
Thread: Linux Group Files Complaint With EU Over SecureBoot

  1. #101
    Join Date
    Jun 2009
    Posts
    582

    Hey Matthew, one question with this:

    Quote Originally Posted by mjg59 View Post
    2) Install an additional signing key alongside the Microsoft key. Use an OS signed with that key
    Does this mean we can generate our own custom key for enrollment into the UEFI key system without paying Verisign that $99? If so, how can it be done? And how can I sign a distro (say, Fedora?) with my own key, if possible?

  2. #102
    Join Date
    Jun 2009
    Posts
    582

    Quote Originally Posted by duby229 View Post
    It's not certified without it. There are certain features that become disabled that even Windows XP had. Driver signing which saved my ass a few times among others.
    Again, that 'Certified with Windows 8' sticker is just a label to tell users that machine which ships with Windows 8 preloaded has SB turned on by default. There are no features that get disabled (that I know of anyway) when running Windows 8 without Secure Boot. A non-certified machine running Windows 8 works exactly how a certified machine does sans the SB checks. If you want an anecdotal piece of evidence, the machine I am typing this on is a 5 yr old desktop that is dual booting Windows 8 and Fedora 17.

    Same logic with Fedora 18: install F18 with SB enabled and you cannot compile custom kernels or install unsigned kernel modules (that includes AMD's and Nvidia's binary drivers). Disable SB and full control is returned to the user.
    Last edited by Sonadow; 03-27-2013 at 03:00 PM.

  3. #103
    Join Date
    Apr 2011
    Posts
    114

    Quote Originally Posted by Sonadow View Post
    Hey Matthew, one question with this:
    Does this mean we can generate our own custom key for enrollment into the UEFI key system without paying Verisign that $99? If so, how can it be done? And how can I sign a distro (say, Fedora?) with my own key, if possible?
    Yes, it absolutely means that. You just need an RSA key, which you can generate with OpenSSL, and then you can sign things with either sbsigntool or pesign. There's instructions on James Bottomley's blog.

  4. #104
    Join Date
    Apr 2011
    Posts
    114

    Quote Originally Posted by duby229 View Post
    It's not certified without it. There are certain features that become disabled that even Windows XP had. Driver signing which saved my ass a few times among others.
    The only difference between driver signing with Secure Boot disabled is that it's possible to disable it through test mode - it's still enabled by default. Do you have a list of any features that are disabled?

  5. #105
    Join Date
    Jun 2009
    Posts
    582

    Quote Originally Posted by mjg59 View Post
    Yes, it absolutely means that. You just need an RSA key, which you can generate with OpenSSL, and then you can sign things with either sbsigntool or pesign. There's instructions on James Bottomley's blog.
    Which part of Bottomley's blog has the instructions? I'm looking at http://blog.hansenpartnership.com/ef...ties-released/ and http://blog.hansenpartnership.com/ow...uefi-platform/ but there's no mention of sbsigntool or pesign, only efitools. And efitools reportedly work only on Debian, Ubuntu, Fedora and OpenSUSE but I would also like to sign my own copy of Mageia too.

  6. #106
    Join Date
    Nov 2007
    Posts
    1,353

    I can tell you for absolutely certain that on my board driver signing does not work at all with Secureboot disabled. It works fine on Win7 tho.

  7. #107
    Join Date
    Apr 2011
    Posts
    114

    Quote Originally Posted by Sonadow View Post
    Which part of Bottomley's blog has the instructions? I'm looking at http://blog.hansenpartnership.com/ef...ties-released/ and http://blog.hansenpartnership.com/ow...uefi-platform/ but there's no mention of sbsigntool or pesign, only efitools. And efitools reportedly work only on Debian, Ubuntu, Fedora and OpenSUSE but I would also like to sign my own copy of Mageia too.
    http://blog.hansenpartnership.com/ow...uefi-platform/ tells you how to generate and enrol the keys. After that, just use sbsigntool to sign grub and, if you want, your kernel.
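
An added example, not part of the post above or of the blog it links to: the "generate an RSA key with OpenSSL, then sign with sbsigntool" steps as a script. The file names db.key, db.crt and db.cer, the key directory and the certificate name are assumptions; enrolling the certificate in firmware is left to the linked blog post.

```shell
#!/bin/sh
# Added example: personal Secure Boot signing key plus signing of an EFI binary.
set -eu

# Create a 2048-bit RSA key and a self-signed certificate in directory $1.
# $2 is the certificate common name (any label you choose).
make_signing_key() {
    mkdir -p "$1"
    ( umask 077   # the private key must not be readable by other users
      openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
          -subj "/CN=$2/" -keyout "$1/db.key" -out "$1/db.crt" 2>/dev/null )
    # Firmware setup screens commonly expect the certificate in DER form.
    openssl x509 -in "$1/db.crt" -outform DER -out "$1/db.cer"
}

# Succeeds only if db.key and db.crt in directory $1 carry the same public key,
# which catches signing with a key that does not match the enrolled certificate.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1/db.key" -pubout)
    from_crt=$(openssl x509 -in "$1/db.crt" -noout -pubkey)
    [ "$from_key" = "$from_crt" ]
}

# Sign EFI binary $2 into $3 with the key pair in $1, then verify the result
# against the same certificate. Requires sbsigntool (sbsign and sbverify).
sign_efi_binary() {
    command -v sbsign >/dev/null 2>&1 || { echo "sbsigntool not installed" >&2; return 2; }
    key_matches_cert "$1" || { echo "key and certificate do not match" >&2; return 3; }
    sbsign --key "$1/db.key" --cert "$1/db.crt" --output "$3" "$2"
    sbverify --cert "$1/db.crt" "$3"
}

# Stand-alone use: ./sign.sh <keydir> <input.efi> <output.efi>
if [ "$#" -eq 3 ]; then
    [ -f "$1/db.key" ] || make_signing_key "$1" "My Secure Boot signing key"
    sign_efi_binary "$1" "$2" "$3"
fi
```

The signed binary boots under Secure Boot only after db.cer (or its signature-list form) has been enrolled in the firmware; keep db.key offline once signing is done.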

  8. #108
    Join Date
    Apr 2011
    Posts
    114

    Quote Originally Posted by duby229 View Post
    I can tell you for absolutely certain that on my board driver signing does not work at all with Secureboot disabled. It works fine on Win7 tho.
    What do you mean by "Does not work"? What precise steps are you carrying out, what are the results and what did you expect instead?

  9. #109
    Join Date
    Nov 2012
    Location
    Camarillo, CA
    Posts
    77

    What if UEFI and Secure Boot were here 15 years ago? Would we be where we are today in the Linux world?
    I see both sides of the argument here, but I've yet to have to deal with it, thankfully. Honestly, it sounds like something a normal user will not know how to do. I think there is some credibility to the argument that this is conveniently being done now, at a time when there is a major push towards Linux supported by both Valve and Ubuntu and there is a lot of distaste over Windows 8.
    It seems like what we are arguing about is this:
    side a: Secure Boot for the average user, as it is being implemented right now, is Restricted Boot, plus MS keys and stupid OEMs
    side b: No, it is Secure Boot; see, I can work with it, and a few distros have dealt with it

    So my bottom line is: would we be here today, with Linux on so many personal computers, if we had this stuff 15 years ago? Seems like a hurdle purposely placed there to hinder trying out Linux easily. Now you will have to be content with going to YouTube and watching the videos of this Linux system your friend at work said you should try out.

  10. #110
    Join Date
    Mar 2012
    Posts
    184

    Quote Originally Posted by sofar View Post
    1) enter BIOS setup
    2) disable secure boot

    then, either:

    3) disable UEFI boot / enable legacy boot
    4) boot a normal MBR-style Linux installation image

    or:

    4) boot an EFI-enabled Linux installation image

    I do this for work on a weekly basis, professionally.
    How's that preferable to just booting an EFI-enabled Linux installation image? Are you a masochist?

    My issues with Secureboot
    - it adds unneeded complexity (yes, I want to boot my Linux DVD without going to BIOS and changing stuff)
    - BFUs will be prevented from booting alternative OSes
    - functionality is already there for those who need it. TPM, anyone?
    - another issue to worry about when buying a new motherboard (has anyone tried to find motherboards with IOMMU? Yes, it's a PITA)
