Looks like the Linux Secure Boot issue has been solved!

Where Penguins and Daemons chill together in the warmth of the Sun.

Moderators: SecretSquirrel, notfred

Looks like the Linux Secure Boot issue has been solved!

Postposted on Sat Dec 01, 2012 9:32 pm

http://mjg59.dreamwidth.org/20303.html
http://mjg59.dreamwidth.org/17542.html

This is actually a bit better than I expected. It uses a Microsoft-signed bootloader shim, which can in turn have arbitrary additional keys manually installed by the user to permit the booting of OSes that haven't been blessed by Microsoft. Once the appropriate key is installed in the shim, there's no need for an "Are you sure you really want to boot this untrusted OS?" prompt on each boot (which is how I originally thought this was going to work).

So the only downsides I see are:

1. One extra hoop to jump through during OS installation (need to install the appropriate key into the bootloader shim).

2. Distros like Debian that have religious objections to distributing anything the user can't rebuild from source are going to have to have to either do without, or make an exception for the Microsoft-signed bootloader shim.

#1 is potentially confusing/problematic for Linux newbies, but newbies will tend to use one of the major desktop distros like Ubuntu anyway, and AFAIK these distros will all provide MS-signed Secure Boot bootloaders (so no need to install an additional key).

#2 is likely not a big deal either. I expect the majority of Debian users are tech savvy enough to know how to disable Secure Boot in their BIOS settings.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37834
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sat Dec 01, 2012 9:50 pm

Looks like the dev lost his job over this, so he's got no reason not to provide a full solution.
Life is hard; but it's harder if you're stupid. Big Al.
Captain Ned
Global Moderator
Gold subscriber
 
 
Posts: 20424
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sat Dec 01, 2012 9:55 pm

There has never been an issue that needed to be solved.

UEFI already had the ability for a user to disable the feature or install their own certificates.

Linux vendors had already started building solutions.

http://arstechnica.com/information-tech ... cure-boot/
http://arstechnica.com/information-tech ... entations/
http://arstechnica.com/information-tech ... conundrum/

The lack of understanding on this subject matter is depressing.

Edit: His solution has chain of trust issues.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3558
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sat Dec 01, 2012 9:57 pm

It is certainly great to read of a viable solution/workaround. Does this mitigate any of the security benefits?
FDISK /MBR
Dirge
Gerbil Jedi
 
Posts: 1553
Joined: Thu Feb 19, 2004 3:08 am
Location: New Zealand

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sat Dec 01, 2012 10:04 pm

Dirge wrote:It is certainly great to read of a viable solution/workaround. Does this mitigate any of the security benefits?


Yes, it has a security weakness. We have to trust he deleted the private key for the signed MokManager.

Barring that it can be used to provide the same underlying protections against rootkits.

Edit: The solution the Linux Foundation will eventually release will be better.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3558
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sat Dec 01, 2012 10:28 pm

Ryu Connor wrote:There has never been an issue that needed to be solved.

UEFI already had the ability for a user to disable the feature or install their own certificates.

Disabling Secure Boot defeats the entire purpose of Secure Boot, so it is not a good solution. Providing a consistent way of installing the certificate (rather than relying on the user being able to figure out how their specific motherboard does it) seems like a reasonable idea to me.


Yes, I mentioned in the OP that major distros will likely just get their bootloaders signed by Microsoft. Canonical has apparently changed course and decided to get their bootloader signed. The page I linked explicitly states that this solution is intended for distros that don't want to deal with MS's bootloader signing process.


Their solution requires the user to confirm that they want to boot the untrusted OS each time the system starts up. Not the end of the world, but definitely annoying, and also has the undesirable side effect of conditioning users to mindlessly answer "Yes" whenever asked if they want to boot an untrusted OS image.

Ryu Connor wrote:The lack of understanding on this subject matter is depressing.

Edit: His solution has chain of trust issues.

Yes, I agree that is a potential concern.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37834
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sat Dec 01, 2012 10:36 pm

Captain Ned wrote:Looks like the dev lost his job over this, so he's got no reason not to provide a full solution.

He claims in the comment thread that his departure from Redhat was not related to his work on the Secure Boot shim. Sounds like SuSE actually did most of the work on this, he's just the "point man".
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37834
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sun Dec 02, 2012 1:32 am

just brew it! wrote:Disabling Secure Boot defeats the entire purpose of Secure Boot, so it is not a good solution. Providing a consistent way of installing the certificate (rather than relying on the user being able to figure out how their specific motherboard does it) seems like a reasonable idea to me.


