Linux: how to get started

That depends on the goal. Many users may be curious and want to see if they like or can adapt to the Linux world, but are not interested in becoming Linux admins (or learning the install) to put their first toe in. Not all PC users like to experiment with this and that. Fear of the unknown is powerful. If they like what they encounter in WSL they are probably going to make the plunge.

3 Likes

Most motherboards no longer use BIOS; it has been replaced by UEFI. That ‘stupid stuff’ is intended to provide a secure boot environment - something that is increasingly important regardless of your operating system. While Secure Boot has plenty of problems of its own, the principle is right and the implementation will improve over time.

Except that providing a back door for one means providing a back door for all - or developing a ‘China solution’. The latter is far too costly for the market size.


I have used Windows since 3.1 - and various flavours of DOS prior to that. I have also used OS/2 - briefly. Never had a virus in any OS, only started using AV about ten years ago and have since replaced that with what Windows 10 provides. This includes the functionality to protect individual directories from access by programs, meaning things like ransomware will not work (of course I also have backups that are not accessible to ransomware).

I have looked at Linux a few times and found absolutely no reason to move. Windows provides the same functionality, it has been effectively free for many years, it has more hardware and software compatibility (okay, I have a few games in my library), and unless I or my programs do something idiotic it is secure from most attacks. Total security is a myth, and there are plenty of Linux, MacOS and other vulnerabilities out there but if you’re only a tiny percentage of the market many Bad People will ignore you for richer pastures.

In any OS, the key to security is the user.

2 Likes

You may end up having to install Linux anyway. (It wasn’t entirely clear to me whether WSL2 provides any Linux distros pre-installed out-of-the-box.)

Also I note from the FAQ:

Can I access the GPU in WSL 2? Are there plans to increase hardware support?

In initial releases of WSL 2 hardware access support will be limited, e.g: you will be unable to access the GPU, serial or USB devices. However, adding better device support is high on our backlog, as this opens many more use cases for developers that wish to interact with these devices.

I don’t know how that would work in practice but I would think that not having USB devices could be a bit painful. (Serial port I don’t think many users will care about unless they have quite niche requirements.)

You could come away with the impression that all of your USB devices won’t work with Linux.

Note that this general problem of passing through devices from the host operating system to the guest operating system exists in many virtualisation environments, and is a trade-off between flexibility, security, performance, … It is by no means a problem unique to Windows.

1 Like

Yes to both.

I was using the term BIOS generically to refer to the firmware that is embedded in the system and that executes first at power on in order to transfer control to an operating system or other software that is loaded from disk.

I understand why “secure boot” is in theory a good thing - but not if it means that manufacturers can sell computers that come with Windows and which can only run Windows i.e. cannot even in theory run some other operating system. (The effect right now is that you have to be able to turn it off - which doesn’t really help either Windows or Linux.)

From a consumer perspective there are definitely some anti-competitive issues involved but most governments are so woefully ignorant of technical matters that they would never address them.

In essence there is a fundamental conflict between “secure boot” and Linux - because the Linux philosophy is freedom, and that includes even the freedom to run an operating system other than Linux. It’s your computer. You own it. Run what you want. Adding: That includes an operating system that you have built yourself e.g. building a Linux from source, and hence which will not be signed by any private key where the public key is known to the manufacturer.

As long as the current situation continues, I can live with the current situation. There are better solutions around but this is probably getting a bit esoteric for the basic topic of just wanting to get started on Linux. 🙂

1 Like

At the moment there is, but I am not entirely sure that the problem is insuperable. You can have open encryption that does not rely upon a secret - I am just not sure whether that could be used to protect the boot process.

1 Like

I have dabbled in Linux since Red Hat 5 (which was a less than salubrious experience, installed on an ancient Toshiba Satellite Pro, with a 10” screen.)

Most recently I discovered that with the help of an application called balenaEtcher (link below) I was able to install Linux Mint 18. I used the XFCE window manager because it’s lightweight and my 2010 MacBook needs help at times. However, it ran flawlessly and the only reason I reverted to MacOS was that the existing photo management apps on Linux were not yet quite what I was looking for.

3 Likes

PS The point of “live boot” (the “try before you buy” Linux option) is that you don’t have to install anything. Just boot up.

Installing something is messy anyway because if you decide you don’t like it then you have to uninstall it - and that can be a real can of worms (in any environment).

Hence, for example, for anyone installing Linux alongside Windows, I would always recommend putting them on separate disks e.g. use an external disk for Linux initially.

Truedat.

4 Likes

It is not insuperable, in fact several Linux Distros support Secure Boot (it is an industry standard) as part of UEFI.

An older article on Linux and Secure Boot

https://www.linuxjournal.com/content/growing-role-uefi-secure-boot-linux-distributions

As far as I know the only CA for the signing keys is still Microsoft but the UEFI forum are certainly eagerly open to others joining in.

Someone like CAcert or Let’s Encrypt could offer the more open support of the keys.

I also add from the UEFI Forum paper on Secure Boot and UEFI that they state the following are misconceptions about the UEFI Secure Boot:

"Several misperceptions about UEFI Secure Boot, its intended uses, requirements and application exist within the technology and end-user community. A few of the most common are outlined below and in greater depth throughout this paper.

