SecureBoot / UEFI

#1

Subscribe to this topic if you are interested in betatest the SecureBoot and/or UEFI features of the future versions of Elive

#2

Count me in if you have anything usable to test.
My Lenovo Thinkpad X1 Carbon wil not run 303 due to specific hardware quirks like my F1-12 (touchscreen sort of) keys.


and thus no way to control screen brightness, sound and such as they use the same touch pad:

And the Haswell-ult controller needs a driver. :neutral_face:
So if anything I'd like to test with newer (elive)kernels on this device asap. For the moment running Ubuntu 18.04 with Elive in Vbox . I stuck in a 1 Tb SSD so for now I've got plenty of space. :blush:

#3

I will try to upload an alpha version soon :slight_smile: , in fact I could almost start uploading them, maybe private downloads at the moment

Since 64bit builds are very wanted, I'm brainstorming a way to profite this opportunity to make Elive more known, a good strategy impact, hum...

BTW just shocked with your Caps replacement, looks funny but also useful!

#4

Actually it's not because the whole array changes when touching the Fn. As I use the F1-12 keys quite extensively and somehow the wrong ones are always on top. :pensive:

Lenovo discontinued them after that series.

#5

In my T460s I have the Fn just disabled by default, just to not be confused about which mode is when, so special modes always needs the Fn, its more simple to remember

#6

Aye, I do that too on my other laptops: Hold Fn and hit the rquired SpecialKey.
That's my (albeit minor) gripe here: It's all or nothing 'cause the Fn is a touchscreen key too. :innocent:
If the laptop freezes over while special keys are up, I can't access serial consoles with Alt, Ctrl and F2-6 or even a guake terminal (to xkill) with F12 if need be. Only thing I can do is wait or go in from another machine with ssh.

#7

Hum, could be needed to test in 3.7.x, and/or to see if requires on this version a special extra package to install (apse thinkpad, etc)

#8

Once there's an upload we'll give it a thorough testing. :dance:
Works out of the box on ubuntu 18.04
Ubuntu is installed without UEFI so Elive alongside should be no problem.

#9

The Live system should correctly boot with Secure Boot (some few computers has it forced), so its a good thing to enable it in the bios to test the correct boot of Elive with :slight_smile: , also it should have an UEFI structure to boot (also important to test, so no legacy boot, just UEFI)

What is not yet implemented is the UEFI boot structure for the installed system, but should be not hard to implement (in the installer), Secure Boot too, but I assume that secure boot should directly work by default since the dependencies includes it and the kernel is signed too

1 Like
#10

I must say, secure is the most crappy thing ever made! (after windows), and of course who invented it? windows...

As we know, its a strategical step by microsoft to monopolice (even more??), allowing to boot only systems that they decided to boot (or that you pay for them to authorize / sign your system to boot), this is purely nonsense shit with beautiful marketing words, because yeah, you can boot a signed bootloader and a signed kernel, then you are in the OS where you can have any application that can run as root, are all these applications signed? no, but they have full root access, so: nonsense crap

Why this is bad? because it makes the life much difficult, to integrate this is very much difficult, after so many years it is not yet so well supported and the tools (like live systems creation) are not yet well integrated

Even worse: we cannot have a customized kernel, Elive cannot make a kernel with special options and not including the reiser4 support too, nor aufs too which supports multilayers, because they are modules not signed by the kernel

So we want secure boot in order to be able to boot in computers that has strictly this option set (some few ones, this option cannot be disabled if im not wrong), while we will lack extra possibilities

#11

Another problem: with Secure boot you cannot use virtualbox, because it needs to build a kernel module, here's a ticket link

Same problem with nvidia drivers and any other module built in your machine

So: secure boot is EVIL ! We would like to have it but... we really want? (losing those features?)

@triantares @jfbourdeau @Rebel450

#12

Personally I don't care about secure boot. Those times I used it, it only caused problems (tho never with Oracle Vbox) and if I can circumvent it so can any attacker that has physical access to my gear. Essentially I'm all for keeping our freedom and kicking secure boot....we need that customized kernel.

