Linux Group Files Complaint With EU Over SecureBoot


  • Hey Matthew, one question with this:

    Originally posted by mjg59
    2) Install an additional signing key alongside the Microsoft key. Use an OS signed with that key
    Does this mean we can generate our own custom key for enrollment into the UEFI key system without paying Verisign that $99? If so, how can it be done? And how can I sign a distro (say, Fedora?) with my own key, if possible?

    Comment


    • Originally posted by duby229
      It's not certified without it. There are certain features that become disabled that even Windows XP had. Driver signing which saved my ass a few times among others.
      Again, that 'Certified with Windows 8' sticker is just a label to tell users that a machine which ships with Windows 8 preloaded has SB turned on by default. There are no features that get disabled (that I know of anyway) when running Windows 8 without Secure Boot. A non-certified machine running Windows 8 works exactly how a certified machine does sans the SB checks. If you want an anecdotal piece of evidence, the machine I am typing this on is a 5 yr old desktop that is dual booting Windows 8 and Fedora 17.

      Same logic with Fedora 18: install F18 with SB enabled and you cannot compile custom kernels or install unsigned kernel modules (that includes AMD's and Nvidia's binary drivers). Disable SB and full control is returned to the user.
      Last edited by Sonadow; 27 March 2013, 02:00 PM.

      Comment


      • Originally posted by Sonadow
        Hey Matthew, one question with this:

        Does this mean we can generate our own custom key for enrollment into the UEFI key system without paying Verisign that $99? If so, how can it be done? And how can I sign a distro (say, Fedora?) with my own key, if possible?
        Yes, it absolutely means that. You just need an RSA key, which you can generate with OpenSSL, and then you can sign things with either sbsigntool or pesign. There's instructions on James Bottomley's blog.

        Comment


        • Originally posted by duby229
          It's not certified without it. There are certain features that become disabled that even Windows XP had. Driver signing which saved my ass a few times among others.
          The only difference between driver signing with Secure Boot disabled is that it's possible to disable it through test mode - it's still enabled by default. Do you have a list of any features that are disabled?

          Comment


          • Originally posted by mjg59
            Yes, it absolutely means that. You just need an RSA key, which you can generate with OpenSSL, and then you can sign things with either sbsigntool or pesign. There's instructions on James Bottomley's blog.
            Which part of Bottomley's blog has the instructions? I'm looking at http://blog.hansenpartnership.com/ef...ties-released/ and http://blog.hansenpartnership.com/ow...uefi-platform/ but there's no mention of sbsigntool or pesign, only efitools. And efitools reportedly work only on Debian, Ubuntu, Fedora and OpenSUSE but I would also like to sign my own copy of Mageia too.

            Comment


            • I can tell you for absolutely certain that on my board driver signing does not work at all with Secureboot disabled. It works fine on Win7 tho.

              Comment


              • Originally posted by Sonadow
                Which part of Bottomley's blog has the instructions? I'm looking at http://blog.hansenpartnership.com/ef...ties-released/ and http://blog.hansenpartnership.com/ow...uefi-platform/ but there's no mention of sbsigntool or pesign, only efitools. And efitools reportedly work only on Debian, Ubuntu, Fedora and OpenSUSE but I would also like to sign my own copy of Mageia too.
                http://blog.hansenpartnership.com/ow...uefi-platform/ tells you how to generate and enrol the keys. After that, just use sbsigntool to sign grub and, if you want, your kernel.

                Comment
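The steps mjg59 describes above (generate an RSA key with OpenSSL, then sign GRUB with sbsigntool), as an added example that is not part of the original thread. The directory, file names and certificate subject are constructed placeholders; `sbsign` and `sbverify` come from sbsigntool and are assumed to be installed for the signing step, and enrolling the certificate in firmware is not covered here.

```shell
#!/bin/sh
# Added example: create an owner-controlled Secure Boot signing key and use it.
# All file names and the certificate subject are constructed placeholders.

# make_signing_key DIR: create an RSA-2048 key and a self-signed X.509 cert.
make_signing_key() {
    dir=$1
    mkdir -p "$dir" || return 1
    ( umask 077   # keep the private key unreadable to other users
      openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
          -subj "/CN=Example owner db key/" \
          -keyout "$dir/db.key" -out "$dir/db.crt" 2>/dev/null ) || return 1
    # DER copy of the certificate for enrolment tools that do not take PEM.
    openssl x509 -in "$dir/db.crt" -outform DER -out "$dir/db.cer"
}

# key_matches_cert DIR: succeed only if db.key is the private half of db.crt.
# Catches signing with a key whose certificate was never enrolled.
key_matches_cert() {
    k=$(openssl pkey -in "$1/db.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$1/db.crt" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# sign_efi DIR IN OUT: sign an EFI binary, then verify the new signature
# against the same certificate before the file is installed anywhere.
sign_efi() {
    command -v sbsign >/dev/null 2>&1 ||
        { echo "sbsigntool not installed" >&2; return 2; }
    [ -f "$2" ] || { echo "no such EFI binary: $2" >&2; return 1; }
    sbsign --key "$1/db.key" --cert "$1/db.crt" --output "$3" "$2" &&
        sbverify --cert "$1/db.crt" "$3"
}

# Usage (paths are placeholders):
#   make_signing_key ./sb-keys && key_matches_cert ./sb-keys
#   sign_efi ./sb-keys grubx64.efi grubx64.efi.signed
```

The signed loader only boots with Secure Boot enabled once `db.crt` (or its DER copy) has been enrolled in the firmware key database, and `db.key` should be stored offline because anyone holding it can sign code the machine will trust.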


                • Originally posted by duby229
                  I can tell you for absolutely certain that on my board driver signing does not work at all with Secureboot disabled. It works fine on Win7 tho.
                  What do you mean by "Does not work"? What precise steps are you carrying out, what are the results and what did you expect instead?

                  Comment


                  • What if UEFI and secure boot was here 15 years ago? Would we be where we are today in the Linux world?
                    I see both sides of the argument here but I've yet to have to deal with it thankfully. Honestly it sounds like something a normal user will not know how to do. I think there is some credibility to the argument that this is conveniently being done now at a time that there is a major push towards Linux supported by both Valve and Ubuntu and there is a lot of distaste over Windows 8.
                    It seems like what we are arguing about is that
                    side a: Secure Boot for the average user as it is being implemented right now is Restricted Boot, plus MS keys and stupid OEMs
                    side b: No it is secure boot see I can work with it and a few distros have dealt with it

                    So my bottom line is would we be here today with Linux on so many personal computers if we had this stuff 15 years ago. Seems like a hurdle purposely placed there to hinder trying out Linux easily. Now you will have to be content with going to YouTube and watching the videos of this Linux system your friend at work said you should try out.

                    Comment


                    • Originally posted by sofar
                      1) enter BIOS setup
                      2) disable secure boot

                      then, either:

                      3) disable UEFI boot / enable legacy boot
                      4) boot a normal MBR-style Linux installation image

                      or:

                      4) boot an EFI-enabled Linux installation image

                      I do this for work on a weekly basis, professionally.
                      How's that preferable to just booting an EFI-enabled Linux installation image? Are you a masochist?

                      My issues with Secureboot
                      - it adds unneeded complexity (yes, I want to boot my Linux DVD without going to BIOS and changing stuff)
                      - BFUs will be prevented from booting alternative OSes
                      - functionality is already there for those who need it; TPM anyone?
                      - another issue to worry about when buying a new motherboard (has anyone tried to find motherboards with IOMMU? yes, it's a PITA)

                      Comment