False: UEFI Secure Boot is an attempt to ‘lock’ platforms to software from specific vendors and block operating systems and software from others.

False: UEFI Secure Boot requires a TPM chip, as described by the Trusted Computing Group (TCG), and TCG controls the UEFI specification.

False: UEFI Secure Boot requires a specific implementation by computer manufacturers and operating system vendors."

4 Likes

That must go down well with the Linux distro maintainers.

2 Likes

They could ask others to become CAs for the keys but nobody in the CA businesses has moved to do so, so far. I hear the complaining about MS but I don’t see others (other CAs) stepping up to change that. Maybe so they (the CAs) have someone else copping the bashing instead of their businesses.

2 Likes

It might be a better process if a company that is already a near monopoly were not also the gatekeeper. I take your point though that if no one else wants to do it, there is no choice.

It is unclear to me how this process really works. Let’s say that I want to build my own Linux (just compiling existing code, since clearly I don’t have time to write my own operating system, but let’s say with some small but crucial changes). So I approach Microsoft to sign my binary. How is that distinguishable from a malicious party doing the same thing? OK, Microsoft may have a little bit more information about me as a result of this process but …

Since I have never tried this process - I don’t have a need - I am not saying that the process isn’t solid, only that I don’t see that it is solid - and being able to audit the solidity of the process is important.

Does anyone think that (malicious) state actors don’t have the resources to set up credible front-companies?

It is unclear whether they really achieve anything.

As the article notes, Linux has provided a shim to Microsoft to get it signed. So the secure boot path may only go as far as the shim - unless the code in the shim has its own means of validating the next loader. The next loader would typically be GRUB. GRUB in turn would need to have its own means of validating the next step (loading the actual Linux kernel).

I don’t know how far the secure boot path goes.

With Microsoft’s history, anyone would be forgiven for thinking otherwise though.

The flexibility in the UEFI spec allows the writers of the spec to wash their hands of the issue - when they give manufacturers the flexibility to provide no means of disabling secure boot.

Since we are digressing somewhat, it is also unclear that there is any online signature revocation mechanism. So if Microsoft were compromised or Microsoft were tricked into signing a malicious binary then that binary might remain valid for some years.

By contrast, if the same thing happened with an SSL certificate and it were discovered subsequently then the CA would revoke the certificate and a web browser would discover that via OCSP (Online Certificate Status Protocol) or another functionally equivalent mechanism, and the damage would be quickly contained.

You mean like the Hong Kong Post Office CA?

This applies to SSL/TLS certificates. Google has its own way of checking them (storing a list of untrusted certificates in the browser), while the industry standard (OCSP) is fail-open by default (what were they thinking!). Certificate pinning is some years away.

4 Likes

After finding this page

I apologise for bringing up WSL in ‘anything how to get started’.

4 Likes

If you use WSL(2) then you are probably always “behind” in version as well. That page you link offers Ubuntu 16.04 and Ubuntu 18.04 whereas the current version is Ubuntu 20.04 (with 18.10, 19.04 and 19.10 between them). (The same problem can occur when you run Linux inside a container on a Linux system.)

I get that Microsoft may only want to “support” the LTS (Long Term Support) versions of Ubuntu but even so, there is a lot to be said for keeping current with your software, no matter what operating system you run.

2 Likes

How to install Tails for Linux:

6 Likes

Hmmm, yeah, OK … hands up all those who actually use Tails on a daily basis? Not me.

It has its place but, as Choice’s article notes, it has its inconveniences.

The article doesn’t seem to explain how to install Tails if you are already using Linux, but rather seems to assume that you run Windows or MacOS.

A further comment: the article talks about using the BIOS/UEFI menu to change the boot order. That is fine if you intend to use Tails most of the time or a fair bit of the time. However just for trying it out once, you are better off using the boot disk menu (for those computers that support it). That will give you a menu of the then available boot disks but makes no permanent change to the boot order.

Apart from not having to change the boot order back if you don’t like Tails, it is also better for the truly paranoid because the mere act of making a permanent change to the boot order marks you as a subversive to be targeted by the government. 🙂

5 Likes

Another useful one is Whonix, though it is installed on your system (macOS, Linux, Windows, KVM or Qubes); installing it on Qubes OS (another Snowden recommendation) increases the security further. Whonix creates 2 Virtual Machines: one is simply a Tor Network Gateway, the other, called Workstation, has all its traffic directed through the Tor Network Gateway machine. Workstation is the VM that users interact with.

I also think Tails will not work if the UEFI is Secure Boot enabled, as I think it does not have secure boot licensing, so it may require changing the Secure Boot setting.

3 Likes

Hasn’t Microsoft provided certificates for all major Linux implementations? I would have assumed this included Tails, but the information I was able to find does not list it.

As stated in that article:

Some Linux distributions are philosophically opposed to applying to be signed by Microsoft.

For good reason. While at the moment Microsoft is playing nice, it has the ability to stop doing so at any time and completely ruin any Linux distro user’s day.

3 Likes

There can be other certificate key providers but none so far have stepped up. MS provides them for free at the moment and as you say could easily just say no.

1 Like

LTS are security updated quite often; that was the idea behind LTS, so businesses and users didn’t have to keep updating the whole OS system every new iteration. LTS provides a stable platform so it can be adopted after testing and having the sure knowledge support will be there if needed.

2 Likes