the personal computing segment.

  6.   pavloco said

    This vacation I'm going to find a way to sue Microsoft. I hate them.

    1.    Blaire pascal said

      Hehehe, if I had the desire and time, I would demand them too. It is a violation of freedom. Unless they make another version of the infamous EULA where they specify that by accepting the contract you agree not to install any other software lol, which wouldn't surprise me.

    2.    bamler said

      +1

  7.   nosferatux said

    We will see how microsoft does with its win8 and its UEFI / secureboot, maybe it will lose some market in favor of the macbook or the chromebook.

    And who knows, maybe someday some pc manufacturer will appear out there in favor of linux and other free systems.

  8.   nosferatux said

    mmm, and if linux communities "manifested" on internet day and programmer's day, for example, in front of some hp store (to say the least) showing their appreciation for the brand but their disagreement with using windows?

    And if in those days the "install fest" goes out to the streets or public squares?

    1.    Hugo said

      The sad reality is that all Linux users combined make up a fraction of Windows users, so hardware manufacturers naturally prioritize the operating system with the highest market share, so I see it as unlikely that a demonstration will change things.

      In my opinion, for example, making Linux a more attractive platform for applications and games could have more influence than many demonstrations against MS. But this takes time (and resources).

  9.   charlie brown said

    It is fine to attack Micro $ oft and its Secure Boot, but remember that it is the motherboard manufacturers that have included it by default in the UEFI, as if there were only one OS; Microsoft's ... they have taken a wrong path. Given the case, it seems to me that in the future we will be forced to flash the UEFI of the boards with "released" versions as we do today with the ROM of certain products. Fortunately, the ingenuity of those who aspire to freedom has proven stronger than that of those who seek to eradicate it.

    1.    Shiba87 said

      Man .... It is not as simple as the manufacturer choosing whether or not to include secure boot in its hardware, we must not forget that Microsoft is a Monopoly, in fact it is THE Monopoly and as a manufacturer, saying no to Microsoft can mean from having to face their lawyers, increase the cost of licenses that make your equipment much more expensive, or even lose 80% of the domestic market.

      It is not that it defends them, but if something Microsoft knows how to do is precisely that, impose based on extortion and Monopoly, the only option would be for all manufacturers or at least the majority to agree and stop its feet at once, but that is tremendously difficult for it to happen and a single company, no matter how large it may be, will think twice before risking its business, no matter how unfair / creeping / absurd what Microsoft asks for.

  10.   Alf said

    There has been a lot of talk on this topic in various blogs and forums, but I have spent days thinking about something, maybe it's my foolishness but, in the case of DELL and HP (I don't know other companies) that sell Linux machines, will the secure boot come off?

    1.    Hugo said

      I think I have read that in these cases the manufacturers place a dual UEFI / BIOS system so that if you disable the UEFI you will fallback to the BIOS. This should naturally increase costs.

      Eventually the BIOS should disappear as we know it in favor of UEFI or other better standards that are believed, because BIOS technology is old and therefore imposes limitations.

  11.   Shiba87 said

    Gentlemen, a signature to the FSF petition on this matter:

    We, the signatories, urge all computer manufacturers that implement UEFI's so-called "Secure Boot" to do so in a way that allows the installation of free operating systems. To respect user freedom and truly protect their safety, manufacturers must allow computer owners to disable boot restrictions, or provide a reliable system to install and run a free operating system of their choice. We pledge that we will not buy or recommend computers that take away this critical freedom from the user, and that we will actively encourage people in our communities to avoid these types of caged systems.

    http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/statement

    1.    msx said

      Perfect, request signed and shared with the LUG and the rest of the web, thanks for the comment.