

FF4me

@rr.com

reply to FF4me

Re: Windows 8 Secure Boot Would 'Exclude' Linux

From the Software Freedom Law Center -

Microsoft confirms UEFI fears, locks down ARM devices - January 12, 2012

The new policy betrays the cynicism of Microsoft's initial response to concerns over Windows 8's secure boot requirement.

It is clear now that opportunism, not philosophy, is guiding Microsoft's secure boot policy.

Before this week, this policy might have concerned only Windows Phone customers. But just yesterday, Qualcomm announced plans to produce Windows 8 tablets and ultrabook-style laptops built around its ARM-based Snapdragon processors. Unless Microsoft changes its policy, these may be the first PCs ever produced that can never run anything but Windows, no matter how Qualcomm feels about limiting its customers' choices. SFLC predicted in our comments to the Copyright Office that misuse of UEFI secure boot would bring such restrictions, already common on smartphones, to PCs. Between Microsoft's new ARM secure boot policy and Qualcomm's announcement, this worst-case scenario is beginning to look inevitable.

Visit site for additional links.


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by FF4me :

Microsoft confirms UEFI fears, locks down ARM devices

Well ain't this great.

Putting on my desperate-to-find-a-bright-side hat, the article says:

Unless Microsoft changes its policy, these may be the first PCs ever produced that can never run anything but Windows, no matter how Qualcomm feels about limiting its customers' choices.

Not sure if that's strictly correct: these are requirements for being hardware certified and/or getting the "Built for Win8" logo, and Qualcomm is presumably not required to submit for those certifications. If they felt strongly enough about the matter they would make a tablet with their own secure boot rules and forgo the logo.

The question is: what pressures are there for the logo? I don't know how much users care; they mainly care that it actually works.

But I suspect that the OEM pays less for the OS for certified systems, and gets more advertising co-op dollars for certified/logo'd systems, so there are probably substantial financial incentives to go with the flow.

I do note that the hardware certification guide requires that the non-ARM OEMs provide a way for users to install their own keys, so Linux et al. will be able to enjoy the benefits of secure boot. Maybe this is a tradeoff that Microsoft thought would quiet the lockdown of ARM. I doubt that it will work.

Steve
--
Stephen J. Friedl | Unix Wizard | Security Consultant | Orange County, California USA | my web site


Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL

I think OEMs see that sticker as a big deal. Look at the crap that gets "Wind X Certified" stickers put on them. Monitors, mice, keyboards, all sorts of nonsense that just conforms to a standard and isn't built for any specific OS.



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

said by Maxo:

I think OEMs see that sticker as a big deal. Look at the crap that gets "Wind X Certified" stickers put on them.

I wonder where I can buy a computer with a sticker that says "Certified pirated software"?
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.1; firefox 9.0.1


FF4me

@rr.com

reply to Maxo

said by Maxo:

I think OEMs see that sticker as a big deal. Look at the crap that gets "Wind X Certified" stickers put on them. Monitors, mice, keyboards, all sorts of nonsense that just conforms to a standard and isn't built for any specific OS.

Exactly.


howardfine

join:2002-08-09
Saint Louis, MO
Reviews:
·AT&T Southwest
·Charter

reply to FF4me
Why UEFI secure boot is difficult for Linux by Matthew Garrett of RedHat.

quote:
In this scenario, the signed Linux kernel is simply used as a malware loader. The only sign that anything is wrong is that boot will be slightly slowed down.

Signing the kernel isn't enough. Signed Linux kernels must refuse to load any unsigned kernel modules. Virtualbox on Linux? Dead. Nvidia binary driver on Linux? Dead. All out of tree kernel modules? Utterly, utterly dead. Building an updated driver locally? Not going to happen. That's going to make some people fairly unhappy.
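An added example, not part of the thread or of Garrett's article: a small audit that reports which `.ko` files carry no appended signature and would therefore be refused by a kernel that enforces module signing. It assumes the appended-signature layout used by mainline Linux (magic string plus a 12-byte `struct module_signature`), which postdates this discussion; the sample bytes are constructed.

```python
import struct
from pathlib import Path

MAGIC = b"~Module signature appended~\n"  # marker the kernel looks for at end of file
TRAILER = struct.Struct(">5B3xI")         # algo, hash, id_type, signer_len, key_id_len, pad[3], sig_len (big-endian)
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS#7"}

def signature_info(blob: bytes):
    """Return trailer fields if blob ends in a well-formed signature trailer, else None."""
    if not blob.endswith(MAGIC):
        return None
    body = blob[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        return None
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(body[-TRAILER.size:])
    appended = signer_len + key_id_len + sig_len
    # A zero-length signature, or lengths pointing outside the file, count as unsigned.
    if sig_len == 0 or appended > len(body) - TRAILER.size:
        return None
    return {"id_type": ID_TYPES.get(id_type, "unknown"),
            "sig_len": sig_len,
            "code_len": len(body) - TRAILER.size - appended}

def unsigned_modules(root):
    """Paths of .ko files under root with no usable signature trailer.
    Compressed modules (.ko.xz, .ko.zst) are skipped: they must be decompressed first."""
    return sorted(str(p) for p in Path(root).rglob("*.ko")
                  if signature_info(p.read_bytes()) is None)

# Constructed sample data, not real modules: fake ELF bytes and a fake 256-byte signature.
FAKE_CODE = b"\x7fELF" + b"\x00" * 60
SIGNED = FAKE_CODE + b"\xaa" * 256 + TRAILER.pack(0, 0, 2, 0, 0, 256) + MAGIC
UNSIGNED = FAKE_CODE
TRUNCATED = FAKE_CODE + TRAILER.pack(0, 0, 2, 0, 0, 4096) + MAGIC  # sig_len larger than the file

if __name__ == "__main__":
    import sys
    for path in unsigned_modules(sys.argv[1] if len(sys.argv) > 1 else "/lib/modules"):
        print("no signature trailer:", path)
```

A trailer only shows that a signature is present; whether the module loads still depends on the kernel verifying that signature against a key in its trusted keyring.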



Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL

said by howardfine:

Why UEFI secure boot is difficult for Linux by Matthew Garrett of RedHat.

quote:
In this scenario, the signed Linux kernel is simply used as a malware loader. The only sign that anything is wrong is that boot will be slightly slowed down.

Signing the kernel isn't enough. Signed Linux kernels must refuse to load any unsigned kernel modules. Virtualbox on Linux? Dead. Nvidia binary driver on Linux? Dead. All out of tree kernel modules? Utterly, utterly dead. Building an updated driver locally? Not going to happen. That's going to make some people fairly unhappy.

This is a great read and I encourage anyone interested in this topic to read it. Matthew really spells it out clearly.
His points on the problems with Custom mode are new to me and very interesting. I wonder what a reasonable solution is to it.
--
"Padre, nobody said war was fun now bowl!" - Sherman T Potter

»maxolasersquad.com/

»maxolasersquad.blogspot.com

»www.facebook.com/maxolasersquad


FF4m3

@rr.com

said by Maxo:

This is a great read and I encourage anyone interested in this topic to read it.

+1

Garrett's conclusion:

We can write the code required to support secure boot on Linux in a minimal amount of time - in fact, most of it's now done. But significant practical problems remain, and so far we have no workable solutions for any of them.


markofmayhem
I can haz competition?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:4

reply to Maxo

said by Maxo:

I wonder what a reasonable solution is to it.

Centralized signing authority with the same author/key as the kernel itself or KEKs authorized by the central kernel key loosely based on Microsoft's WHQL program where repos sync the binaries "downstream".

Others include:
Becoming the administrator key holder and self-signing anything you wish to run.

Opening a central key authority where end-users can register their own key and have their own local KeK ring to which they can sign their own projects.

Turning off Secure Boot. Windows 8 does not require it to boot, run, or be legal (just the sticker requires it; once the self-adhesive back is peeled and the glue meets the plastic, it can be shut down, removed, etc.)

"Cloud" based signatures where you locally compile, send the results upstream, it is signed with central authority for use on your KeK local ring only, then given back to YOU and only YOU. (destroy yourself all you want, can't hurt others mentality)

Politics is going to ruin this. Distros for money will likely not agree, forcing the upstream kernel to desperately try to remain neutral when it should be taking lead.
--
Show off that hardware: join Team Discovery and Team Helix
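An added example, not part of the thread: several of the options listed above depend on which state the firmware is in, so this reads the standard `SecureBoot` and `SetupMode` UEFI variables and reports whether the machine is enforcing, has Secure Boot turned off, or is in setup mode (no platform key enrolled, the state in which an owner can enroll their own keys). It assumes a Linux system with efivarfs mounted at `/sys/firmware/efi/efivars`; the sample byte strings in the comments are constructed.

```python
import struct
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")           # assumed efivarfs mount point
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI global variable GUID

def flag(raw):
    """Decode an efivarfs file: 4-byte little-endian attributes, then a 1-byte value."""
    if raw is None or len(raw) != 5:
        return None
    _attrs, value = struct.unpack("<IB", raw)
    return value

def classify(secure_boot_raw, setup_mode_raw):
    """Map the two raw variables to 'unknown', 'setup', 'enforcing' or 'disabled'."""
    sb, sm = flag(secure_boot_raw), flag(setup_mode_raw)
    if sb is None:
        return "unknown"    # legacy BIOS boot, no efivarfs, or malformed variable
    if sm == 1:
        return "setup"      # no platform key: keys can be enrolled, nothing is enforced
    if sb == 1:
        return "enforcing"  # only binaries trusted by the enrolled keys will boot
    return "disabled"       # keys may be enrolled, but verification is switched off

def read_var(name, root=EFIVARS):
    try:
        return (Path(root) / f"{name}-{GLOBAL_GUID}").read_bytes()
    except OSError:
        return None

def secure_boot_state(root=EFIVARS):
    return classify(read_var("SecureBoot", root), read_var("SetupMode", root))

# Constructed samples: attributes 0x06 followed by the value byte.
ON, OFF = b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    print("Secure Boot state:", secure_boot_state())
```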


Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL

My question was specifically: how can we have secure boot and be able to perform mass remote installs?
Secure boot is a good thing and only having the ability to disable it is a non-solution IMO.
I would very much like to put the Ubuntu key in my BIOS and feel safe that my PC is not booting anything I didn't authorize.


markofmayhem
I can haz competition?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:4

said by Maxo:

My question was specifically, how can we have secure boot and be able to perform mass remote installs....

I would very much like to put the Ubuntu key in my BIOS and feel safe that my PC is not booting anything I didn't authorize.

Define "Remote". Do you have physical access or not?

As for having Linux run under an operating Secure Boot EFI checking "POST":

Centralized signing authority with the same author/key as the kernel itself or KEKs authorized by the central kernel key loosely based on Microsoft's WHQL program where repos sync the binaries "downstream".

Others include:
Becoming the administrator key holder and self-signing anything you wish to run.

Opening a central key authority where end-users can register their own key and have their own local KeK ring to which they can sign their own projects.

"Cloud" based signatures where you locally compile, send the results upstream, it is signed with central authority for use on your KeK local ring only, then given back to YOU and only YOU. (destroy yourself all you want, can't hurt others mentality)
--
Show off that hardware: join Team Discovery and Team Helix