The average Linux audience has the necessary skillset. The more popular laymen distros were working toward a signed bootloader. Defeating the point of secure boot depends on who you speak to. I get what you're saying, but his Holyness the Stallman has deemed secure boot bad. So disabling it is the correct ideological outcome for those who follow the one true path.

http://www.fsf.org/campaigns/secure-boo ... epaper-web

JBI wrote:Their solution requires the user to confirm that they want to boot the untrusted OS each time the system starts up. Not the end of the world, but definitely annoying, and also has the undesirable side effect of conditioning users to mindlessly answer "Yes" whenever asked if they want to boot an untrusted OS image.


As I interpret it the Linux Foundation loader simply requires a human to press a key. A concept not unlike the secure attention sequence in Windows. Not quite the same situation as what you portray, no bad habits are taught.

Even if the situation fits your scenario, the average Linux user has the necessary skillset to understand the consequences of their actions. The more popular laymen distros were working toward a signed bootloader and won't impart bad habits.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3558
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sun Dec 02, 2012 4:43 am

One little snippet around this issue is that I've heard devs complaining that it isn't possible to get your linux boot loader signed by MS without using a copy of windows since the upload page on their website requires silverlight (and moonlight isn't enough).

:roll:

http://blog.hansenpartnership.com/adven ... i-signing/

I wonder if this is just an oversight by MS or them giving a digital middle finger salute.
Fernando!
Your mother ate my dog!
cheesyking
Minister of Gerbil Affairs
 
Posts: 2276
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sun Dec 02, 2012 8:36 am

cheesyking wrote:One little snippet around this issue is that I've heard devs complaining that it isn't possible to get your linux boot loader signed by MS without using a copy of windows since the upload page on their website requires silverlight (and moonlight isn't enough).

:roll:

http://blog.hansenpartnership.com/adven ... i-signing/

I wonder if this is just an oversight by MS or them giving a digital middle finger salute.

Never assume malicious intent where incompetence will suffice... :wink:

And anyone with a web presence will at least need to have a copy of Windows in a VM anyway, in order to make sure their web site works with IE! :lol:
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37834
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sun Dec 02, 2012 11:59 am

just brew it! wrote:He claims in the comment thread that his departure from Redhat was not related to his work on the Secure Boot shim. Sounds like SuSE actually did most of the work on this, he's just the "point man".


It's nice to see a dev give credit where it is due (even though SuSE is long dead and the credit should go to openSUSE). While Redhat does a large amount of linux development, the other big player is openSUSE which does a tonne of work with the upstream projects unlike another distro company *cough* Canonical *cough* and requires potential contributors to agree to their terms and conditions (aka sell thier Soul) before accepting anything.
Deanjo
Gerbil XP
 
Posts: 400
Joined: Tue Mar 03, 2009 11:31 am

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sun Dec 02, 2012 12:49 pm

just brew it! wrote:This is actually a bit better than I expected. It uses a Microsoft-signed bootloader shim,


This is still a bad thing. Having to have MS sign it creates a dependency that shouldn't be needed. In theory, if MS were to collapse or stop signing for what ever reason (say MS wanted to stop finally rattling their sword and pursue their claim of linux violating 235 of their patents or come into a licensing dispute with a distro and stop signing the code until legalities are taken care of) you are up the creek without a paddle.
Deanjo
Gerbil XP
 
Posts: 400
Joined: Tue Mar 03, 2009 11:31 am

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sun Dec 02, 2012 1:01 pm

Deanjo wrote:This is still a bad thing. Having to have MS sign it creates a dependency that shouldn't be needed.

No argument there. But given that Secure Boot seems to be a done deal it's a better outcome than I expected.

Ideally the signing should be handled by a neutral 3rd party non-profit...
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37834
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sun Dec 02, 2012 1:14 pm

In premise it could be. One just needs to setup the business, get the keys, and then convince every motherboard maker on the planet to integrate your certificate alongside the Microsoft certificate by default.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3558
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sun Dec 02, 2012 1:53 pm

Ryu Connor wrote:In premise it could be. One just needs to setup the business, get the keys, and then convince every motherboard maker on the planet to integrate your certificate alongside the Microsoft certificate by default.


