The UEFI SecureBoot Saga For Linux Continues


  • #46
    "No matter how much lipstick you put on it, this is a defeat for the open source world and for computing in general. Red Hat's efforts to mitigate the problem are laudable, but the truth is that starting from today, your computer is designed not to trust you, doesn't actually belong to you, and you are only "conceded" the grant to write software that doesn't interfere with the interests of the "external owners" of the hardware you paid for. And this is true only as long as "secure boot" isn't made a fixed feature (which is clearly the next step - they've already done it on ARM!). After that we'll only be consumers. First they came for the smartphones, then they came for the tablets...

    Saying that this is done for the user's security is like believing that curfews and censorship are in the interest of the security of well-behaving citizens (ask Franklin about that). So flags down, this is a sad day for the PC architecture. Microsoft won in the end. "

    this is pure BS. the problem is the architectural design of the kernel and the bootloader that is making it hard to sign and track it, not MS's evil plans. Linux evangelists have been wallowing in self-pity for twenty years. No-one is "after", mmk. The reason your monolithic piece of crap hasn't taken the world by a storm is because no one is buying what you are selling, sister.



    • #47
      Originally posted by Kano View Post
      I still don't get your point, ms definitely stated that on x86 platform the uefi setup MUST provide an option to disable secure boot. Only on ARM there may NOT be an option to disable it. That makes it non trivial if you don't want to desolder the eeprom of course, but maybe you find a spi interface to use. UEFI is not graved into stone, if you want to modify it, you find a way.
      Unless they've changed things recently, that's not true.

      On x86 platform mobo manufacturers were supposed to provide the option, but it was optional whether they wanted to include it or not, and some of them were already saying they might not.

      Personally, I expect it will be a lot like the overclocking options MBs come with. Most of the ones you can buy off the shelf will probably have the option. But will that OEM machine you bought from Dell or HP? I wouldn't count on it.



      • #48
        Originally posted by peppepz View Post
        No matter how much lipstick you put on it, this is a defeat for the open source world and for computing in general.
        Agreed. This sucks. My respect for Red Hat goes down a notch. Don't give 'em an inch, don't play their game.



        • #49
          Originally posted by garegin View Post
          this is pure BS. the problem is the architectural design of the kernel and the bootloader that is making it hard to sign and track it, not MS's evil plans. Linux evangelists have been wallowing in self-pity for twenty years. No-one is "after", mmk. The reason your monolithic piece of crap hasn't taken the world by a storm is because no one is buying what you are selling, sister.
          In the unlikely case that you're really convinced of what you're saying, no, the problem is not architectural but political. To make it simple:

          1) Code signing with no access to the "key" is against the interest of the developer, and therefore of the user.
          2) Microsoft has the "key".
          3) Everyone else hasn't, and adding other keys is a pain in the a**, and has been done deliberately so by Microsoft.

          And the only reasons for this royal pain are:

          1) Windows piracy. Windows is currently cracked by pre-boot tricks and Microsoft understandably want to stop that. Of course, doing so by locking de facto all PCs to their own product is not an acceptable solution for anybody, but them.
          2) Microsoft store. Microsoft want to sell applications and DRM-protected media through their one and only application store, and in order to do this, they need to assure Hollywood that they're in control of your own machine, not you (hence "integrity measurement").



          • #50
            The ms way to "fix" piracy is much simpler, they require activation even for oem systems. currently every oem has got one token in the bios, a cert and one product key (the key is not bound against the cert). so to pirate win the bios token (slic) is emulated or the bios is patched to have got one. btw. that leads to the funny fact that even when you have got the starter edition you just need to exchange the oem key to get the ultimate one. the most simple approach to fix this issue is to require unique product keys for each system and reject keys which are activated too often. that's of course much more expensive for the oems as they need to preload the right key onto each system. that has got nothing to do with secure boot in the first place. even when ms would require uefi for oem activation and would not change the rest it would be cracked the day of release. maybe they could require secure boot for the first activation process, would be at least one option to make it harder, but time will tell. i doubt that ppl will buy more retail/update licences - just early adopters who did the same for w7.
            Last edited by Kano; 06-02-2012, 03:44 AM.



            • #51
              i doubt piracy is such a problem. every computer comes with windows preinstalled. other than that, hackers will always find a way to crack it.



              • #52
                Well maybe not every system, the home build ones definitely not. But maybe ask ms if they want that you run another system or that you pirate their os when you refuse to pay. Currently you can get the preview for free and run it 1 y as well.



                • #53
                  Disclaimer: had a few drinks so forgive me if I ramble..

