[coreboot] Feedback On Coreboot: the Solution to the Secure Boot Fiasco

David Hubbard david.c.hubbard+coreboot at gmail.com
Sat Jan 5 00:26:45 CET 2013


Hi Andrew,

On Fri, Jan 4, 2013 at 4:23 PM, Andrew Goodbody <ajg4tadpole at gmail.com> wrote:

> On 02/01/13 19:28, David Hubbard wrote:
>
>> Andrew, Ron, what's your take on http://mjg59.dreamwidth.org/20916.html?
>>
>> Specifically:
>> "This is part of Windows 8's fast boot support - the keyboard may not be
>> initialised until after the OS has started."
>>
>
> OK, the feature is deferred initialisation of USB devices until they are
> actually needed.
> Windows 8 is making use of this but it is introduced as part of the UEFI
> spec 2.3.1c.
> It is optional to implement it or not; the OEM gets to decide.
> This is in the UEFI spec and can be used by other OSes than Windows, e.g.
> Grub could use it to speed up loading of Linux.
>

I understand.


>
>> 4. User is thus *forced* to use Win8's "hold down shift and restart"
>> feature -- adding another barrier before a user can boot her own OS.
>>
>> I think the biggest problem here is that the entire BIOS is made
>> inaccessible, and only if Windows gives permission can you change that.
>>
>
> Well yes and no.
> 1) PS/2 keyboards are not affected, they are still initialised and
> available as normal. Many laptop keyboards are implemented as PS/2 devices.
>

At least AMI BIOS also skips initializing PS/2 keyboards and mice.


> 2) There are a number of ways that you can get USB enumerated and
> keyboards initialised.
>  a) If HDD is not primary boot target
>  b) If primary boot target fails
>  c) If bootloader invokes EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL.ReadKeyStrokeEx()
>
> So yes, on a motherboard that implements it, with no PS/2 keyboard, with
> the HDD as primary boot target and with Win8 installed then you may have to
> use the Win8 menu to restart into the UEFI settings screens. And yes this
> can be a small barrier to booting using an alternative method for any
> reason, not just installing an alternative OS. But quite frankly I have
> seen some bizarre setup screens on legacy BIOS that made choosing to boot
> from a USB device an exercise in frustration. So this extra step in the
> road to booting an alternate OS is not that big a deal. It can at least be
> documented and is not a hard thing to do at all. Even without this there
> are some machines that boot so fast it is not easy to press the key to get
> to the setup screens at the right time, this may actually give a more
> reliable way to get to the setup screens on those machines.
>

Good point - it could be a more reliable way to be sure the setup screen
comes up.


>
> BTW 1) when you use BIOS above, you actually mean Setup. Setup is an
> application launched by the BIOS to view or change system settings. The
> BIOS is not accessible nor inaccessible, it is running as soon as the CPU
> begins to execute code and will complete its tasks as normal according to
> those system settings.
> BTW 2) it's UEFI firmware, not BIOS. Just as coreboot is not BIOS.
>

Ok, fine.

David