
from the those-who-would-trade-freedom-for-security-... dept.
Although Microsoft has not yet finalized the Windows 10 hardware requirements, at the WinHEC conference in Shenzhen, China, it stated that OEMs will no longer be required to provide an option for disabling UEFI Secure Boot in order to receive Windows 10 hardware certification.
For those unaware: when Secure Boot is enabled, the UEFI firmware verifies the boot image's cryptographic signature before loading it, and if the signature cannot be verified against the keys enrolled in the firmware's signature database the system refuses to boot. For Windows 8 hardware certification, OEMs were required to provide an option to disable this behaviour on x86 platforms (ARM devices running Windows RT, however, were required to have Secure Boot locked on). In practice the only key shipped in that database on nearly every PC is Microsoft's UEFI CA, so developers and users must have their boot image signed by Microsoft to install or boot on such a system. Major distributions like Red Hat and Ubuntu have gone through this process, getting the small shim bootloader signed by Microsoft and using it to chainload into a vendor-signed kernel. While this allows stock distro kernels to be used, it would still lock users out of compiling and running their own custom kernel unless the firmware or shim lets them enroll a key of their own, and it would prevent smaller distros such as Slackware, which have not gone through the signing process, from being installed on these systems.
NCommander notes: I heavily edited this before posting as I'm personally familiar with Secure Boot (and UEFI in general), and wanted to prevent this from being overly alarmist.
(Score: 2, Interesting) by Anonymous Coward on Saturday March 21 2015, @02:38PM
Pretty much every version since they added this feature, this argument comes up (I remember talking about this in the Vista days). Before that it was the TPM stuff, of which this is a key piece. I can see the value in having TPM and secure boot enabled. But there is also large value in being able to disable it, as people who like to hack on things. I do not really think they want people breaking the security of this.
As quite frankly it will be cracked and pretty much has been cracked.
https://www.youtube.com/watch?v=4bM3Gut1hIk [youtube.com]
Line level hacking is also getting much cheaper. At the point it does not cost much, people will just lift the keys directly out of memory. Then put it through something like IDA Pro. Or, worst comes to worst, bribe someone in China and get the keys.
https://www.kickstarter.com/projects/coflynn/chipwhisperer-lite-a-new-era-of-hardware-security [kickstarter.com]
Is it a pain in the ass to do? Sure is. Imposibru? Not so much.
Pretty much every time MS backs down as MS knows what the OEMs will do. They probably want it enabled by default but the option there but were not clear. That seems very fair. As that hits the majority of what people expect.
It is a classic mistake people make with encryption. Encryption is not unbreakable. It just slows your attacker down.
(Score: 5, Insightful) by Immerman on Saturday March 21 2015, @04:18PM
That's great for malware, but is a real problem for legitimate distros who don't want to risk running afoul of the law. Because I'm *sure* Microsoft (or one of its many sock-puppets) will make an issue of it at some point. That's kind of the whole point of this little game, is it not? To secure Windows' dominant position under the guise of security.
Also, I really doubt anyone in China will have the keys, nor do they exist anywhere on the PC to be extracted - that's a blatant invitation to compromise. Microsoft has the private signing key, the motherboard (and manufacturers) only need the public key so that the motherboard can *validate* the signature. That's a very different thing. This isn't like DVD copy protection where every device needs to have the keys to decrypt the content, the content is already decrypted. They just need to be able to validate that it has been signed.
(Score: 2) by NotSanguine on Saturday March 21 2015, @06:12PM
That's great for malware, but is a real problem for legitimate distros who don't want to risk running afoul of the law. [Emphasis added]
And which "law" might that be? I wasn't aware that Microsoft policies were now automatically enacted into law in every jurisdiction around the world. Actually, I wasn't aware that Microsoft policies were automatically enacted into law in *any* jurisdiction.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 4, Insightful) by Immerman on Saturday March 21 2015, @08:03PM
Couldn't say, specifically - but there's an awful lot of laws against circumventing security systems and accessing information without authorization. I imagine at least one of them could be twisted around enough that only the wealthiest distros could hope to survive the lawsuit, even if it eventually proved baseless.
(Score: 2) by frojack on Sunday March 22 2015, @04:13AM
Most Distros have already taken actions to get around this by the method NC mentioned.
If you base your distro on some known distro, you can pretty much get around having to deal with Microsoft by adopting their stock kernel. (Really, these days having your own distro isn't about your kernel anyway; it's about your integration of DEs, and package selection and smooth integration.)
I suspect that there is zero incentive for a board manufacturer to prevent getting around UEFI with an internal switch or a bios setting. All they do is lose retail sales, and it won't earn them any additional corporate sales. There is no public clamor for UEFI, and very little corporate clamor.
By the same token, all the little guys need do is scream illegal restraint of trade, and Microsoft will be forced to set up a system to sign their kernels (or their shims) for next to zero money.
No, you are mistaken. I've always had this sig.
(Score: 2, Informative) by Anonymous Coward on Saturday March 21 2015, @11:02PM
> And which "law" might that be?
Anti-circumvention clause of the DMCA.
> law in every jurisdiction around the world.
Doesn't need to be. The fact that the US is the single largest market means whatever the law is in the USA will be de facto law in other countries, in the same way that California state law is able to do things like force automakers to ship cars meeting California emissions standards in all 50 states, even when those states have much more lax requirements.
(Score: 2) by NotSanguine on Sunday March 22 2015, @06:19AM
> And which "law" might that be?
Anti-circumvention clause of the DMCA.
Please clarify just that. My understanding of the anti-circumvention clause is that "unauthorized circumvention" carries criminal penalties. If I own the device, then I am, de jure, authorized to modify *any* configuration of the device.
Are you making a claim that I, as the owner of a piece of hardware, am not authorized to modify its configuration and, by doing so, am guilty of a felony under that DMCA?
Please note that it is my understanding that, while some software that may be distributed with a device I purchase may be licensed to me (e.g., the operating system) and, as such, may be subject to DMCA anti-circumvention provisions, I (unless there's a lease or rental deal) own the hardware, which includes embedded firmware. Are you saying that's not the case?
If that's your claim, I'd like to see some detail as to where that is stated in the DMCA, and any relevant case law.
I request this from you because you're making an extraordinary claim that does not appear to track with any law I'm familiar with. Please advise.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 1, Informative) by Anonymous Coward on Sunday March 22 2015, @12:40PM
The DMCA is an awful piece of garbage that infringes upon our fundamental liberties, so I wouldn't even be surprised if it does as you suggest. The courts and lawmakers are firmly on the side of the corporations.
(Score: 2) by mtrycz on Saturday March 21 2015, @08:10PM
To secure Windows' dominant position under the guise of security
Will anyone ever believe that?
In capitalist America, ads view YOU!
(Score: 2) by frojack on Sunday March 22 2015, @04:19AM
Will anyone ever believe that?
Enough people already believe it to make a new motherboard or computer without UEFI hard to find.
So yes, people will believe it. They already bought the tee shirt.
No, you are mistaken. I've always had this sig.
(Score: 2, Insightful) by Anonymous Coward on Saturday March 21 2015, @02:39PM
"I dub all unswitchable hardware: disposable"
There should be a permanent shitlist pinned to the top of this site with [the name of] any vendor that promotes this scheme for "PCs". Microsoft's long-time disruptive technology shark in the water was that they promoted a platform that was just open enough to let techies (and 3rd party vendors) on a budget customize the systems however they need. This is the essence of a "personal computer", for the MS camp at least. Now MS has jumped their own shark.
Their tepid claims of being FOSS-friendly are being shown as ultimately false. Like Apple, they still won't incorporate open A/V formats into their products and their OSes will tell you an inserted Linux-formatted volume "must be formatted before use". Heaven forbid if I ever give an EXT3 formatted flash drive to an Android user, and they decide someday to look at it with Windows.
They are similarly hostile when it comes to Linux multiboot setups. It's wilful negligence that still reigns in Redmond and must be fought tooth and nail to gain any concession. And how necessary for security are these firmware-level lockouts?? They are not! Qubes OS employs a scheme that, in combination with a TPM, prevents a computer from being able to reproduce a chosen passphrase if it's been tampered with. No doubt, the MS excuse will be that the consumer or administrator can't be bothered to remember a sentence to verify system integrity.
I suggest rallying around vendors such as this one--"https://www.crowdsupply.com/purism/librem-laptop" . Eventually, we should pressure the market to open up the whole damn stack; we will probably be forced to!
You can currently cryptographically sign a Linux kernel for Secure Boot. You can install the keys alongside, or overwrite the Windows signature (keep in mind, these keys are your new keys to the Windows OS. It's not truly keyless, so I would suggest adding them alongside.) But most I.T. guys aren't even smart enough to know how it's done. It's no easy task even for Linux people. I currently make 6 figures in a support job and it was difficult for me. I've attempted it only once and was successful, but it is so NOT user friendly even to smart tech people. I would go as far as to say that less than 1% of people will ever do it.
The other hassle is, if you ever update your kernel in Linux which happens way more than in Windows, you have to re-sign against the new one and re-add the keys all over again alongside or overwrite. However, I still have the ability to do it, and that's what's important.
Make no mistake, this is a literal and direct attack on Linux. OEMs will not care about the few people who use Linux and will omit this ability, essentially killing Linux off. This is Microsoft's attempt at the final nail in the coffin of Linux!!
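The summary above describes the firmware checking a boot image's signature and shim chainloading a vendor-signed kernel, and the comment above describes signing your own kernel and enrolling keys. The following Go program is an added example written for this page; it is not code from Microsoft, any distribution, shim, or the commenter. It models the Secure Boot trust policy with real RSA-2048 / SHA-256 PKCS#1 v1.5 signatures from Go's standard library: the firmware holds a public-key allowlist (db) and a hash denylist (dbx), shim holds its compiled-in distro key plus a user-enrolled MOK list, and every party's key is generated on the spot as a stand-in (a placeholder "uefi-ca" key plays the role of Microsoft's UEFI CA). Boot images are short byte strings rather than PE files, and keys are identified by their modulus rather than by X.509 certificate; both are simplifications. It goes a little beyond the text by also running a dbx revocation and a tampered-image case.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Image stands in for a PE boot binary; real firmware hashes only the Authenticode regions.
type Image struct {
	Body   []byte
	Sig    []byte         // PKCS#1 v1.5 signature over SHA-256(Body); nil if unsigned
	Signer *rsa.PublicKey // key shipped with the signature, like the embedded certificate
}

// Sign produces a signed image. Only the private key's holder can do this; firmware never holds it.
func Sign(key *rsa.PrivateKey, body []byte) *Image {
	h := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return &Image{Body: body, Sig: sig, Signer: &key.PublicKey}
}

// KeyStore is all a verifier knows: trusted public keys (db, shim's vendor cert, MOK list) and dbx.
type KeyStore struct {
	Trusted map[string]*rsa.PublicKey // keyed by modulus here; real db entries are X.509 certificates
	Revoked map[[32]byte]bool         // dbx: SHA-256 of images that must never boot, however well signed
}

func (ks *KeyStore) Enroll(pub *rsa.PublicKey) { ks.Trusted[pub.N.String()] = pub }

// Verify applies the policy: dbx first, then a signature check with the store's own copy of the key.
func (ks *KeyStore) Verify(img *Image) error {
	h := sha256.Sum256(img.Body)
	if ks.Revoked[h] {
		return fmt.Errorf("image hash is in dbx (revoked)")
	}
	if img.Signer == nil {
		return fmt.Errorf("image is unsigned")
	}
	pub, ok := ks.Trusted[img.Signer.N.String()] // look up; never trust the key the image carries
	if !ok {
		return fmt.Errorf("signer is not enrolled")
	}
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], img.Sig) != nil {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// Boot models the chain: firmware checks shim against db; shim checks the kernel against its vendor cert and MOK, then db.
func Boot(fw, shimStore *KeyStore, shim, kernel *Image) error {
	if err := fw.Verify(shim); err != nil {
		return fmt.Errorf("firmware refused shim: %w", err)
	}
	if err := shimStore.Verify(kernel); err != nil && fw.Verify(kernel) != nil {
		return fmt.Errorf("shim refused kernel: %w", err)
	}
	return nil
}

// Scenario runs the cases raised in the thread; nil means the image booted. All keys are generated here.
func Scenario() map[string]error {
	keys := map[string]*rsa.PrivateKey{}
	for _, who := range []string{"uefi-ca", "distro", "owner", "attacker"} {
		k, err := rsa.GenerateKey(rand.Reader, 2048) // RSA-2048, as deployed UEFI uses
		if err != nil {
			panic(err)
		}
		keys[who] = k
	}
	fw := &KeyStore{map[string]*rsa.PublicKey{}, map[[32]byte]bool{}} // what the OEM ships: public keys only
	fw.Enroll(&keys["uefi-ca"].PublicKey)
	shimStore := &KeyStore{map[string]*rsa.PublicKey{}, fw.Revoked} // shim's vendor cert plus the MOK list
	shimStore.Enroll(&keys["distro"].PublicKey)
	shim := Sign(keys["uefi-ca"], []byte("shim"))
	stock := Sign(keys["distro"], []byte("distro kernel build"))
	custom := Sign(keys["owner"], []byte("my kernel, first build"))
	rebuilt := Sign(keys["owner"], []byte("my kernel, second build"))
	// A valid signature copied onto a body that differs by one byte: a kernel patched in place.
	tampered := &Image{Body: append([]byte("x"), rebuilt.Body...), Sig: rebuilt.Sig, Signer: rebuilt.Signer}
	out := map[string]error{}
	out["stock kernel"] = Boot(fw, shimStore, shim, stock)
	out["owner-signed kernel, MOK not enrolled"] = Boot(fw, shimStore, shim, custom)
	out["attacker-signed shim"] = Boot(fw, shimStore, Sign(keys["attacker"], []byte("attacker's loader")), stock)
	shimStore.Enroll(&keys["owner"].PublicKey) // the one-time mokutil --import of the owner's cert
	out["owner-signed kernel, MOK enrolled"] = Boot(fw, shimStore, shim, custom)
	out["rebuilt kernel, re-signed with same MOK"] = Boot(fw, shimStore, shim, rebuilt)
	out["tampered kernel, old signature"] = Boot(fw, shimStore, shim, tampered)
	fw.Revoked[sha256.Sum256(stock.Body)] = true // a revocation pushed into dbx
	out["stock kernel after dbx revocation"] = Boot(fw, shimStore, shim, stock)
	return out
}

func main() { fmt.Println(Scenario()) }
```

`go run` prints each case with nil for a successful boot or the error the firmware or shim raised. Two design points are worth noticing. First, a KeyStore contains no private key at all, which is why the key material in the firmware is not something an attacker can "lift": the verifier looks up its own enrolled copy of the public key and ignores the key the image carries with it, so an attacker who embeds their own key gets "signer is not enrolled". Second, the model keeps key enrollment and image signing separate: the owner's key is enrolled once, and the first and second custom builds both boot because each build is signed with that already-enrolled key, while the tampered body fails even though it carries a genuine signature from the same key.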
(Score: 5, Insightful) by Nerdfest on Saturday March 21 2015, @02:43PM
I'm pretty sure most of us saw this coming. They'd insist it be locked on if they weren't worried about monopoly abuse.
(Score: 3, Insightful) by The Mighty Buzzard on Saturday March 21 2015, @02:59PM
Meh, it's really no big deal. Motherboard makers have long created slightly overpriced specialty motherboards for hobbyists that let you do things like overclock or plug way too many video cards in. This will be just another "feature" they can charge for.
My rights don't end where your fear begins.
(Score: 5, Insightful) by Immerman on Saturday March 21 2015, @04:00PM
Correction: it's not a big deal for dedicated users of alternate OSes, who will indeed just buy one of those specialty motherboards.
But think back to the first time you tried Linux/BSD/BeOS, etc. Were you a dedicated user? Would you have been willing to replace your generic motherboard with a specialty one in order to try out something new? I certainly wouldn't have.
Having the majority of PCs locked down means that the vast majority of potential new users will never try out alternate OSes in the first place. Hell, I've converted dozens of people to happy Linux users on the basis of "Sure, I can de-bork your Windows PC for $100, or I can slap Linux on it for $20 - if all you do is web and maybe a little wordprocessing you'll hardly even notice the difference: take a look at mine". If instead it required a complete motherboard replacement then probably none of those people would have converted, and the ecosystem would cease to grow.
It's not a huge problem *today*, but it could be the death-knell for alternative OSes in the long run.
(Score: 3, Disagree) by Hairyfeet on Saturday March 21 2015, @05:19PM
The answer is simple...buy AMD. Asrock (which is now part of AMD) has been making really good AMD gamer boards that start at $54 after MIR [newegg.com] and that gives you crossfire, USB 3, and SATA 6. They are nice boards, I have built several and was impressed enough my youngest is rocking one of these with an FX8300; it's a really good solid board.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 4, Informative) by Immerman on Saturday March 21 2015, @08:05PM
That's great if you're already a user of an alternative OS, but it does absolutely nothing for the vast majority of people who just want a PC, and then heard about this Linux thing and wanted to give it a shot. Nobody is going to go out and buy a new PC just to see what all the Linux fuss is about.
(Score: 2) by Hairyfeet on Saturday March 21 2015, @10:31PM
Then you aren't caring enough about Linux to get it, now are you? You can build your own box, you can get an ARM mini, ultimately (and boy will this piss off the FOSSies) but it's NOT the job of the OEMs to cater to you, if you don't bring anybody enough business to be worth the effort! Hell I would like AMD to be building 24 core dual socket gamer boards BUT since there aren't enough people that care about having 24 cores in a gamer board? It's just not gonna happen.
Likewise Linux users have such a small share they are lumped into "other" [netmarketshare.com] so you can't expect anybody to give a crap if you are unhappy with new designs, "they are not FOR you" as one Apple user told me. BTW this may be petty but fuck it, allow me to do the dance of moral superiority as I TOLD YOU SO, I told you that years of "works for me!" and pretending all the bullshit didn't exist, I told you that going "herpa derp, as long as it works for me I don't care about marketshare, derpa de do" would come back and bite you square in the ass, now allow me to say HA HA HA HA HA! You are about to be locked out of more than 70% of X86, you have Google about to beat the shit out of you and take Android proprietary [arstechnica.com], a trick I believe the FOSSie faction calls an "EEE", and I want you all to take a good look in the mirror and realize YOU BROUGHT THIS ON YOURSELF.
Years of arrogance, years of thinking just because X86 (by a fluke mind you, if Intel had had their way X86 would have been locked down way back in the 486 days) was open you'd always have a platform, and years of "chosen one" elitist bullshit that allowed the community to let Torvalds and friends slide over and over instead of holding their feet to their fire and demanding they compete with the other two....you brought it upon yourself. You now have numbers so low nobody cares if they lock you out, you are royally screwed when if you had just bothered to fucking STAND UP and demand better? You would not be backed into the corner.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 0) by Anonymous Coward on Saturday March 21 2015, @11:05PM
Woooosh!
There, I saved Innerman the effort of posting it himself.
(Score: 2) by frojack on Sunday March 22 2015, @04:35AM
Then you aren't caring enough about Linux to get it, now are you?
Gee thanks. Hairyfeet to Microsoft's rescue yet again.
People already have computers. And when they get tired of the long march to Windows 10, and decide to load something else, your only advice is "You don't care enough if you aren't willing to start from scratch".
My kid learned linux on recycled older machines. It cost him Postage to have Ubuntu mailed to him.
I actually think it's time for the FTC to step in and ban the import of any computers without a UEFI defeat. Even if it requires the removal of a part, or issues an on-screen message. It's clearly a power grab by Microsoft, and it provides no real security.
No, you are mistaken. I've always had this sig.
(Score: 2) by Hairyfeet on Sunday March 22 2015, @07:53AM
And why EXACTLY should myself or the OEMs care? They aren't a charity, Dell sold Linux units and didn't get enough sales to even make a blip on the radar so the evidence is clear...you don't care enough to support them so they are under NO obligation to support you!
Oh and I just love how it's "coming to MSFT's rescue" to point out that there is this thing called capitalism, and if the majority buy X? Nobody gives a rat's ass about Y, especially when Y is full of arrogant assholes with ZERO reason to be arrogant and with marketshare less than a 15 year old XP. Ask those that bought Diamond Rio players how much support they get, hell ask all those that bought Zune players how many peripherals are made for them now.
This is capitalism, and it's NOT THEIR JOB to support your dumpster diving, don't like it? Tough. I predict within less than 5 years Linux will be consigned to a ghetto, HTML V5 DRM will cut off the web to Linux, Secure Boot will cut off dumpster diving, all that will be left is weak sauce ARM dev boards...sorry, should have listened, should have told the distros to get their shit together, now it's too late and you're BeOS.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 2) by Freeman on Monday March 23 2015, @05:36PM
A Raspberry Pi is a very cheap and good option for someone who just wants to try out this Linux things to see what it's about.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by urza9814 on Tuesday March 24 2015, @02:49PM
Ehhh...I love my Pi, but it is definitely NOT a good platform for trying out Linux. It's more like a LEGO brick than a PC. It's great as a remotely controlled media center or server of some sort, but trying to use it with an actual graphical interface is incredibly painful. And trying to browse the web on that thing is worse than using dial-up.
Chromebooks are good for trying Linux. Unfortunately, I haven't had much luck getting it to load on the one my girlfriend just bought. Can only get Ubuntu or SUSE to load*, the rest I put in a live disk and the damn thing acts like it isn't even there. Only recently realized the problem might be UEFI, now I gotta try to figure out how to turn the damn thing off. It's an Acer Aspire E15 if anyone has any suggestions.
* She HATED SUSE -- not surprising, bad choice on my part. Tried to connect to the Wifi, menu pops up asking if she wants to encrypt that password with Blowfish or PGP, and she gave up. Ubuntu she liked but she wanted the dock on the *right* side and those morons at Canonical apparently can't figure out how to make that configurable I guess. But she's finding new flaws in Win8 every single day. She did seem to quite like ElementaryOS when I showed it to her in a VM; unfortunately I still can't get the damn thing to even boot on her laptop...
(Score: 2) by Immerman on Saturday March 28 2015, @02:40PM
I'm rather fond of Ubuntu myself, except for that %$#@! dock bar. My solution? Configure the dock to auto-hide to the top-left corner with a very low sensitivity (using TweakUI) which makes it essentially unreachable except by hitting the Windows/Super key. Then add a vertical xfce4-panel in its place, which is arguably the most useful and configurable panel I've encountered to date. Though of course you could use any other dock/panel instead.
Personally I have it configured to display three columns of "book spine" style window buttons (since I like having the titles visible) along the top ~80%, with Whisker Menu installed in the lower-left corner (fairly Windows 7 menu-ish) surrounded by a 3x3 block of other useful shortcuts and menus: Clipman to list all my recent clipboard contents, and Places to get a recent documents menu round out the bottom row (all three are extra plugins added with Synaptic) and then a couple Directory Menus pointing at the folders I use most often (with file pattern set to *.* so they show files as well as folders), and a handful of launchers for my most frequently-used programs.
(Score: 3, Insightful) by Nerdfest on Saturday March 21 2015, @05:42PM
... and for laptops?
(Score: 5, Insightful) by darkfeline on Saturday March 21 2015, @06:34PM
The day freedom of choice becomes an extra paid "feature" is a very bad day indeed.
Join the SDF Public Access UNIX System today!
(Score: 2) by Subsentient on Saturday March 21 2015, @02:55PM
I'm just lucky all my machines are too old to support UEFI. I can boot the copy of my homebrew SubLinux I keep on my keychain on most systems by disabling secure boot, but I don't have a bootloader that can even boot EFI, much less secure boot!
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 0) by Anonymous Coward on Saturday March 21 2015, @04:12PM
so updating from Windows 7 wouldn't have this UEFI nonsense?
(Score: 2) by mtrycz on Saturday March 21 2015, @08:27PM
If your machine *has* UEFI, it will still have it, if it *hasn't* it won't magically appear.
There's an option on most (all?) BIOSes to enable/disable UEFI, if you want.
What this article means is that, in the future, OEMs will not be required to make UEFI disableable (that sounds funny). So you may end up with a Windows-only system, unless you go to great lengths with manual configuring.
In capitalist America, ads view YOU!
(Score: 1, Troll) by Anonymous Coward on Saturday March 21 2015, @03:49PM
I must have missed the legal precedent preventing you from running computer software on a computer you legally own? So all you do is send a copy of your custom kernel image to Microsoft and instruct them to sign it. We do of course have to be fair and reasonable -- 48 hours after the initial request is an adequate lead time before commencing legal proceedings.
(Score: 5, Informative) by melikamp on Saturday March 21 2015, @04:52PM
You must have. Here is the skinny: https://en.wikipedia.org/wiki/Anti-circumvention#United_States [wikipedia.org]
(Score: 2, Informative) by Anonymous Coward on Saturday March 21 2015, @05:52PM
You can partially thank Sony for taking people to court for cracking the PS3 because they wanted to run software on a computer they legally owned. Really, you're pretty far behind on the times.
(Score: 3, Interesting) by linuxrocks123 on Saturday March 21 2015, @03:57PM
Can you use the firmware to enroll your own keys not signed by MS? If so, this is still inconvenient, but not a real problem.
(Score: 4, Interesting) by Rich on Saturday March 21 2015, @05:12PM
What a convenient coincidence that Intel has just introduced a BIOS lock feature that prevents UEFI being replaced with coreboot :)
But then, the dime-a-dozen ARM boards have reached the performance levels that are sufficient for everyday computing. So if the insanity levels in the Wintel-also world move from "annoying" to "painful", the FLOSS crowd might just shrug their shoulders and move to a Raspi or one of its relatives for some of the spare change in their pockets.
(Score: 4, Informative) by edIII on Saturday March 21 2015, @07:37PM
That's what I just did in the last couple of months. At first I raged, but then I got the message:
We at Intel, have decided together, in a purely impartial manner to the markets, that Microsoft's DICK is replacing the shareholder as our primary purpose for existence.
My little rant aside, it's so bad, that you cannot even trust Intel's documentation on the matter. Spend 20 minutes tracking down documents on an Intel NUC, and you can find vague assertions of reports of Linux distros working. Yet, on the websites selling the products they completely fail to mention the total lack of ability to boot Linux. Or worse, they will claim Linux support that doesn't actually exist. You can be careful and research your product well, and still get burned when it arrives.
Then I calmed down and remembered that the whole purpose of me purchasing a computer was to run the software I wanted. For whatever reason, Intel has decided it no longer wants me as a customer. Weird. Moving on.....
Now that it's too *risky* to purchase something from Intel (I don't want to find out I can't install Linux after purchase), I've been looking at designs for running distributed computing with low power boards. I'm not actually a heavy gamer, and as such I need far less high performance in one localized system. Synergy [synergy-project.org] allows me to control a group of different running OS on different hardware under the illusion of a single system. With XMLRPC, and a little elbow grease, I bet we could even get complex windows and data objects passing between systems (shifting between websocket'd browsers, not native apps necessarily). Although Synergy already provides the basic stuff you would want like clipboard and file sharing. In any case, it's an adventure now for me.
I've come up with a number of pretty interesting projects now for my personal and professional workstation needs, now that I cannot count Intel as a manufacturer I can source product from. One of the things I am looking forward to the most, is the natural silence. Distributed computing like this means less power, less heat in one spot, fanless...........
I'm somewhat curious what will happen the next time I decide to buy a large server based on Intel stuff. Perhaps, they won't be so brave to kill the data center markets for their products. We all well know that the majority of data center computing isn't switching back to Microsoft servers just because you can't source server products from Intel. An exodus is exactly what will happen, from exactly the wrong demographic, away from Intel and actively hostile now against Microsoft. That's not an appeal to emotion. I can't *afford* the millions of dollars in licensing fees and code development to shift the stuff I work with back to Microsoft, nor anyone I've worked with. That's setting aside personal and ideological positions too. Logic and reason dictates Intel is going to keep the enterprise level stuff unlocked, so this is purely an attack on the personal computing markets and Linux.
Intel is really screwing up in choosing Microsoft to lock up the market by locking themselves out of almost every single new innovation coming out of the communities on a go-forward basis. I think I'm going to make something pretty damn awesome with a bunch of Soekris boards, Raspberry PI boards, OpenBSD, and a few flavors of Linux for laughs. Who is going to de facto choose Microsoft again as a hobbyist, hacker, or professional? How will Intel remain relevant with those communities pushing innovations when Microsoft is the OS? It's not like Microsoft is highly relevant today in any kind of DIY project, and now they are trying to take Intel down with them in these communities. LOL, it's *working*. I just purchased my last Intel board for personal use, and am looking at distributed computing with their competitor's products. *golf clap*.
Wait... It gets funnier for Intel. If I decide I *still* need to run a Microsoft OS for whatever reason, I will choose their competitors in case I ever want to run Linux on it afterwards. Which is guaranteed too, since once it's decommissioned as a workstation, it spends the rest of its life as a server. So they've sold their soul to Microsoft for the lockdown capabilities, and Microsoft is the one left with the hope for money from my wallet? What happened? Wut? :D
I haven't shrugged my shoulders, as much as I have bitched loudly, but you got one thing right. I moved on from Intel to Soekris and Purism.
(Score: 2) by danomac on Sunday March 22 2015, @04:38PM
I own several NUCs and I've never heard anything about this. However, I run gentoo, use distcc, and roll my own kernels - and this is probably the source of the problems that the binary distros have. I do recall that very early on, running an earlier than a specific kernel version the display performance was abysmal. They addressed this with fixes in the Intel video driver (in newer kernel versions) and a BIOS update. Another thing I remember off the top of my head is that while the NUCs support legacy booting, you must use EFI booting (which I do using grub2) in order to get access to all the features - a primary one was audio over HDMI.
(Score: 2) by edIII on Tuesday March 24 2015, @02:10AM
I've tried two different Intel NUCs, both of them DN2820FYK. I wanted to find the cheapest, and still reasonably performant little system for embedded devices. I was admittedly quite stupid at choosing it simply because it really did look awesome. Something I can see myself giving to a client. I got rightly nailed for going for pretty over actually-functioning.
Intel NUC encompasses more than one model IIRC, so it might not be the *entire* NUC line. Although, I'm almost nearly positive that we can entirely write off the chipset behind my model. That's not my feelings entirely, but what I kept reading from others in forums wrestling with that Centrino chipset behind my model. I kept researching it, and I did notice it "claimed" Gentoo support. I tried CentOS 6, CentOS 7, SUSE 13.2, FreeBSD, NanoBSD, and OpenBSD. All while trying legacy booting, not EFI. No luck on any one of them. Ubuntu and Redhat are the only ones that I think have paid the extortion price and had MS sign their keys, or have figured out how to get it signed and put on the boards by Intel. So while it was technically possible to get *a* Linux operating system on it... it's not exactly what I would call a success or a "feature", especially when I can't get the distros I've actually used for 10 years to run on it. I don't have any familiarity with Gentoo, or how well it could be used for embedded devices like my use case either.
After researching it more heavily, it might be possible to secure my own kernels, but that's a lot of work man. A lot of work, and none of it user friendly for anything less than an 11/10 technician. Also, I would need to roll my own keys for every single modification of the kernel right? So how are kernel updates possible with EFI? It seems like a great idea, but since I have no real control over UEFI, I don't see it as a viable security feature. It currently only stops me from loading software, which is an indirect way of saying it doesn't approve of FreeBSD, NanoBSD, or OpenBSD.
If you really know anything about this I would encourage you to write a wiki or a blog detailing how you can secure your own kernels, and then get them up and running under a UEFI secured system by adding the keys manually. I would absolutely use it in a split second if I knew I could manage it personally. It's all about whether or not the control rests with the property owner IMHO, and it doesn't rest with me now and that little %^&*#&^$ gorgeous waste of technology on my desk.
As for me, I already gave the unit away to somebody else that wants to run Microsoft on it.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by danomac on Tuesday March 24 2015, @04:27AM
I have two DN2820FYKH0 running Linux (Gentoo) right now. They are both connected to TVs, running primarily as a MythTV frontend (these are great as a MythTV frontend!) They both can spawn XBMC/Kodi as a menu option in MythTV, as the interface for XBMC is much nicer than MythTV's video library.
Yes, I found out the N2820 kits may have revised processors on them. While they are all N2820-based, Intel has been putting the revised N2830 in the N2820 kits without changing the labelling.
Both of my N2820s had a very old BIOS version, there was even a leaflet inside the box saying update the BIOS before you do anything, which I did. I did power up my NUC to check a few things for this post, but I forgot to check the BIOS version I'm currently using. I updated both to the latest BIOS ~3 weeks ago.
Also, there was a known issue with specific kernel versions and the Intel drivers included in them - fortunately I knew about this before I attempted to install anything. This is where binary distros got burned, they're usually a few kernel versions behind and it's most likely one of the causes of your issues.
This is most likely the problem. I read somewhere in Intel's documentation online that unless you boot using EFI, you will not have full access to the hardware. However, UEFI Boot != Secure Boot. Secure boot likely requires UEFI booting (I haven't looked into much detail with it), but the converse is not true. While I am booting in UEFI, both of my NUCs have the Secure Boot setting disabled. All I had to do was install grub2 in EFI mode, which requires a boot disk that can boot with EFI enabled. I used one of Mint's 64-bit boot disks for one installation, but I discovered SystemRescueCD boots in UEFI as well, and used that for the second install. I installed Grub2 using Gentoo's wiki [gentoo.org] as a guideline, as I'd never attempted it before. I also partitioned using GPT.
I've put my kernel .config for the N2820 on pastebin [pastebin.com], if it will help someone else. Big note: This is specific to the gentoo-sources package in Gentoo, and so there will be some Gentoo-specific items in it. However, the relevant hardware is in there, and I figured posting the whole thing is better than just bits of it. You generally configure and build your own kernel in Gentoo; on binary distros most users just use whatever was packaged with it. Intel constantly updates the drivers in the kernel (all of them: display, mdraid, etc.) so the newer the kernel, the better.
As I mentioned, there's no need to do this.
Can you borrow it back? ;-)
In closing, other than using GPT partitioning, and installing grub2 in EFI mode in order to boot, I did no other special configuration other than enabling vaapi for all packages. Both of my NUCs have no issues playing back both 1080i and 1080p with HDMI passthrough using mpv with vaapi support.
Here are some other tidbits:
Also, if you use Gentoo, these are not exactly fast at compiling from source. I set up distcc to speed things along.
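The post above hinges on "UEFI Boot != Secure Boot": a machine can boot through UEFI with Secure Boot switched off, and the two states are reported separately by the firmware. The script below is an added example, not code from the thread or from any of the projects named in it; it decodes the SecureBoot and SetupMode variables as Linux exposes them under efivarfs (the 4-byte attribute word followed by one data byte, the EFI_GLOBAL_VARIABLE GUID in the file name) and classifies the box as legacy-BIOS, UEFI with Secure Boot off, UEFI with Secure Boot on, or UEFI in setup mode (no platform key enrolled, so the owner can install their own keys). The state labels are this example's own naming.

```python
"""Tell "booted via UEFI" apart from "Secure Boot enforced" on a Linux host."""
import os
from typing import Optional

# EFI_GLOBAL_VARIABLE GUID; efivarfs names each variable "<Name>-<GUID>".
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"


def efivar_u8(blob: bytes) -> int:
    """Decode an efivarfs blob: 4-byte little-endian attributes, then the data.

    SecureBoot and SetupMode are one-byte variables, so anything other than
    exactly 5 bytes is a malformed or truncated read and is rejected.
    """
    if len(blob) != 5:
        raise ValueError("expected 5 bytes (attrs + 1 data byte), got %d" % len(blob))
    return blob[4]


def secure_boot_state(uefi: bool, secureboot: Optional[bytes],
                      setupmode: Optional[bytes]) -> str:
    """Classify firmware state from what efivarfs exposes (labels are ours).

    uefi       -- True if the efivars directory exists (False: legacy BIOS/CSM boot)
    secureboot -- raw SecureBoot variable blob, or None when absent
    setupmode  -- raw SetupMode variable blob, or None when absent
    """
    if not uefi:
        return "legacy-bios"             # no UEFI runtime services at all
    if setupmode is not None and efivar_u8(setupmode) == 1:
        return "uefi-setup-mode"         # no PK enrolled; owner may enrol own keys
    if secureboot is None:
        return "uefi-no-secureboot-var"  # UEFI boot, Secure Boot not implemented
    return "uefi-secureboot-on" if efivar_u8(secureboot) == 1 else "uefi-secureboot-off"


def read_var(name: str) -> Optional[bytes]:
    """Read a global EFI variable from efivarfs, or None when it is not present."""
    try:
        with open(os.path.join(EFIVARS, "%s-%s" % (name, EFI_GLOBAL)), "rb") as f:
            return f.read()
    except FileNotFoundError:
        return None


def current_state() -> str:
    """State of the machine this runs on (Linux with efivarfs mounted)."""
    return secure_boot_state(os.path.isdir(EFIVARS),
                             read_var("SecureBoot"), read_var("SetupMode"))


if __name__ == "__main__":
    print(current_state())
```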
(Score: 2) by hendrikboom on Saturday March 21 2015, @07:49PM
Do you know of a viable ARM laptop?
The ones I've seen are Chromebooks, starved on (so-called) disk storage.
The Chromebooks with real hard drives all seem to run Intel.
-- hendrik
(Score: 1) by Rich on Sunday March 22 2015, @01:25AM
Do you know of a viable ARM laptop? .. I've seen .. Chromebooks, starved on (so-called) disk storage.
Unfortunately not. I recently did a search, but nothing great came up. Chromebooks are obviously starved on local storage to lock their users into an online storage service. There is the (in)famous Yeelong Lemote (of RMS fame), which runs a totally free stack, but on a completely underpowered MIPS at silly prices.
I, for now, am a lazy person and stick to the old black IBM-originated stuff (read "used T60"). Dirt cheap, built like tanks, fine displays (in their hi-res variants), and still performing well enough for most everyday tasks with their 2+GHz Core2Duos. Occasionally a part craps out, but every bit of trouble can be sorted by hacking the relevant FRU number into a browser search box. Finally that embossed Paul-Rand-"IBM" branding on the Richard-Sapper-Tizio-looks-compatible box is a bit of a nice fashion statement between cognoscenti, isn't it? Lenovo have so wasted what was left of their street cred between Superfish and the BIOS lock.
Mid-term, I'm not sure what the market will bring. If all acceptable "new" options would disappear, might there be a boutique market for "Frankenbooks"? Solid case, IPS-antiglare LCD, new SOC innards? (Just thought about the idea of a bastardized IBM 701, but these are so rare and expensive now that slaughtering them seems unacceptable...). Or will the "new" options stay even for Intel, because by now there are thousands of vertical market applications where field technicians need specific Linux setups?
(Score: 2) by NCommander on Sunday March 22 2015, @11:45AM
On the Chromebook front, I'm thinking about getting one to replace my antique of a laptop, but the storage situation frustrates me as well. That being said, it's got SD slots and USB slots, so expansion isn't a dealbreaker. Slotting in a 128 GiB SD card [amazon.com] is pretty affordable. I had a Chromebook 11 for a while, which didn't have an easy-to-tweak bootloader, but it should be possible to convince whatever kernel you boot to start from that instead.
Still always moving
(Score: 2) by hendrikboom on Saturday March 28 2015, @07:07PM
I've currently got a laptop with about 150G. I'm in the process of replacing its disk with a terabyte drive.
The thing is, I can do it on my EEEPC netbook.
I'd have a hard time doing that with a Chromebook.
(by the way, does anyone know a reliable way to copy an existing Windows XP partition to a new drive so it will still boot? I'll sacrifice Windows if I have to, but you never know -- I might need it for something in another year or two.)
-- hendrik
(Score: 2) by NCommander on Sunday March 29 2015, @03:25AM
Make a backup first, then run sysprep on it, then raw copy the image to another PC with something like Ghost or dd. sysprep resets Windows XP back to "Out of the Box" mode, and it will rerun all the first-boot setup and configuration. If the copy of Windows installed was an OEM version, you might have to do some pain to get it to activate.
(assuming MSFT will even activate XP anymore)
Still always moving
(Score: 2) by hendrikboom on Sunday March 29 2015, @08:56PM
Will dd copy the partition in a useful way even if the block size of the new drive is different from that on the old drive?
(Score: 2) by NCommander on Monday March 30 2015, @01:26AM
The easiest way is dd if=/dev/*old drive* of=/dev/*new drive*, which will copy the partition table exactly. I believe ntfsprogs has something to resize NTFS partitions, or parted itself can do it. Failing that, use Windows diskpart* to resize the partitions to fit the new drive.
* - I'm not 100% sure Windows XP's diskpart supports NTFS resizing. You could use a Windows 7 boot disk though to do it.
Just remember to set the new computer to use BIOS booting, and not UEFI booting (which is the default on almost all machines).
Still always moving
(Score: 4, Insightful) by Balderdash on Saturday March 21 2015, @05:19PM
Replacing the Microsoft SecureBoot key with my own PKI key is perhaps #3 on the list of things I do when configuring a new computer before ever installing a hard drive or OS - following enabling vPro AMT and then the BMC manager if present.
If I am unable to replace the master SecureBoot key with my own, that machine is getting packed up and sent right back to the OEM as defective.
I only buy OEM systems for work and build systems for home use. But the HP account for work sees a couple hundred computers a year, which isn't all that many when speaking "volume purchasing", but will instantly become zero if they choose to lock me out at the BIOS level.
It's already annoying enough that they ship hard drives completely unsuitable for use and requiring formatting (we aren't large enough for custom disk images or custom SLIC BIOS entries yet) - but at least this is only an annoyance and not outright sending defective equipment, which is the only possible definition for locking you out of the system at the firmware level and not allowing any OS to boot.
(By "any" I don't mean less than one, I mean literally any OS)
I browse at -1. Free and open discourse requires consideration and review of all attempts at participation.
(Score: 1, Interesting) by Anonymous Coward on Saturday March 21 2015, @05:44PM
I'm not clear on the issue as it applies to BIOS based computers. If you don't have UEFI, does that mean you can't use Windows 10 or does that mean you can but this nonsense doesn't affect you? Some articles I've read on the web seem to suggest that you can't install 10 on a BIOS machine. If so, how does MS plan on upgrading all those gazillion computers that don't have UEFI?
(Score: 0) by Anonymous Coward on Saturday March 21 2015, @10:33PM
All computers that shipped with Windows 8.x will have UEFI. I suspect many that shipped with Windows 7 do too, though maybe not. I can say that I installed Windows 10 preview build 9926 on an older HP laptop without UEFI. Requiring UEFI may only be something that applies to OEMs; if it is required for all installs, then it may not be until later builds, perhaps even the final release, that they enforce it.
To be clear, this article is about what Microsoft requires for it to certify hardware for computers shipping with Windows 10, not what Windows 10 itself will require to be installed.
(Score: 3, Informative) by arashi no garou on Sunday March 22 2015, @01:07AM
To be clear, this article is about what Microsoft requires for it to certify hardware for computers shipping with Windows 10, not what Windows 10 itself will require to be installed.
Thank you! I wish more people would understand this. I've been reading BS spreading all over the web by so-called "experts" claiming that by installing Windows 10, your formerly disabled Secure Boot will suddenly become magically enabled and locked on. It's this kind of moronic disinformation that's hurting, not helping GNU/Linux and other OSes. Others are claiming that Windows 10 won't install on a PC that Secure Boot can be disabled on; again, deliberate or ignorant misinformation.
For anyone else who still has their head firmly attached to their own rectums: Microsoft is not forcing OEMs to lock Secure Boot on, Windows 10 will not magically render your PC unable to boot other OSes when you install it, and the ability to disable Secure Boot has absolutely no bearing on whether you can install Windows 10 or not, so stop with the motherfucking FUD already, assholes!
If you are serious about running GNU/Linux or any other non-Windows OS, stop being so fucking lazy and do your damn homework before purchasing a system! Don't just assume that any piece of hardware will work with alternate OSes. Even if a computer boots GNU/Linux, there may not be a driver for some component yet. This is no different. Buy for your OS of choice, don't blindly purchase the cheapest, ugliest piece of throwaway shit on sale on Amazon and just hope that it will work, or you're guaranteed to have a bad day. That was true in 2000, it was true in 2010, it's true today and will be tomorrow. Bottom line: PCs have always been and will always be designed for the OS with the largest market share. Right now that's Windows. Maybe the day will come when GNU/Linux or a BSD or fucking Haiku (praise the gods) will be the dominant PC OS. But until that day, you're a blithering idiot if you build or buy a PC on hopes and dreams alone. Research, study, learn. It's not fucking rocket science.
(Score: 0) by Anonymous Coward on Sunday March 22 2015, @03:49PM
Faith in astroturfing restored!!!
(Score: 2) by arashi no garou on Monday March 23 2015, @01:35AM
What astroturfing? I'm serious: If you're going to say something like that, back it up. Otherwise you're just another baby troll with no concept of reality.
(Score: 3, Informative) by unitron on Saturday March 21 2015, @07:53PM
..."For those unaware when Secure Boot is enabled, the UEFI will verify the boot image's cryptographic signature prior to loading and if the signature cannot be verified, the system will refuse to boot..."
actually read
"For those unaware, when Secure Boot is enabled the UEFI will verify the boot image's cryptographic signature prior to loading, and if the signature cannot be verified, the system will refuse to boot..."?
Which is not to say I'm not likely to be aware when Secure Boot is enabled, or even likely to know if a particular motherboard has that capability in the first place.
something something Slashcott something something Beta something something
(Score: 2) by wonkey_monkey on Sunday March 22 2015, @06:24PM
Nope. It actually does read your mind and only verifies the signature if you're not aware that it's enabled. It's quantum!
Or something.
systemd is Roko's Basilisk