Re: UEFI secure boot and Knoppix

To: Jim Pritchett <jpritchett1@charter.net>
Cc: Knoppix ML <debian-knoppix@lists.debian.org>
Subject: Re: UEFI secure boot and Knoppix
From: Klaus Knopper <debian-knoppix@knopper.net>
Date: Sat, 27 Dec 2014 22:11:43 +0100
Message-id: <[🔎] 20141227211143.GI12147@knopper.net>
In-reply-to: <[🔎] BB7A235C06694AA6821DC8192EFF2F68@Quad>
References: <[🔎] BB7A235C06694AA6821DC8192EFF2F68@Quad>

Hello Jim,

On Sat, Dec 27, 2014 at 12:33:26PM -0600, Jim Pritchett wrote:
>    I finally broke down and bought another computer.  Naturally, I want to
>    use my Knoppix USB stick on it.  I did a bit of reading and there seems to
>    be three options.
>     
>    1.  Turn off secure boot entirely.  Apparently, this is not recommended.

AFAIK, is not recommended by the companies supporting Windows, maybe
because NOT being able to boot other operating systems other than an
unmodified Windows is considered a "security feature". Considering the
amount of Windows Malware around, it may be true for a computer
especially designed for running Windows. On the other hand, there are
attacks possible for UEFI secure bot that can render your computer
useless, "secure boot" may actually be used by attackers to lock out the
user from his/her own computer.

It would be my first recommendation to turn off "secure boot" (still,
using UEFI alone should be OK, but unnecessary and sometimes unstable
due to implementation errors). If you need to dual-boot Windows and
Linux for some reason, you can install Windows without Secure Boot, and
it will boot fine the normal way (called "compatibility support module",
or CSM, in the UEFI firmware).  But, once installed in UEFI "secure
boot" mode, Windows won't boot without anymore, as far as I am aware of.

>    2.  Add a signature for Knoppix.  Has someone already done this?

It is virtually impossible to convince the computer manufacturers to
preinstall a boot loader certificate not desired by the contracted
software provider. On the technical level, it's possible, of course, and
documented in the UEFI standard. But the skills and effort required for
installing a third party certificate in the UEFI firmware will most
likely exceed those needed for just turning secure boot off for a normal
computer user.

>    3.  Convince the Windows boot loader to boot Knoppix.  I don't know how to
>    do that.

There are tutorials, I'm sure, but apparently, I never had to do this by
myself, so I can't tell you how to proceed.

>    I'm sure someone has done this already.  What do you guys recommend?

My personal recommendation would be not using "secure boot" and even
turn off "UEFI-only" boot, unless you really need it.

Regards
-Klaus

Reply to:

References:
- UEFI secure boot and Knoppix
  - From: "Jim Pritchett" <jpritchett1@charter.net>

Prev by Date: UEFI secure boot and Knoppix
Next by Date: 20141229 Adriane Knoppix suggestion. delete Lavabit. selection in MUTT set up
Previous by thread: UEFI secure boot and Knoppix
Next by thread: 20141229 Adriane Knoppix suggestion. delete Lavabit. selection in MUTT set up
Index(es):
- Date
- Thread