Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Windows Hardware

Ask Slashdot: Establishing Procurement Policies Regarding Secure Boot? 104

New submitter Firx writes: My university department has a tradition of selling its used computers and/or repurposing them with Linux for graduate students and science computer labs. With Windows no longer requiring one be able to disable secure boot, my department is writing up a procurement policy to ensure future machines we buy will still have this feature. Part of the draft motion reads: "Be it resolved that computers running or intending to run Microsoft Windows purchased by the department which boot using the Unified Extensible Firmware Interface (UEFI) have the ability to disable the Secure Boot features for both local hard drive and network booting." Is there something further we should be including here and what is the best way to explain the need for this policy to colleagues less technically literate?
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Establishing Procurement Policies Regarding Secure Boot?

Comments Filter:
  • Add a test (Score:5, Informative)

    by gweihir ( 88907 ) on Monday February 29, 2016 @05:16PM (#51610699)

    Require it, for example, to be installable with Linux with the "current version of the stable Debian installer" at the time of purchase. For an individual contract, that version needs to be specified, of course. This way you have at least somebody to blame if it later turns out this does not work.

    • Re:Add a test (Score:5, Insightful)

      by mysidia ( 191772 ) on Monday February 29, 2016 @05:39PM (#51610835)

      Require it, for example, to be installable with Linux with the "current version of the stable Debian installer" at the time of purchase.

      (1) Test1: Netboot to CloneZilla Live Image.
      (2) Test2: Boot system from IT Rescue USB Stick
      (3) Test3: Debian installer from CD and Boot to OS from hard drive following installation

      All 3 tests must pass for each system.

      • by eionmac ( 949755 )

        4. Must both work with Knoppix Live Linux while having MS Windows system installed and adjusting partitions with a Gparted or similar probram.
        5 be capable of rewritting hard disc to a Linux system for permanent use.
        6 Must allow booting of a Live Linux sytem via USB memory (stick or external hard drive) or via a DVD.

  • Expalnation (Score:5, Insightful)

    by QuietLagoon ( 813062 ) on Monday February 29, 2016 @05:18PM (#51610717)

    what is the best way to explain the need for this policy to colleagues less technically literate?

    We bought the computers, we should be able to use them as we see fit.

    • hopefully, you'll spell better than I did. :)
    • Re:Expalnation (Score:4, Informative)

      by fahrbot-bot ( 874524 ) on Monday February 29, 2016 @05:25PM (#51610765)

      what is the best way to explain the need for this policy to colleagues less technically literate?

      We bought the computers, we should be able to use them as we see fit.

      Would you want a car that only accepts fuel from one gas station company?

      • Would you want a car that only accepts fuel from one gas station company?

        This is why car analogies don't work, you have to continuously seek out, purchase and put gas in a car to keep it running meaning that being beholden to one vendor would be extremely cumbersome. You don't have to continously seek out, purchase and install the operating system to keep your computer running.

        What you need to do is to make your case for why it matters for a personal computer and re-purposing old systems seems like a valid justification. Because a more appropriate analogy is asking would you wan

  • Linux can UEFI Boot (Score:5, Informative)

    by Zombie Ryushu ( 803103 ) on Monday February 29, 2016 @05:26PM (#51610771)

    Linux can UEFI Boot with and without Secure Boot. With Secure Boot you have to be able to install keys or use a Grub Shim, but I have seen both Toshiba and HP Laptops boot Mageia and RedHat in UEFI and CSM modes.

    • Did you follow a how-to? Any links you'd care to share? Was this part of those distros' installers? I tried to do this with Gentoo but I just don't have the time to learn new things anymore apparently. Thanks in advance

    • by Junta ( 36770 )

      Note that you cannot build your own kernel, nor is it the case that all distributions have done the work to get their builds signed. Note that not all firmware is required to let you install custom keys either.

    • by AmiMoJo ( 196126 )

      Requiring machines that let you install your own keys sounds like the best options. Secure Boot is actually quite useful for protecting the OS from pre-boot attacks that could otherwise rootkit it. As long as you control it, it's worth having that extra security feature. You could even delete the Microsoft key to prevent students reinstalling Windows.

