Linked by Elv13 on Sun 17th Jun 2012 10:35 UTC
Hardware, Embedded Systems "The UEFI secure boot mechanism has been the source of a great deal of concern in the free software community, and for good reason: it could easily be a mechanism by which we lose control over our own systems. Recently, Red Hat's Matthew Garrett described how the Fedora distribution planned to handle secure boot in the Fedora 18 release. That posting has inspired a great deal of concern and criticism, though, arguably, about the wrong things."
Thread beginning with comment 522566
To read all comments associated with this story, please click here.
uefi disable
by l3v1 on Mon 18th Jun 2012 05:58 UTC
l3v1
Member since:
2005-07-06

On several occasions I've seen and heard the argument that easy disabling (e.g. including a simple switch in the bios/whatever you want to call it) should be a no-go. Then for crying out loud, at least provide a jumper on the mobo in an accessible place (anywhere on desktop/server boards, and near the ram slots on laptops) where those who care enough, can disable it.

Going for abominations like this Fedora plan (where you can't use your own compiled kernel, modified drivers, etc.) should be the absolute no-go, and distro makers should not offer to voluntarily go with MS's lockout plan. Instead they should join the effort in full to lobby for including the option to switch off UEFI SB on every and each UEFI hardware.

Reply Score: 7

RE: uefi disable
by pgeorgi on Mon 18th Jun 2012 09:02 in reply to "uefi disable"
pgeorgi Member since:
2010-02-18

distro makers should not offer to voluntarily go with MS's lockout plan.

Except if they want to compete in the server business (RHEL vs. Windows Server 8). Having a checkbox to tick "protected boot process" might come in useful when trying to secure government contracts, whereas having that checkbox empty might hurt sales.
Even NIST is aware that firmware level attacks might be a problem.

MJG is paid by Redhat, and so he will work on what's best for them. Compiling your own kernel is so far down the requirements lists for enterprise servers that they don't care about it much. They just need a way to _somehow_ get around the lock-down for their own development (and the geeks) - and right now, there is.

Reply Parent Score: 3

RE[2]: uefi disable
by acobar on Mon 18th Jun 2012 12:56 in reply to "RE: uefi disable"
acobar Member since:
2005-11-15

I failed to see how the proposed solution is somewhat unfitting. He asked for a simple jump or switch on motherboards, nothing more. I think it is the best and simplest solution I ever heard. It will not lessen what Red Hat can do or claim for their systems and provides a fair level playing field for all others involved on linux/*BSD, or whatever camps.

Reply Parent Score: 3

RE: uefi disable
by lucas_maximus on Mon 18th Jun 2012 13:04 in reply to "uefi disable"
lucas_maximus Member since:
2009-08-18

Going for abominations like this Fedora plan (where you can't use your own compiled kernel, modified drivers, etc.) should be the absolute no-go, and distro makers should not offer to voluntarily go with MS's lockout plan. Instead they should join the effort in full to lobby for including the option to switch off UEFI SB on every and each UEFI hardware.


That would mean death to them then.

Reply Parent Score: 2