secureboot
Latest
Roku player software cracked open temporarily, root now to run XBMC later
Roku's line of set-top boxes have been popular thanks to their simple controls, large set of available apps (recently expanded to include YouTube for the new Roku 3) and hardware ranging in price from inexpensive to downright cheap. Still, despite an active and encouraged developer community with custom channels and well-supported media player apps like Plex, the hardware has remained largely on lockdown -- until now. The GTVHacker team that previously unlocked Google TV and Chromecast has found a way to run its commands as root on any Roku 2 or Roku 3 using the most recent software version (unfortunately, that does not at this time include Sky TV's cheap Now TV player, which runs on older software). While the player overall is credited as "considerably more secure than others in the entertainment field" (Samsung comes to mind but it's from from the only one) a development password field provided a way in. Currently they've only achieved persistence on the Roku 2, which in this case means they can maintain control even after the box reboots by breaking the secure boot process and modifying the initial boot loader. Since Roku 2 runs on the same Broadcom chip used by the popular Raspberry Pi, team member CJ Heres expects to see ports for third-party home theater PC software like XBMC very quickly. The Roku 3 will be a bit trickier since it runs on different hardware, and right now it needs to have the command entered each time the box starts. Those well-versed in using the command line should find the process simple. A WGET command entered via the development password field pulls down a script -- available from the GTVHacker team -- that makes sure you have the right box and does all the dirty work before rebooting, leaving you with a rooted box, as seen above. Hardware level access on mobile platforms has lead to a number of custom software projects and we'll have to see if the same path is followed here, but if all this does is create a simple $40 XBMC box, it's probably still worth looking into -- and quickly, the team expects this security hole will be patched soon.
Linux Foundation finally gets Microsoft signature on secure UEFI bootloader
Whatever hoops the Linux Foundation had to waddle through to get an MS-signed bootloader for use on Windows 8 hardware, it appears to have worked. Whereas Ubuntu and Fedora already had UEFI Secure Boot support, and there was the Shim bootloader and other fixes for smaller distros, this official solution promises to be more user friendly and universal, albeit with a few caveats that are described by MJG59 at the link below. Once you're sure you want it, head over to the source with a USB key and do the honors.
Linux Foundation vet explains setbacks in getting a Secure Boot key for Windows 8 PCs
Linux fans wondering why they still don't have a friendly UEFI Secure Boot option for Windows 8 PCs won't get a solution in hand this week, but they'll at least get an explanation. The Linux Foundation's primary backer for the alternative OS efforts, Parallels' server CTO James Bottomley, has revealed that Microsoft's requirements for signed, Secure Boot-ready code are tough if developers aren't entirely onboard its train of thought. The Redmond crew demands a paper contract signature (remember those?), agreements on work beyond the relevant software and a packaging process that complicates attempts to use open-source tools. Bottomley has already overcome most of these challenges, although he's still waiting for a Linux Foundation-specific key that should theoretically clear a major hurdle. Whether or not that leads to a remedy in days or weeks is up to Microsoft; in the meantime, we'll take comfort in knowing that a signature is so far a convenience for booting into Linux, rather than a necessity.
Linux Foundation proposes convoluted solution for UEFI Secure Boot
With Windows 8 Microsoft is pushing manufacturers away from a traditional BIOS to UEFI with Secure Boot. But that poses problems for alternative OSes like Linux, because UEFI requires any software have a signed certificate. The Linux Foundation has been looking for a solution and thinks that it may have one. The proposed work around is a little convoluted and surprisingly involves obtaining a Microsoft signature for a new barebones bootloader. This wouldn't actually boot Linux or any other OS actually. Instead, it would then start a second bootloader, the one associated with your OS of choice. It's a little messy, but it should mean that the signed bootloader will be a catch-all solution for any operating system. Of course, it could take a while for the Foundation to actually obtain a signature from Microsoft. So "Designed for Windows 8" systems might not be able to run Linux right away, but rest assured a solution is on the way.