  • "Be it resolved that computers running or intending to run Microsoft Windows purchased by the department which boot using the Unified Extensible Firmware Interface (UEFI) have the ability to disable the Secure Boot features for both local hard drive and network booting."

    What about Surface Pro tablets? I think that this policy would preclude their purchase (a good idea IMHO), but others may disagree. You probably need to figure this out before it sinks your attempt to bring in a new policy.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      You are able to disable Secure boot on the x86 Surface tablets, I have it disabled on my first gen Surface Pro. Even the newest ones apparently support disabling it according to Microsoft's documentation on them.

      No such luck for the ARM Surface tablets.

  • by Anonymous Coward on Monday February 29, 2016 @05:36PM (#51610821)

    You are both over-specifying the mechanism, and scope.

    Not all computers you can buy to run Windows have UEFI, and some otherwise useful devices can't disable it.

    2 examples that would be excluded from purchase by how you have phrased this :

    - Macs (do not have UEFI, but an Apple fork of EFI)
    - iPads (locked boot loader)
    - Many Windows 10 tablets/hybrids/ultrabooks e.g. Surface (locked boot loader)
    - Windows Phone (locked boot loader)
    - Sony Playstation (sometimes used as GPU clusters, but have a locked boot loader )

    Now if you want to ban those other device types , thats really up to you. It depends on do you consider a tablet to be a computer or a phone to be a computer, but heck. Increasingly , the number of computers that function as you describe are going to go down, and more and more locked down devices like tablets and hybrids will become the norm in the market.

    Why not frame it in terms of why :

    "The department believes that it is essential to generate long term utility from computers it buys, and that they shouldn't simply be disposable. We believe that long term use requires flexibility in the operating system used on a computer. We believe that long term use can be achieved in multiple ways - such as reselling used devices to other entities that have need for them, re-purposing computers for graduate students and laboratories, or converting computers for use in instrumentation. This means that wherever possible, computers should be purchased ensuring they have the capability to be unlocked from only running Windows, and running other operating systems such as Linux. This ensures maximum flexibility for our department in generating value from the money we invest in our IT hardware. Exceptions to this need to present a business case and be approved by XXXX"

    The committee approving the exceptions is the mechanism to handle your other options.

    • And this is why this was asked of slashdot. It may be possible to improve on the policy which the anonymous coward wrote here, but that is a very good start.
    • by c ( 8461 )

      It's also worth pointing out that there's a lot of devices which allow the bootloader to be unlocked, but then are no longer covered by the manufacturer's warranty. These should be avoided.

    • by Dr. Evil ( 3501 )

      "This ensures maximum flexibility for our department in generating value from the money we invest in our IT hardware."

      That's a big fat loophole. Microsoft and Apple create special deals with universities to "create value". When administrators argue with academics in front of people with budgets and motivated salespeople, it will not go well.

      "We leased 1000, Ipad ++ Desktop Education edition machines for the physics lab. All students now require Apple IDs and must agree to EULAs as part of their acade

  • Why mention Windows? (Score:4, Informative)

    by bws111 ( 1216812 ) on Monday February 29, 2016 @05:40PM (#51610843)

    Other than pure FUD, why mention Windows or Microsoft at all? We have hundreds of servers running Linux that have Secure Boot enabled, and our requirements for the next gen of servers is that the Secure Boot can not be disabled. So don't pretend it is just a 'Windows' thing.

    Dragging MS into it is really childish. A manufacturer that gets a Windows 10 cert has the choice of allowing Secure Boot to be disabled or not. Are you trying to claim that a manufacturer who DOESN'T get an MS certification is somehow prevented from that option?

    • by Trogre ( 513942 ) on Monday February 29, 2016 @06:00PM (#51610943) Homepage

      Simple. Microsoft Corporation holds the keys to your Secure Boot chain of trust. Or did you manage to get someone else to sign your bootloader?

      • Re: (Score:2, Insightful)

        by bws111 ( 1216812 )

        The only reason MS has the keys is because everyone else is too lazy to do it right. We sign our own images, and our key is the only one that will boot.