Something like that should be handled by the IEEE or ISO instead of MS.
Deanjo
Gerbil XP
 
Posts: 400
Joined: Tue Mar 03, 2009 11:31 am

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sun Dec 02, 2012 2:52 pm

Captain Ned wrote:Looks like the dev lost his job over this, so he's got no reason not to provide a full solution.

Nope, I chose to leave Red Hat for entirely unrelated reasons.
mjg59
Gerbil In Training
 
Posts: 1
Joined: Sun Dec 02, 2012 2:49 pm

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sun Dec 02, 2012 4:12 pm

Deanjo wrote:Something like that should be handled by the IEEE or ISO instead of MS.


It's not handled by MS. You don't seem to understand the underlying aspect of this technology. The only reason that Linux vendors are turning to Microsoft for this is because Microsoft has the considerable clout to make vendors install the certificate into the UEFI firmware.

Why would a standards body want to be responsible for a chain of trust in a product they don't own? Who wants that kind of liability?

This is up to OS vendors to deal with. They can either band together and find a way to create incentive so that their certificate ends up in every UEFI firmware or they can leverage the fact the fact that MS has already done that hard work. That's their choice.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3558
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sun Dec 02, 2012 5:16 pm

It's not handled by MS. You don't seem to understand the underlying aspect of this technology. The only reason that Linux vendors are turning to Microsoft for this is because Microsoft has the considerable clout to make vendors install the certificate into the UEFI firmware.


What do you mean "It's not handled by Microsoft"? Without MS's stamp of approval, it doesn't get put in. That's MS controlling the situation 100% and that is not a good thing in the least.

Why would a standards body want to be responsible for a chain of trust in a product they don't own? Who wants that kind of liability?


I bet the FSF would gladly take control of it.

This is up to OS vendors to deal with. They can either band together and find a way to create incentive so that their certificate ends up in every UEFI firmware or they can leverage the fact the fact that MS has already done that hard work. That's their choice.

There are many other ways it could have been handled. If MS made the effort to include the other factions from the get go it could have been more along the lines of the consortium that was put together for other standards such as the Khronos Group.

MS still could have their clout in such a situation where they could have simply said "Don't make provisions for this and you don't get Win X certification".
Deanjo
Gerbil XP
 
Posts: 400
Joined: Tue Mar 03, 2009 11:31 am

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sun Dec 02, 2012 5:45 pm

Deanjo wrote:What do you mean "It's not handled by Microsoft"? Without MS's stamp of approval, it doesn't get put in. That's MS controlling the situation 100% and that is not a good thing in the least.


Microsoft does not control secure boot. Secure Boot is a function of the UEFI standard developed by the Unified EFI Forum. No OS vendor has to leverage it. Microsoft has chosen to leverage it as they see it as a beneficial security technology. The concept of secure boot is not new. Trusted Platform Modules (TPM) has done a similar thing for years for laptops and desktops leverage whole disk encryption.

Microsoft has enough clout to force all hardware vendors to implement their public certificate into the UEFI key store for secure boot. There is nothing preventing Linux, Unix, or (in premise) Apple from doing a similar thing. Microsoft use of "force" came through the logo program. The logo program has enough incentive for hardware vendors to want to participate. Without the logo program it is unlikely that secure boot would see wide implementation despite being part of the UEFI standard. It is more likely that the motherboard vendors would attempt to make the feature part of their product segmentation, something you'd have to pay extra for.

Microsoft is being nice about this honestly. They could force alternative operating systems to get their own public certificate implemented into the UEFI firmware of hardware vendors. Instead they've offered up their own private certificate for signing, curtailing the need of cutting a deal with the vendors to have a public certificate installed.

Like I said, most people do not understand secure boot.

I bet the FSF would gladly take control of it.


They have already decided to implement their own measure for secure boot. They have also apparently decided it is easier to pay MS for a signature than wrestle with hardware vendors to get their own public certificate installed.

There are many other ways it could have been handled. If MS made the effort to include the other factions from the get go it could have been more along the lines of the consortium that was put together for other standards such as the Khronos Group.

MS still could have their clout in such a situation where they could have simply said "Don't make provisions for this and you don't get Win X certification".