                  Originally posted by slojam View Post
                  Agreed. This sucks. My respect for Red Hat goes down a notch. Don't give 'em an inch, don't play their game.
                  I don't see how Red Hat had a choice. So far on what I've read about this MS have somehow managed to introduce/support this and hold all hardware manufacturers that want to produce hardware for Windows to ransom. Previously I'd heard SecureBoot didn't need to be enabled by default on x86 (only ARM) to be compliant for the 'Windows Certified' Sticker. Lately I've heard conflicting stories about that so I'm getting seriously concerned now, if the confusion has started already then "free" computing is in serious trouble.

                  Originally posted by garegin View Post
                  this is pure BS. the problem is the architectural design of the kernel and the bootloader that is making it hard to sign and track it, not MS's evil plans. Linux evangelists have been wallowing in self-pity for twenty years...
                  waffle waffle, blah blah. Stopped reading about this point. Clearly you are a troll and I really wonder why this type of person even STUMBLES across Phoronix let alone registers and posts in a thread about something! If your post made even a shred of sense I might have even drank the Kool-Aid and responded but oh well.

                  Originally posted by peppepz View Post
                  I think that making the OSes of all players in the OS market a pain in the a.. to use, except for the one of the dominant player, is definitely anti-competitive
                  IANAL, but I agree completely and I don't understand why there hasn't been talk of a lawsuit already (though once again IANAL which probably explains that). This seems like a grab for power for Microsoft to introduce a trusted computing paradigm for the standard PC and tablet market.
                  This is the worst type of anti-competitive practice I've seen yet from any company or at least the one with the most potential to cause damage, I just hope the confusion I'd heard recently about SecureBoot and x86 was wrong otherwise we're all in for a world of pain - and forget the marketshare of Linux increasing.... ever again probably.

                  Actually while I'm at it, can someone explain to me how it came to be that Microsoft is one of the companies that came to be one that gets paid for signing the SecureBoot keys? Anyone got some nice links/history to read about this?

                  (</end ramble>)



                  • #54
                    http://www.coreboot.org/Welcome_to_coreboot

                    If you cannot see that secureboot is heading to some heavy Digital Restrictions Management... The solution is to stop accepting a proprietary bios and invest more money into the coreboot project or something similar so it supports more recent boards. Then stay away from this EFI junk. If you give in now in 5 years time any software you get will have to first be agreed and signed by Microsoft, literally software will only be able to be installed from the microsoft store. Even if I was a Windows user I would not want this anywhere near my platform. Originally we had TPM and that was agreed that it would NEVER EVER ship enabled, and the customer would be responsible for taking ownership and enabling.

                    It's time to take back control from the hardware manufacturers, you should boycott anything with EFI or secure boot. The best solution for Red Hat is to start selling Red Hat certified hardware and forget about installing on secure boot platforms - how many manufacturers claim that installing linux voids your warranty anyway. Spend the time complaining to whatever trade regulator there is about anti-competitive behaviour. We NEED to go back to the 90's and fight this war over again, and this time microsoft needs to die and stay dead.



                    • #55
                      Like it or not, Secure Boot is a reality, and there is nothing anyone can do to prevent it from making its way into desktops and notebooks.

                      Do Red Hat's actions make it look as though they have sold out? Maybe. So? Who cares? At least they are taking steps to ensure that Linux remains installable on commodity desktops and notebooks, and that they will be providing all the tools needed to ensure that one can sign their stuff and whitelist out-of-tree / custom / proprietary drivers. I quite like the idea of using a signed shimloader to chainload GRUB2 as a starting point.

                      Also, as stated before, Microsoft has committed themselves to Secure Boot, and you can bet subsequent versions of Windows (eg: Windows 9 and later) may even outright mandate Secure Boot as an installation requirement, with OEMs and motherboard vendors being barred from providing a 'Disable Secure Boot' option in the UEFI menu. This means that Linux distributions will eventually have to work with Secure Boot whether we like it or not, and delaying the inevitable is NOT the way to go about it. Better to have all the pains and headaches right now in flushing out how Linux can be made to play nice with Secure Boot so that a more elegant implementation can be achieved in subsequent years.

                      I, for one, would rather have Linux running well on Secure Boot and distributions providing tools to facilitate self-signing so that we can continue doing what we want on our computers, such as installing new / custom kernels or out-of-tree / proprietary drivers.

