[coreboot] Feedback On Coreboot: the Solution to the Secure Boot Fiasco

Andrew Goodbody ajg4tadpole at gmail.com
Sat Jan 5 00:23:04 CET 2013


On 02/01/13 19:28, David Hubbard wrote:
> Andrew, Ron, what's your take on http://mjg59.dreamwidth.org/20916.html ?
>
> Specifically:
> "This is part of Windows 8's fast boot support - the keyboard may not be
> initialised until after the OS has started."

OK, the feature is deferred initialisation of USB devices until they are 
actually needed.
Windows 8 is making use of this but it is introduced as part of the UEFI 
spec 2.3.1c.
It is optional whether to implement it or not; the OEM gets to decide.
This is in the UEFI spec and can be used by other OSes than Windows, e.g. 
Grub could use it to speed up loading of Linux.

> 4. User is thus *forced* to use Win8's "hold down shift and restart"
> feature -- adding another barrier before a user can boot her own OS.
>
> I think the biggest problem here is that the entire BIOS is made
> inaccessible, and only if Windows gives permission can you change that.

Well yes and no.
1) PS/2 keyboards are not affected, they are still initialised and 
available as normal. Many laptop keyboards are implemented as PS/2 devices.
2) There are a number of ways that you can get USB enumerated and 
keyboards initialised.
  a) If HDD is not primary boot target
  b) If primary boot target fails
  c) If bootloader invokes EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL.ReadKeyStrokeEx()

So yes, on a motherboard that implements it, with no PS/2 keyboard, with 
the HDD as primary boot target and with Win8 installed then you may have 
to use the Win8 menu to restart into the UEFI settings screens. And yes 
this can be a small barrier to booting using an alternative method for 
any reason, not just installing an alternative OS. But quite frankly I 
have seen some bizarre setup screens on legacy BIOS that made choosing 
to boot from a USB device an exercise in frustration. So this extra step 
in the road to booting an alternate OS is not that big a deal. It can at 
least be documented and is not a hard thing to do at all. Even without 
this there are some machines that boot so fast it is not easy to press 
the key to get to the setup screens at the right time; this may actually 
give a more reliable way to get to the setup screens on those machines.

> Regards,
> David

BTW 1) when you use BIOS above, you actually mean Setup. Setup is an 
application launched by the BIOS to view or change system settings. The 
BIOS is not accessible nor inaccessible, it is running as soon as the 
CPU begins to execute code and will complete its tasks as normal 
according to those system settings.
BTW 2) it's UEFI firmware, not BIOS. Just as coreboot is not BIOS.

Best wishes,
Andrew