The Unified EFI Forum control UEFI and is responsible for the secure boot technology. They did not want to create some sort of unified public private key pair for all operating systems. They wanted each vendor to get their own public private key pair.

Microsoft has decided to let their public private key pair be used by others!
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3558
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Sun Dec 02, 2012 11:23 pm

Ryu Connor wrote:Microsoft does not control secure boot. Secure Boot is a function of the UEFI standard developed by the Unified EFI Forum. No OS vendor has to leverage it. Microsoft has chosen to leverage it as they see it as a beneficial security technology. The concept of secure boot is not new. Trusted Platform Modules (TPM) has done a similar thing for years for laptops and desktops leverage whole disk encryption.


That's like saying Intel doesn't affect Photoshop. Microsoft is a huge company that can force change on a whim. By MS forcing OEM providers to enable it by default this means that any person who tries to install Linux or anything else will be thwarted (why?). If other OS's like Linux want to have their OS supported by OEM's they have to comply. To get your own OS certificate isn't free. Now if you are anyone else but Microsoft this is a pain because the signed bootloader alone isn't enough. For Secure Boot to work all drivers from tip to tail have to be signed too and work in KMS. Userspace wrappers will no longer suffice. It might sound small to MS but it's a very big deal with a heavy lift for everyone else....all because MS forgot to take it's Midol.

Think about all of those opensource drivers that have been created in Linux that support all of the hardware from at least the mid 90's on. ALL of them will now need to be signed and support KMS settings.

Ryu Connor wrote:Microsoft has decided to let their public private key pair be used by others!


This doesn't appear to be the case.

Linux Foundation struggles with Microsoft's Secure Boot signing service
Two weeks ago at the LinuxCon Europe 2012 conference, Bottomley explained in a presentation (slides) why neither the UEFI Consortium nor the Linux Foundation, the hardware manufacturers or any of the Linux distributions have created their own certificate to sign the bootloader in the same way Microsoft does with VeriSign: Apparently, it's simply too expensive. According to Bottomley, the Foundation had negotiated with VeriSign to create a joint signature service – but that VeriSign had wanted several million dollars for such a service. The developer added that the Linux Foundation had also considered starting its own certification authority but had abandoned this plan because it would have required a huge effort and incurred high costs.
Core i7 920 @stock - 6GB OCZ Mem - Adaptec 5805 - 2 x Intel X25-M in RAID1 - 5 x Western Digital RE4 WD1003FBYX 1TB in RAID 6 - Nvidia GTX 460
kc77
Gerbil Team Leader
 
Posts: 242
Joined: Sat Jul 02, 2005 2:25 am

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Mon Dec 03, 2012 12:45 am

kc77 wrote:That's like saying Intel doesn't affect Photoshop. Microsoft is a huge company that can force change on a whim. By MS forcing OEM providers to enable it by default this means that any person who tries to install Linux or anything else will be thwarted (why?). If other OS's like Linux want to have their OS supported by OEM's they have to comply. To get your own OS certificate isn't free. Now if you are anyone else but Microsoft this is a pain because the signed bootloader alone isn't enough. For Secure Boot to work all drivers from tip to tail have to be signed too and work in KMS. Userspace wrappers will no longer suffice. It might sound small to MS but it's a very big deal with a heavy lift for everyone else....all because MS forgot to take it's Midol.

Think about all of those opensource drivers that have been created in Linux that support all of the hardware from at least the mid 90's on. ALL of them will now need to be signed and support KMS settings.


Neither the proposed Linux Foundation Boot loader or the boot loader created and distributed through this very thread requires the entire chain to be signed.

The entire chain being signed is the ideal solution, but not the required one. TPM for example also doesn't require the entire chain to be signed.

Seriously guys, don't come rolling conspiracy theories into this thread if you don't understand the tech. Some of you posting here give me the distinct impression you don't even know the basics of asymmetric encryption, but you're willing to talk about outcomes that require an understanding of said technology.


kc77 wrote:This doesn't appear to be the case.

Linux Foundation struggles with Microsoft's Secure Boot signing service
Two weeks ago at the LinuxCon Europe 2012 conference, Bottomley explained in a presentation (slides) why neither the UEFI Consortium nor the Linux Foundation, the hardware manufacturers or any of the Linux distributions have created their own certificate to sign the bootloader in the same way Microsoft does with VeriSign: Apparently, it's simply too expensive. According to Bottomley, the Foundation had negotiated with VeriSign to create a joint signature service – but that VeriSign had wanted several million dollars for such a service. The developer added that the Linux Foundation had also considered starting its own certification authority but had abandoned this plan because it would have required a huge effort and incurred high costs.