                      EDIT: Ideally, the establishment of a central signing authority for Linux would be the better solution in the long term. That, combined with the releasing of software tools to allow every single Tom, Dick or Harry to sign their own software, kernel, kernel modules, out-of-tree drivers, proprietary drivers etc etc would essentially make Secure Boot a non-issue. After all, Linux users tend to know what they are doing and will only run unsigned code if they are certain about its origins and source. Making it easy for these users to sign such third-party code on their own for use in their operating system should be a priority.
                      Last edited by Sonadow; 06-03-2012, 04:19 AM.



                      • #56
                        Just so you know America (USA) is not the center of the world, there is no way we can let American (USA) companies (Microsoft and Verisign) control our hardware, regardless of what OS we are using. Red Hat are an American company and thus are in the pockets of Microsoft and the American government. They cannot be trusted.

                        Having a global Linux signing key is also unacceptable, what about custom built kernels? Or BSD and other non Linux. The fact is this is all money going to Verisign, a commercial non open source American company. This is a huge security risk. The point is I should receive my computer, it starts up, and asks me to create a password, I select one and then keys are generated in a secure tamper resistant storage. These keys are then used to sign operating systems I trust by my own verification, and entering the password again. There is nothing stopping Microsoft putting rootkits, or even vendors putting in root kits into their own version of Windows, and then signing this as if it was secure when it clearly is not. The same would go for Fedora, they are an American company I do not trust them after this, I do not trust them to have a key for software on my computer without my input.

                        Just because Microsoft decide OEMs have to do something does not mean we should all bow down and do it.

                        The point about consumers is if you refuse to buy something because of some reason, then it gets fixed. Therefore what we can do about SecureBoot is boycott. I for one am removing all my contacts, phone, email, social, from any one who will be using a Secure Boot system as it currently stands. I will not be buying any new hardware. If you do not boycott EFI and Secure Boot then you clearly are just another Microsoft/American puppet using Linux and free software to be cool, and not because you really believe anything.

                        Originally posted by Sonadow View Post
                        Like it or not, Secure Boot is a reality, and there is nothing anyone can do to prevent it from making its way into desktops and notebooks.

                        Do Red Hat's actions make it look as though they have sold out? Maybe. So? Who cares? At least they are taking steps to ensure that Linux remains installable on commodity desktops and notebooks, and that they will be providing all the tools needed to ensure that one can sign their stuff and whitelist out-of-tree / custom / proprietary drivers. I quite like the idea of using a signed shimloader to chainload GRUB2 as a starting point.

                        Also, as stated before, Microsoft has committed themselves to Secure Boot, and you can bet subsequent versions of Windows (eg: Windows 9 and later) may even outright mandate Secure Boot as an installation requirement, with OEMs and motherboard vendors being barred from providing a 'Disable Secure Boot' option in the UEFI menu. This means that Linux distributions will eventually have to work with Secure Boot whether we like it or not, and delaying the inevitable is NOT the way to go about it. Better to have all the pains and headaches right now in flushing out how Linux can be made to play nice with Secure Boot so that a more elegant implementation can be achieved in subsequent years.

                        I, for one, would rather have Linux running well on Secure Boot and distributions providing tools to facilitate self-signing so that we can continue doing what we want on our computers, such as installing new / custom kernels or out-of-tree / proprietary drivers.

                        EDIT: Ideally, the establishment of a central signing authority for Linux would be the better solution in the long term. That, combined with the releasing of software tools to allow every single Tom, Dick or Harry to sign their own software, kernel, kernel modules, out-of-tree drivers, proprietary drivers etc etc would essentially make Secure Boot a non-issue. After all, Linux users tend to know what they are doing and will only run unsigned code if they are certain about its origins and source. Making it easy for these users to sign such third-party code on their own for use in their operating system should be a priority.



                        • #57
                          Coreboot

                          My next system will either have Coreboot or a regular bios. Under no circumstance will it have UEFI because I simply disagree with what it stands for. It is NOT secure!



                          • #58
                            Is the current method of doing things really *that* bad that it requires this SecureBoot functionality to save us?



                            • #59
                              Originally posted by johnc View Post
                              Is the current method of doing things really *that* bad that it requires this SecureBoot functionality to save us?
                              No. It's all about Microsoft wanting control of our machines. The UEFI spec itself has bugs which could compromise the security of SecureBoot. Anybody who really wanted to infect the computer still could be able to do it. On the other side Coreboot is BIOS which _only_ initialises hardware, so the security lies in the operating system. We all know, how secure the systems are, don't we? I hope for a major breach of SecureBoot to happen soon, so that it won't become the standard.



                              • #60
                                Check this PDF link....

                                https://www.blackhat.com/presentatio...07-heasman.pdf

                                Secure my ass.
