Linked by Elv13 on Sun 17th Jun 2012 10:35 UTC
Hardware, Embedded Systems "The UEFI secure boot mechanism has been the source of a great deal of concern in the free software community, and for good reason: it could easily be a mechanism by which we lose control over our own systems. Recently, Red Hat's Matthew Garrett described how the Fedora distribution planned to handle secure boot in the Fedora 18 release. That posting has inspired a great deal of concern and criticism, though, arguably, about the wrong things."
Thread beginning with comment 522598
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: uefi disable
by pgeorgi on Mon 18th Jun 2012 09:02 UTC in reply to "uefi disable"
pgeorgi
Member since:
2010-02-18

distro makers should not offer to voluntarily go with MS's lockout plan.

Except if they want to compete in the server business (RHEL vs. Windows Server 8). Having a checkbox to tick "protected boot process" might come in useful when trying to secure government contracts, whereas having that checkbox empty might hurt sales.
Even NIST is aware that firmware level attacks might be a problem.

MJG is paid by Redhat, and so he will work on what's best for them. Compiling your own kernel is so far down the requirements lists for enterprise servers that they don't care about it much. They just need a way to _somehow_ get around the lock-down for their own development (and the geeks) - and right now, there is.

Reply Parent Score: 3

RE[2]: uefi disable
by acobar on Mon 18th Jun 2012 12:56 in reply to "RE: uefi disable"
acobar Member since:
2005-11-15

I failed to see how the proposed solution is somewhat unfitting. He asked for a simple jump or switch on motherboards, nothing more. I think it is the best and simplest solution I ever heard. It will not lessen what Red Hat can do or claim for their systems and provides a fair level playing field for all others involved on linux/*BSD, or whatever camps.

Reply Parent Score: 3

RE[3]: uefi disable
by pgeorgi on Mon 18th Jun 2012 16:00 in reply to "RE[2]: uefi disable"
pgeorgi Member since:
2010-02-18

I failed to see how the proposed solution is somewhat unfitting. He asked for a simple jump or switch on motherboards, nothing more. I think it is the best and simplest solution I ever heard.

After some kicking and screaming, Microsoft was coerced to require a soft switch (somewhere in the firmware menu) to disable secureboot in order to gain the Windows 8 Logo. That's not the concern.

There are numerous others, eg.: Will that switch cease to exist sometimes, eg. with Windows 9 Logo? Why can you only ever sign files, incl. UEFI drivers with one signature, which grants an effective monopoly to Microsoft?

It will not lessen what Red Hat can do or claim for their systems and provides a fair level playing field for all others involved on linux/*BSD, or whatever camps.

Using such a switch (no matter if hardware or software) prevents the "boots securely" checkbox item on the RHEL sales material. Redhat _needs_ secureboot capability - not so much for Fedora, but for RHEL.
I guess that they do it for Fedora is just a way to get it tested before they run it by their paying customers.

Reply Parent Score: 2