- Last year, before it was certain that Lenovo actually would fix my laptop, I was talking to a Linux kernel developer about what we could do to get Linux booted on these machines without any help from Lenovo.
- Linux could support the BIOS fake RAID mode that these machines default to in order to trick Windows into loading an Intel storage driver with a better power management policy than the generic Windows driver, but there'd be little point since it wouldn't affect power management on Linux either way (which is better than Windows 10, if you were wondering, and I'm guessing that in addition to Linux efficiency, the spyware that comes in Backdoors 10 probably drains your battery too). In fact, while my fight with Lenovo raged on, Intel just happened to dump a bunch of driver code on the Linux Kernel Mailing List (like a flaming bag of dog shit) and ran off. Coincidence? As Yogi Berra might have said, it's too coincidental to be a coincidence. Anyway, it was rejected because it was "Too ugly to live." to quote a Linux storage subsystem maintainer, and likely to cause data loss. (And this is the mode you're in when you run Windows from the factory!).
- I noticed that the Windows Boot Manager was loading from the EFI System Partition and obviously that doesn't have any storage controller drivers because it's too early in the boot process. That's when it struck me that it probably didn't need any because uEFI Boot Services could access the disk using its own driver because it IS the firmware. So I asked Matthew Garrett if GNU GRUB (the de facto Linux bootloader) did the same thing. He said it did. I asked if Linux, once running, could reset the storage controller and bring it back up in AHCI mode after Boot Services exits. He said yes, in theory, it could, but he'd have to check Intel's documentation to see if it was allowed. He never did get back to me.
- It ended up being a moot point since I went after Lenovo with the media and the Illinois state government and they got a patch out real fast once the government started sniffing around. They even sent a letter to me through the Attorney General apologizing for the inconvenience and asking if I could verify that Linux worked on my computer and close the case with the AG's office.
- One of the "advantages" of uEFI is supposedly that it has drivers for all of the basic hardware on the system. The downfall is that they're basically garbage. Theoretically, you could rig GRUB to never call exit boot services and Linux could say "Hey! I'm a bootloader! Gimme your drivers!". Why doesn't it do that? The uEFI drivers SUCK. The performance is awful and, also, if you accept the way the firmware handed you the hardware, you don't know exactly what state it's in, so there could be data loss and bugs that you didn't anticipate. So yes, it has them, and no, you can't use them because of reasons. Also, for things like the video, the firmware brings it up in the most basic way possible and expects the OS to reinitialize it properly later.
- I noticed something strange when I booted up an openSUSE Tumbleweed last night.
- They signed shim with both Microsoft's key and their own and my BIOS asked me if I wanted to add openSUSE to the Secure Boot trusted key list.
- Lenovo seems to have been up to more fuckery than I originally noticed last year, and disabled the user's ability to configure uEFI Secure Boot Custom Mode, but the BIOS still prompts you for a yes or no and will add the key if you say "Yes".
- The only way to get rid of the keys you've added is to go into the BIOS and select "Restore keys to factory settings.", which deletes everything but Microsoft's.
- The uEFI specification doesn't MANDATE that Custom Mode be available for the user to set up, and nothing in the Windows sticker program (that vendors have to comply with to get bulk OEM Windows license rebates) says it has to either, so Lenovo grayed all of the settings out to keep fucktards from going into their BIOS and accidentally deleting Microsoft's key, which the Custom Mode specification says you should be able to do if you want to.
- The only settings that Microsoft mandates for the Windows sticker program are:
- 1. uEFI Secure Boot must be on by default, but owners of x86 PCs must be able to turn it off completely.
- 2. Fast Boot must be enabled by default (saves a few seconds by telling the BIOS not to bring up the keyboard and USB ports / Makes sense if you only want to run Windows because the OS has to return them to their initial state and then bring them up again. Makes sense for Linux too on my computer, because of the Nova Button, which you can press with a pen and get to a special menu that lets you enter the BIOS setup or boot menu.).
- 3. There is a mandate that laptops with an NVMe solid state drive have to use fake BIOS RAID to trick Windows into loading an Intel RST driver with a better power management policy than the Windows generic driver. Lenovo extended this originally and locked it to that mode, which prevented Linux installs, but I went after them in the media and with the state of Illinois. First they refused to let the user put the storage mode into AHCI mode, but they reversed course once they got a letter from the Illinois Attorney General's office regarding my complaint and they realized that they could end up being forced to buy back or otherwise compensate users who couldn't install non-Windows PC operating systems, so they fixed it by allowing the user to change that setting.
- What shocked me about openSUSE is that they are in the clear minority when it comes to signing shim with their own key. The most widely used distributions either just have Microsoft sign it (which they will with a developer license which costs the distribution $99 a year) or tell you to turn it off. The benefit to using the Microsoft signing is that there probably doesn't exist a PC that doesn't have it unless the user has removed it. I doubt most BIOSes allow this to keep support costs down. Some BIOSes even forcibly add a "Windows Boot Manager" entry to your EFI boot menu even if you've never had Windows on the computer on the assumption that if it's missing, shit got fucked up somewhere along the way, and they don't want you to call their support number asking why your machine says "OS not found".
- Here's how the major GNU/Linux distributions handle Secure Boot, assuming you didn't turn it off (If you turn it off then all of them should boot and allow unsigned kernel modules. Supporting Secure Boot implies that they support uEFI in native mode without PC BIOS emulation.):
- Fedora: Secure Boot uses shim and it's signed by Microsoft.
- Ubuntu: Secure Boot uses shim and it's signed by Microsoft.
- Mint: Based on Ubuntu and ditto on the Secure Boot.
- openSUSE: Secure Boot uses shim and it's signed by both Microsoft and openSUSE.
- Debian: Version 9 supports uEFI without pretending to be a legacy BIOS but will fail to boot with Secure Boot turned on.
- Mageia: Version 6 supports uEFI without pretending to be a legacy BIOS but will fail to boot with Secure Boot turned on.
- Manjaro: The documentation says that you must turn Secure Boot off but that uEFI is supported without pretending to be a Legacy BIOS.
- Solus: The documentation says that you must turn Secure Boot off but that uEFI is supported without pretending to be a Legacy BIOS.
- Arch: The documentation says uEFI is supported. The documentation says you can set up Secure Boot support but looking at the documentation makes my brain hurt. It's Arch. (Manjaro is sort of an easy to use Arch, I've heard, but I haven't used either.)