If I understand the link correctly, one will get bitten due to different keys when adding 3rd party changes/modules. That's much [security] ado about nothing IMHO but I suspect there are -Windows_dual_boot- users who will demand secure boot, whether they need it or not.

Like corporate EULAs and DRM: This isn't security it's user harassment, to make it quite clear that users aren't really worthy of the product, let alone to own or modify it. :matrixfight:

1 Like
#13

I must confess that that i have very small knowledget about secureboot, but I just vomited this brainstorming stuff, I think that you may enjoy reading it @triantares SecureBoot, and the paradox of the biggest rotten shit by Microsoft

#14

Don't mean to be distracting but this is kind of an interesting read:
https[colon]//libreboot[dot]org/faq[dot]html#intel

Search for the part titled: "Why is the latest Intel hardware unsupported in libreboot?"

If support was maintained for using an open source bios that could make things easier.
I'm not very familiar with it either, but just thinking about it...
You could try finding someone to reverse some of the binary blobs & maybe strip out, replace, or attempt a man-in-the-middle attack (maybe try and force expire the cert or see if there's any way to take over ownership from a local/exploit/dumping perspective?).
You would just have to do what Microsoft does & make it a closed source proprietary system to Elive, where if they wanted to take you to court, they have to prove that you used their code & the only way to prove it is "reverse it" which is illegal; shouldn't hold up.

Much of this is said with not 100% seriousness, the hope is that it could spark an idea, or assist with confirmation of a decision.

The other thing to think about is limiting support to specific hardware types.

#15

My experience installing 3.7.3 on my Lenovo X1 carbon with Ubuntu and Elive 3.7.1 previously installed in legacy mode (dos partition table). I Installed using options offered by the the installer like any newcomer would.

  1. installer asks update 3.7.1 --- No
    2)partition disk? ---- No, already partitioned
    3)select partition for / ---- OK, choose previous btrfs for 3.7.1

  2. You need gpt boot partition > 200mb ---- F*ck ! :shocked: Hit cancel and restart Install to create some space. Actually we need a "Back" button IMHO.
    ....... :sniff:

  3. Same as before

  4. partioner? --- OK, open gparted.

  5. create /boot (ext4) 280Mb
    4)select / --- OK
    5)select /boot --- OK
    6)select /home --- OK
    7)You need 200Mb EFI partition ------ gaaaaaahhhh !! :omfg:
    --- I subsequently hit Cancel again, to start over again.

But: Installer simply continues without EFI partition. WTF?? :ohmygod:
8) GRUB reports problem due to BIOS type partition but all moves on.
9) Congrats, Elive is installed
After which a reboot has Elive grub and boots just fine... Next time I'll hit OK at point 7 to see what that gives.

Other than some shutdown problems (watchdog after shitty suspend) most gripes are Desktop gripes and IMO for a separate thread.

#16

we can't, the installer is procedural in progressing "steps"
so it asks for the needed partitions but if you don't have all the needed ones, you must repartition, yeah

im confused, it should ask for GPT BIOS partition OR for an EFI partition, not both
the first one is needed for setups like "legacy boot + gpt disk", the second one is needed for "efi boot"

this means that you booted on legacy mode, not efi... it should not asks you for an efi partition at all :thinking:

if is really the case, sometihng in the installer must be fixed.. but try that with 3.7.4 first, so there have been many changes on the installer too

#17

It really asked again, I'm sure.

Will do, this weekend. :muscle:

You are right about gpt (secure boot was disabled) it will not start "enabled" due to missing verification key.

#18

if still happens on 3.7.4 tell me your details so i can do a test in vbox and fix it:

  • booted on efi or legacy?
  • disk is in gpt or msdos?
  • version of elive?
  • which type of installation ? (manual partitioning ?)
1 Like