        • Re: (Score:3, Informative)

          by Anonymous Coward

          False. The reason why MS has the keys is that to have your product certified to run on Windows, this is a must. Same with TPM + TCG 2.0. It was only due to good negotiators on RedHat's part that MS allows their OS to boot, -period- on Secure UEFI computers.

        • URI to howto plz
          • I haven't seen a UEFI that did NOT let you modify the list of permitted signing keys.
            My guess is that Dell and other major OEMs don't let you, but if you require that amount of customization you may as well BE the OEM and build your own, choosing a decent mobo.

            • Dell allows you to use your own keys in the BIOS, at least on a precision workstation from mid-2015, and I assume everything after.

              • Then can somebody point to a desktop mobo that does uefi secure boot and doesn't give the end user key management capabilities?

                • by Anonymous Coward

                  The whole point of this article is that Microsoft used to require all motherboard to allow the user to add their own keys. That is no longer the case. Expect non-user changeable keys in the near future and mandated locked UEFI a couple years after that. Desktop computers will become as locked down as mobile phone. Their mouths are watering at the prospect of renting everyone their computer, but the change needs to be gradual enough that users won't fight back. Tons of people were saying secure boot was

                  • So it's FUD, then?
                    The Taiwanese mobo brands will be churning out mobos with configurable secure boot and PS/2 ports for longer than you care about it.

    • by ilsaloving ( 1534307 ) on Monday February 29, 2016 @06:13PM (#51611027)

      Are you trying to claim that a manufacturer who DOESN'T get an MS certification is somehow prevented from that option?

      I think you misread the question. The question was about requirements for purchasing products from vendors, not telling vendors what they are and arn't allowed to do. (That's Microsoft's job)

      There's nothing childish about mentioning Microsoft explicitly. They were the ones that championed Secure Boot in the first place, forcing OEMs to implement it for certification. Most major linux vendors have the resources to get their boot keys into the database, but smaller distros probably wouldn't.

      Even then, the database is then stored locally in the UEFI, so if there's a Linux distro that's late to the party, they're still screwed with the current generation of hardware unless a bios update is released.

      Additionally, Windows 8 certification mandated that it must be possible to disable Secure Boot (after significant outcry about possible lock-in). But for Windows 10 certification that requirement has been quietly dropped again, once again raising that concern about lock-in.

      The submitter has stated that their guidelines will require any new hardware to have the ability to disable SecureBoot, certification requirement or not.

      The question is, how do you explain that to people who may not understand the technical nuances.

      The easiest way I can think of, is to make sure the hardware provides the ability to install Windows 7 (Just because Windows 10 licensing permits downgrade rights, it doesn't follow the hardware will let you), which doesn't support SecureBoot. If you can install Windows 7, you can anything else you want.

    • by Anonymous Coward

      Because initially (and after much bad press) Microsoft wrote in to the specification that you must be able to disable Secure Boot and you must be able to add your own keys to the firmware.

      They then changed things to remove the requirement to allow either of these things. This will necessarily lead to machine which can only boot via Secure Boot and only boot using binaries signed using certificate bought from MS. The fact that MS could prevent the competition booting either by refusing to provide a key or pr

  • by Anonymous Coward

    As mobile devices and desktops eventually share more in common, it's not unlikely that we'll soon see locked bootloaders on PCs, probably starting with netbook like laptops. I would be more general/generic in the terms.

    "Be it resolved that devices running pre-installed operating systems purchased by the department must have the ability to boot third-party software from local storage, or network if no local storage exists."

  • "Be it resolved that computers ... purchased by the department which boot using the Unified Extensible Firmware Interface (UEFI) have the ability to disable the Secure Boot features for both local hard drive and network booting."

    I would also explicitly exclude "special purpose" computers that your department may purchase for other purposes (e.g. computers that run security cameras, which you may WANT to be locked-down), provided the individual purchase is approved by a review board. I would also allow the

  • by davidwr ( 791652 ) on Monday February 29, 2016 @06:45PM (#51611249) Homepage Journal

    For computers that can be re-purposed or re-sold, the actual residual value after 3 years (or whatever your "time to fully depreciated" is) significantly greater than zero.