That doesn't contradict my statement, nor does that have anything to do with Microsoft.

That statement does imply that the Linux Foundation considered getting their own signed public private key pair instead of using the MS option. Yes, getting a key for what they want is going to be expensive. That's not Microsoft's fault, that's not the Universal EFI Forum's fault, and that's not secure boot's fault, that is simply the nature of asymmetric encryption.

That does succinctly illustrate for me why the Universal EFI Forum didn't want to have ownership of a master key.

Honestly it's weird that MS even gives the option. Typically you don't go applying your digital signature onto things you don't control.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3558
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Mon Dec 03, 2012 12:53 am

Seems to me it's possible that Microsoft is doing this because they're worried about push-back, or perhaps even anti-trust litigation.

Presumably they will refuse to sign a specific bootloader if they feel it makes it too easy to trick the user into loading something nefarious.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37834
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Mon Dec 03, 2012 1:08 am

Ryu Connor wrote:Neither the proposed Linux Foundation Boot loader or the boot loader created and distributed through this very thread requires the entire chain to be signed.

The entire chain being signed is the ideal solution, but not the required one. TPM for example also doesn't require the entire chain to be signed.


Seriously guys, don't come rolling conspiracy theories into this thread if you don't understand the tech. Some of you posting here give me the distinct impression you don't even know the basics of asymmetric encryption, but you're willing to talk about outcomes that require an understanding of said technology.


Apparently MIcrosoft has it wrong.

Secure boot feature signing requirements for kernel-mode drivers (Windows)
Manifestation
Kernel-mode drivers will not run if they are not properly signed by a trusted certification authority (CA). The operating system will not allow untrusted drivers to run and standard mechanisms like kernel debugging and test signing will not be permitted.


For Windows they are required. PERIOD. Unless you know more than Microsoft. For Linux there has been a debate about how to get around that requirement but also highlighting the problem of Microsoft revoking the license if the drivers are not following the same standard. Why you would think no one has talked about this very issue is odd. For some strange reason you have a very angelic viewpoint of Microsoft that's beyond any conspiracy given here by anyone else. In fact I think you're rolling in with a conspiracy all your own. Apparently, Microsoft would never do any thing anti-competitive like lock out other software vendors. How's Netscape coming along as a browser? Can't wait to see how WordPerfect is doing in the market place.

Ryu Connor wrote:That doesn't contradict my statement, nor does that have anything to do with Microsoft.


If that's what you believe then that's your opinion.

“We’re still waiting for Microsoft to give the Linux Foundation a validly signed pre-bootloader,” Bottomley concluded. “When that happens, it will get uploaded to the Linux Foundation website for all to use.”


Yup totally not about Microsoft.
Core i7 920 @stock - 6GB OCZ Mem - Adaptec 5805 - 2 x Intel X25-M in RAID1 - 5 x Western Digital RE4 WD1003FBYX 1TB in RAID 6 - Nvidia GTX 460
kc77
Gerbil Team Leader
 
Posts: 242
Joined: Sat Jul 02, 2005 2:25 am

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Mon Dec 03, 2012 2:03 am

kc77 wrote:[...]


Facepalm

Now I know you're not even reading.

I said explicitly that signed drivers is the way Windows does it and that it is the most secure way. I also said it isn't required for other operating systems.

The requirement of signed drivers in Windows isn't even a new imposition. 64bit Windows has been enforced signed drivers since at least Vista.

What Windows does is irrelevant for what Linux does. Nothing you've cited changes that reality.


kc77 wrote:If that's what you believe then that's your opinion.


Fact, not opinion. The section of the article you quoted dealt specifically with the idea of the Linux Foundation obtaining their own public private key pair to be installed into the UEFI firmware.

The price of that has nothing to do with Microsoft. Microsoft does not set the price of public CA certificates.

kc77 wrote:
Linux Foundation wrote:“We’re still waiting for Microsoft to give the Linux Foundation a validly signed pre-bootloader,” Bottomley concluded. “When that happens, it will get uploaded to the Linux Foundation website for all to use.”


