
[Off topic thoughts] Re: debian installation issue



Hi,

Greg Wooledge wrote:
> > > Secure Boot (Microsoft's attempt to stop you from using Linux)

Andrei POPESCU wrote:
> > While I'm not a fan of Microsoft:
> > https://wiki.debian.org/SecureBoot#What_is_UEFI_Secure_Boot_NOT.3
> > "Microsoft act as a Certification Authority (CA) for SB, and they will
> > sign programs on behalf of other trusted organisations so that their
> > programs will also run."

tomas@tuxteam.de wrote:
>  - do you know any other alternative CA besides Microsoft
>  - is there any internationally legal binding of Microsoft

Actually it is the mainboard producers and possibly the CPU producers who
decide who is in charge as CA.
Further they decide whether the firmware offers the possibility to disable
Secure Boot or to become your own CA.

  https://www.linuxjournal.com/content/take-control-your-pc-uefi-secure-boot
shows how it should be in an ideal world. Of course this is still expert's
work.

I myself would see few reasons not to disable Secure Boot on my own machines
if necessary. But currently it does not even hamper kernel experiments.
(Dunno whether this is intended by Debian and kernel source code or
whether my test machine is just not as secure as its EFI pretends to be.
My experiments happen in kernel modules like sr, cdrom, isofs. Maybe a
change in the kernel's core would meet more distrust.)

I agree with Andrei POPESCU that Secure Boot is not really for the purpose
of hampering free operating systems, although it causes extra workload on
those who intend to support this boot procedure.
Secure Boot is rather the modern attempt to make systems safe against
simple hardware manipulations. The old way was to seal the USB ports by a
hot glue gun and to use security screws at the side plates of the box.

It is unfortunate that Intel and Microsoft could not bring themselves to
create an independent institution which authorizes the legitimate
boot programs which are acceptable by default.

------------------------------------------------------------------------
As we are already off topic:

I agree with Greg Wooledge's overview of x86 boot firmware, as far as
Debian installation is concerned.

I have some nitpicking on technical details, though, which I did not post
because it would not be relevant to the initial topic.

Greg Wooledge wrote:
> UEFI booting requires a GPT disk label (partition table type),

No. UEFI specifies the formats of both the MBR partition table and GPT.
In both partition table types it specifies an identifier for the EFI
partition. (Type 0xEF for the MBR partition table,
Type GUID C12A7328-F81F-11D2-BA4B-00A0C93EC93B for GPT.)

There exist a few UEFI firmware implementations which do not obey
the specs and ignore MBR partition tables.


> and one of the partitions on the disk must be an EFI partition.

Actually there is no UEFI implementation known which would not peek into
any recognized partition with a FAT filesystem to see whether there is
\EFI\BOOT with the matching BOOT*.EFI file.
This seems to be a quirk which is protected by Microsoft Inc.

Whether a partition is used automatically for booting or whether it is
offered at all as bootable is a matter of UEFI implementation and settings.


Have a nice day :)

Thomas
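Thomas's point that both partition table types carry an identifier for the EFI partition (type 0xEF in an MBR entry, the C12A7328-F81F-11D2-BA4B-00A0C93EC93B type GUID in a GPT entry) can be checked with a small parser. The Python below is an added example written for this page, not code from the post or from Debian. The two disk images it inspects are constructed in memory (the LBAs, the 128-entry table and the Linux-filesystem GUID used as the non-ESP neighbour are sample values), and it validates the GPT header CRC32 before trusting the entry array, which is what a careful tool does before believing anything the table says about where the ESP is.

```python
import struct
import uuid
import zlib

SECTOR = 512
ESP_MBR_TYPE = 0xEF          # MBR partition type of the EFI System Partition
PROTECTIVE_MBR_TYPE = 0xEE   # protective MBR entry that announces a GPT
ESP_GPT_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
LINUX_FS_GUID = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")  # sample neighbour only
GPT_SIGNATURE = b"EFI PART"


def mbr_partitions(image):
    """Return (index, type_byte, first_lba, sector_count) for each used primary MBR entry."""
    if image[510:512] != b"\x55\xAA":
        return []
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count != 0:
            parts.append((i, entry[4], first_lba, count))
    return parts


def gpt_partitions(image):
    """Return (index, type_guid, first_lba, last_lba) per used GPT entry; [] if no valid primary GPT."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != GPT_SIGNATURE:
        return []
    header_size, header_crc = struct.unpack_from("<II", hdr, 12)
    # The header CRC32 is computed over the header with its own CRC field zeroed.
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:header_size]) != header_crc:
        return []
    entries_lba, num_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(num_entries):
        off = entries_lba * SECTOR + i * entry_size
        entry = image[off:off + entry_size]
        type_guid = uuid.UUID(bytes_le=entry[:16])   # GUIDs are stored mixed-endian on disk
        if type_guid.int == 0:                        # all-zero type GUID marks an unused slot
            continue
        first_lba, last_lba = struct.unpack_from("<QQ", entry, 32)
        parts.append((i, type_guid, first_lba, last_lba))
    return parts


def find_esp(image):
    """Return ("mbr" or "gpt", 1-based partition number, first LBA) of the ESP, or None."""
    mbr = mbr_partitions(image)
    if any(ptype == PROTECTIVE_MBR_TYPE for _, ptype, _, _ in mbr):
        for i, guid, first_lba, _ in gpt_partitions(image):
            if guid == ESP_GPT_GUID:
                return ("gpt", i + 1, first_lba)
        return None
    for i, ptype, first_lba, _ in mbr:
        if ptype == ESP_MBR_TYPE:
            return ("mbr", i + 1, first_lba)
    return None


def build_mbr_image(entries):
    """Constructed sample: one-sector MBR with (type, first_lba, count) entries; CHS fields left zero."""
    table = b"".join(bytes([0, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", first, count)
                     for ptype, first, count in entries)
    return b"\0" * 446 + table.ljust(64, b"\0") + b"\x55\xAA"


def build_gpt_image(type_guids):
    """Constructed sample: protective MBR, primary GPT header at LBA 1, 128 x 128-byte entries at LBA 2."""
    num_entries = entry_size = 128
    entries = bytearray(num_entries * entry_size)
    for i, guid in enumerate(type_guids):
        first = 2048 + i * 1048576
        struct.pack_into("<16s16sQQQ", entries, i * entry_size,
                         guid.bytes_le, uuid.UUID(int=i + 1).bytes_le, first, first + 1048575, 0)
    fields = [GPT_SIGNATURE, 0x00010000, 92, 0, 0, 1, 33, 34, 34, uuid.UUID(int=42).bytes_le,
              2, num_entries, entry_size, zlib.crc32(bytes(entries))]
    hdr = struct.pack("<8sIIIIQQQQ16sQIII", *fields)
    fields[3] = zlib.crc32(hdr)   # header CRC, taken with the CRC field still zero
    hdr = struct.pack("<8sIIIIQQQQ16sQIII", *fields)
    protective = build_mbr_image([(PROTECTIVE_MBR_TYPE, 1, 0xFFFFFFFF)])
    return protective + hdr.ljust(SECTOR, b"\0") + bytes(entries)


if __name__ == "__main__":
    print(find_esp(build_mbr_image([(ESP_MBR_TYPE, 2048, 1048576), (0x83, 1050624, 4194304)])))
    print(find_esp(build_gpt_image([LINUX_FS_GUID, ESP_GPT_GUID])))
```

Run against a real disk, `find_esp(open("/dev/sdX", "rb").read(34 * SECTOR))` (read access assumed) gives the same answer for both table layouts, which is the whole of Thomas's point: the firmware's lookup of the ESP does not depend on the disk being GPT. A corrupted header CRC makes the GPT branch return nothing rather than a guessed partition.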