    For "locked down" computers, the actual residual value becomes a cost - the cost of having it hauled off as e-waste.

    In cases where computers must be locked-down (e.g. due to a grant requirement), the "true cost" should be the buy-in cost + the ongoing maintenance cost - the residual cost (or ... + the disposal cost).

    By explicitly calling this out in your requisition process, it will make people think twice before applying for grants that require locked-down computers.

    • This brings up a really interesting issue regarding ownership of the computers. Legally, grantees do not own equipment purchased under a grant, but are by tradition (if an academic institution) given custodianship of the equipment at the end of the grant.

      Sale or re-purposing of the equipment as the department is doing may technically be a violation of federal contracting laws (not that anyone will enforce it...).

  • Will someone please tell me why an institutional purchaser ---- particularly in a mixed OS environment --- isn't that all new systems support Secure Boot.
    • by gweihir ( 88907 )

      Secure boot is actually a worth a lot less than most people think. In most cases it will cause more hassle than security increase. It is basically an attempt to lock PCs to Windows (eventually), not an attempt to make users more secure. The idea is that when Joe Ordinary tries to install Linux, additional problems surface and he will give up.

      • by dave420 ( 699308 )

        That is nonsense and I think you know it. At least, I hope you know it, as the alternative makes you look much worse...

        • by gweihir ( 88907 )

          Nice emotional manipulation approach. Of course entirely invalid and unsophisticated in addition. And, quite frankly, if my expert opinion looks bad to you, then

          1) that says certain pretty bad things about you and
          2) I do not care. At all. I do _not_ want to be part of your club-of-morons.

          There are enough morons out there with no clue about security that are also Dunning-Kruger sufferers, i.e. they have no clue how clueless they are.

  • Every year at security conferences, more and more people are showing that once something gets into the secure boot area, it won't ever leave. Nearly every bit of anti-malware in the world won't even detect if something is running in the secure area. Being able to disable it is a security feature. Being able to remove or replace it is even better.

    • by gweihir ( 88907 )

      Indeed. and the reason for that is that it is actually not an attempt to make users and systems more secure. It is an attempt to eventually make anything except Windows problematic or impossible to install. User benefits are somewhere between zero and negative.

  • by Aryeh Goretsky ( 129230 ) on Tuesday March 01, 2016 @02:11AM (#51613045) Homepage

    Hello,

    I would suggest the following amendment to your draft text:

    Be it resolved that computers running or intending to run Microsoft Windows purchased by the department which boot using the Unified Extensible Firmware Interface (UEFI) have the ability to disable the Secure Boot feature." REMOVING: s for both local hard drive and network booting.

    If you want to put in verbiage saying Secure Boot should be disabled, the language should reflect this in its entirety, not just for what types of devices the computer boots from. Example: A manufacturer who disabled booting from SSDs, USB flash drives or optical media would still be in spec with your requirements, since you only specified hard disk drives and PXE booting in your text.

    Also, keep in mind your requirement is not going to work with Windows 10 Mobile devices (phones, phablets and the like) as UEFI with Secure Boot enabled is part of the requirements for devices running that edition of Windows 10.

    Regards,

    Aryeh Goretsky

  • I don't understand why the university doesn't simply purchase Linux computers from a major vendor like System76? Save money on costly Microsoft licenses by keeping as many machines as possible running Linux and only install Windows where necessary. If negotiated contracts are a factor, then purchase Linux systems from Dell or HP. They do sell them, you know?!

  • > what is the best way to explain the need for this policy to colleagues less technically literate?

    Secure Boot prevents your boot process from being hijacked. Why would you want to disable that?
    With shim and/or preloader and you can Secure Boot any OS that has a UEFI bootloader.

  • "Windows 10 hardware must support Secure Boot and won't have to let you turn it off." - or that sticker can't be used.

    http://arstechnica.com/informa... [arstechnica.com]

In 1750 Issac Newton became discouraged when he fell up a flight of stairs.

Working...