Yup totally not about Microsoft.


You're changing the argument again. This has nothing to do with secure boot, how Windows signs drivers for secure boot, the cost of public CA certificates, or even how Microsoft is not the central authority or structure for secure boot.

That is the story from the blog talking about the screwed up support of Microsoft getting the bootloader signed. It will get sorted.

The opening post of this very thread you haven't read involves a bootloader having been signed by Microsoft!

Microsoft support is always problematic. My company is gold partner with them and we frequently end up stuck with Bill in Mumbai trying to sort out problems. The incompetence of their typically outsourced support team has little to do with the subject matter at hand.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3558
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Mon Dec 03, 2012 2:11 am

just brew it! wrote:Seems to me it's possible that Microsoft is doing this because they're worried about push-back, or perhaps even anti-trust litigation.

Presumably they will refuse to sign a specific bootloader if they feel it makes it too easy to trick the user into loading something nefarious.


I don't think you can be sued for anti-trust for implementing an industry standard. Neither UEFI nor secure boot is Microsoft technology.

Worried about push-back on the other hand fits.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3558
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Mon Dec 03, 2012 2:56 am

Ryu Connor wrote:The opening post of this very thread you haven't read involves a bootloader having been signed by Microsoft!

And here is where I quote the article to highlight the power of reading.....

This is more interesting. Suse's bootloader design involves the bootloader having its own key database, distinct from those provided by the UEFI specification. The bootloader will execute any second stage bootloaders signed with a key in that database. Since the bootloader is in charge of its own key enrolment, the bootloader is free to impose its own policy - including enrolling new keys off a filesystem.

or
As I discussed here, this is intended for distributions that want to support secure boot but don't want to deal with Microsoft.


Translation Microsoft isn't involved in this method. The problem is this is a workaround. A good one I might add but nonetheless a workaround. But it does get the job done for the roll your own crowd.

I chopped the rest of what I wrote off. Bickering isn't something I like to do. Debating OTOH I quite enjoy.
Core i7 920 @stock - 6GB OCZ Mem - Adaptec 5805 - 2 x Intel X25-M in RAID1 - 5 x Western Digital RE4 WD1003FBYX 1TB in RAID 6 - Nvidia GTX 460
kc77
Gerbil Team Leader
 
Posts: 242
Joined: Sat Jul 02, 2005 2:25 am

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Mon Dec 03, 2012 7:10 am

http://mjg59.dreamwidth.org/20303.html? ... #cmt783183

Microsoft is involved in this method.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3558
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Mon Dec 03, 2012 7:25 am

Ryu Connor wrote:http://mjg59.dreamwidth.org/20303.html?thread=783183#cmt783183

Microsoft is involved in this method.


Using winsign.exe isn't exactly the same thing as Microsoft willingly signing for this purpose.
Core i7 920 @stock - 6GB OCZ Mem - Adaptec 5805 - 2 x Intel X25-M in RAID1 - 5 x Western Digital RE4 WD1003FBYX 1TB in RAID 6 - Nvidia GTX 460
kc77
Gerbil Team Leader
 
Posts: 242
Joined: Sat Jul 02, 2005 2:25 am

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Mon Dec 03, 2012 7:35 am

What?

Yes, they willingly provided it. It's why he had to pay $99 + notary costs to prove his identity.

The comment you quote at the bottom is just paranoid crank.

What he did is normal. This is what you do to get a signature from a public CA. Web e-commerce is built on this concept.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3558
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: Looks like the Linux Secure Boot issue has been solved!

Postposted on Mon Dec 03, 2012 7:38 am

Ryu Connor wrote:What?

Yes, they willingly provided it. It's why he had to pay $99 + notary costs to prove his identity.

The comment you quote at the bottom is just paranoid crank.

What he did is normal. This is what you do to get a signature from a public CA. Web e-commerce is built on this concept.


Now you are being disingenuous.
Core i7 920 @stock - 6GB OCZ Mem - Adaptec 5805 - 2 x Intel X25-M in RAID1 - 5 x Western Digital RE4 WD1003FBYX 1TB in RAID 6 - Nvidia GTX 460
kc77
Gerbil Team Leader
 
Posts: 242
Joined: Sat Jul 02, 2005 2:25 am


Return to Linux, Unix, and Assorted Madness

Who is online

Users browsing this forum: No registered users and 2 guests