Ubuntu secure-boot support is broken

If you install Ubuntu on a computer with secure-boot enabled, then it will probably boot.  And maybe that’s all you want.

If so, you probably won’t be concerned about what I am describing here.

However, secure-boot is supposed to verify many of the steps in the boot path.  And that’s where I see Ubuntu as broken.

I’m basing this on tests that I have done on Ubuntu-17.04 and Ubuntu-gnome-17.04.

Quick summary

First a brief summary of the problems that I am seeing:

  1. Ubuntu will boot without checking a signature on the kernel.
  2. Under some circumstances, Ubuntu will complain about a bad signature, and refuse to boot, even though secure-boot has been disabled.

Does Microsoft care about security?

On one of my computers, I have Windows Vista.  I mostly use that computer for linux, but I do occasionally use Windows.  For anti-virus, I have MSE (Microsoft Security Essentials).

At present, the computer is telling me that the virus tables are 6 days old.

Although I would prefer to use that computer with linux, on Wednesday, I left it running Windows for around 12 hours.  It failed to update the AV definitions.  On Thursday, I left it running Windows for 14 hours.  Again, it failed to update the AV definitions.  On Friday, I left it running Windows for 16 hours. And, again, it failed to update the AV definitions.  Today (it is still Saturday local time), it has been running Windows for over 10 hours, and has failed to update the AV definitions.

On Wednesday, I also booted my laptop to Windows.  I had not used the laptop for several days, so the AV definitions were three days old.  It updated after around 3 hours.  But the Vista system still has not updated.

This is the third consecutive month when I have had problems with updating MSE, at around the time of patch Tuesday.  The previous two months, I attempted to manually update.  On the manual update, it did a search for virus updates, then seemed to hang there forever not actually downloading.  It did eventually update, after repeating this for two days.  This month, I decided to allow it to update without manual intervention, with the results described above.

It seems pretty obvious that, recently, Microsoft has worsened the priority for updates to Windows 7 and to Vista.  The priority worsening is greater for Vista than for Windows 7.  It affects monthly patches as well as MSE virus table updates.

The message to malware producers is loud and clear.  Malware producers should distribute their malware on patch Tuesday, and Microsoft will give them a free run for several days.

Microsoft is being sneaky

I purchased my main desktop for use with linux.  But it came with Windows 8 as a discount deal from Dell.  So I kept the Windows 8, and added a second hard drive for linux.  I did update to Windows 8.1.  I kept Windows for experimenting with dual boot on a UEFI system.

My normal usage on this computer is to boot opensuse.  But twice a week I boot to windows and update the anti-virus (Windows Defender).  Once a month, I also do Windows updates.  Then I boot straight back to linux.

What happened today

This evening, I did one of my reboots to Windows.  I did a quick virus scan, then went to Windows update.  It showed one important update, namely the Windows Defender update.

Take back the Internet

I have borrowed the title from a post by Bruce Schneier:

I urge you to read that post.

Schneier notes that this is mainly a political problem, but it does have an engineering component.  So he calls on engineers to do their part.  And one of the things that he wants them to do is report apparent cases of government attempts to subvert the network.

UEFI booting — operating system or device?

When we boot our computers, what we want to do is load an operating system.  Traditionally, we booted devices and it was up to the operating system to work out how to get the system loaded by booting a device.  However, UEFI was supposed to change all of that.  With UEFI (or Unified Extensible Firmware Interface) the idea is to directly load an operating system without the steps of device booting.

There is, in the UEFI design, a fallback ability to boot devices.  This is needed when the operating system is not yet installed, so that booting the install device can set things up.  However, this was intended only as a fallback.  The main use of UEFI was to be to directly load an operating system.

I have recently posted about a Toshiba system and an HP system, where the manufacturer did not seem to get the message.  Both appear to be cases of backward thinking that sticks to the old idea of booting devices rather than operating systems.

A sampling of comment spam

Before I delete some comment spam, I thought I might post a sampler for the benefit of readers who wonder what comment spam is all about.

I’ll note that spam has not been a big problem here.  Like most wordpress blogs, they are checked by akismet, which does an excellent job of identifying spam.  It is set to automatically delete spam on older posts (that seems to be older than 30 days), and to show me spam on newer posts where I can delete or mark them as not spam.  I have seen very few posts that I have had to mark as not spam, and I have seen very few spam that akismet did not flag.  Clearly, akismet is doing very well.

Stupid bank security

I’ll be commenting on those answers to special questions that some banks use.

Yesterday, I logged into my bank site to check the balance.  The first page I saw told me how they were going to protect my security.  Then I was asked for information.  The first item was a phone number.  Okay thus far, though I’m pretty sure that they already know that.

The next information was three questions to which I should supply answers.  I had some choice in the questions.

Seen in email

I hate Microsoft

Though I mainly use linux, I also use Windows.  I mostly have it there for the occasional software that requires it, such as the income tax software that I use to prepare my tax returns.  And I usually try to avoid some of the negative hype about Microsoft that we occasionally hear from linux people.

Dealing with the IRS

[Update 6/13/2012: that interest charge that made no sense was eventually removed]

I arrived back from a little traveling, and found a notice from the IRS.  For those not in the USA, the IRS is the department of government responsible for collecting taxes.

