

rexbinary
Mod King
Premium
join:2005-01-26
Plano, TX
Reviews:
·Verizon FiOS

Red Hat users pay up to run Fedora on Windows 8 machines

Users seeking to run Red Hat Fedora on a Windows 8-certified computer may be forced to shell out $99 to bypass Microsoft's new UEFI Secure Boot feature, according to Red Hat Linux developer Matthew Garrett. That, he said, is the best compromise the company could devise to ensure users could easily load Fedora on new PCs without giving itself an unfair edge over less-influential Linux vendors.
»www.infoworld.com/t/linux/red-ha···s-194594
--
Verizon FiOS subscriber since 2005 | Mac owner since 1990 | Fedora user since 2006 | CentOS user since 2007 | "Anyone who is unwilling to learn is entitled to absolutely nothing." - graysonf | EDIT: I seldom post without an edit.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

1 recommendation

If Microsoft held a gun to their head it would be called robbery.

Seriously though, I don't see how this will not wind up in court. It interferes with commerce and seeks to create a monopoly.

me1212

join:2008-11-20
Pleasant Hill, MO

1 recommendation

The OEMs can choose to put secure boot on their machines, it's not mandatory. Not to mention it won't affect existing RHEL boxes, plus this may be the push that's needed to make places start selling Linux boxes.


rexbinary
Mod King
Premium
join:2005-01-26
Plano, TX
Reviews:
·Verizon FiOS
said by me1212:

The OEMs can choose to put secure boot on their machines, it's not mandatory.

Which desktop or laptop manufacturers are going to sell machines without the Windows 8 certification? None of the major ones for sure.
--
Verizon FiOS subscriber since 2005 | Mac owner since 1990 | Fedora user since 2006 | CentOS user since 2007 | "Anyone who is unwilling to learn is entitled to absolutely nothing." - graysonf | EDIT: I seldom post without an edit.

me1212

join:2008-11-20
Pleasant Hill, MO
I thought it was only the ARM tablets that had that requirement.


rexbinary
Mod King
Premium
join:2005-01-26
Plano, TX
Reviews:
·Verizon FiOS
reply to rexbinary
Hmm, now the story is changing.
In the approach Fedora chose, the organization would pay $99 to have Microsoft sign the binary release of the Fedora distribution. Although the cost for the certificates would be less than $200 a year for Fedora's twice-a-year release schedule, it still hands control of Fedora over to Microsoft, however nominally. With the key, the machine can check if the binary version of the distribution is identical to the one submitted to the key signer. Fedora engineers would then develop a bootloader -- a small program that loads the operating system when the computer is powered on -- that would provide the required Microsoft key to the hardware and then hand over operations to the standard bootloader. Garrett characterized this software as a "shim," one that would only add minimal delay to the booting process of a computer.
»www.infoworld.com/d/open-source-···page=0,0

Can someone please post the text of the original blog entry quoted in the story located here? (It's blocked here at work for some reason.)
»mjg59.dreamwidth.org/12368.html
--
Verizon FiOS subscriber since 2005 | Mac owner since 1990 | Fedora user since 2006 | CentOS user since 2007 | "Anyone who is unwilling to learn is entitled to absolutely nothing." - graysonf | EDIT: I seldom post without an edit.


markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5
reply to rexbinary
said by rexbinary:

said by me1212:

The OEMs can choose to put secure boot on their machines, it's not mandatory.

Which desktop or laptop manufacturers are going to sell machines without the Windows 8 certification? None of the major ones for sure.

Certification requirement is that the Secure Boot module is available to the EFI framework and defaulted to "ON". The option in "BIOS" to turn it off is also a default setting by Phoenix, AMI, and Insyde in the shipping EFI "BIOS" to the OEMs.

Please do not forget the MP3 hysteria by "Linux Developers" in the past. While the Secure Boot may come to non-dual boot fruition, there is more physical evidence that it will not than it will. The Samsung tablet (currently the only physical device to have Secure Boot) had a clear, concise, and easily accessible "ON-OFF" setting for Secure Boot.

In addition, new hardware purchased for enterprise will most likely be for Windows 7 deployments regardless if Windows 8 is "successful" over the next 12-18 months. Windows 7 would also require access to shut off "Secure Boot". Dell, HP, and particularly Lenovo would death march all new hardware without the ability to shut it down in the most profitable market: bulk enterprise. The money is on Linux dual boot's side thanks to Windows 7 among a plethora of other reasons.

Linux Foundation's Making UEFI Secure Boot Work With Open Platforms

In addition, Matthew Garrett's quote above is INCORRECT

said by Matthew Garrett :
Fedora 17 was released this week. It's both useful and free, and serves as a welcome addition to any family gathering. Do give it a go. But it's also noteworthy for another reason - it's the last Fedora release in the pre-UEFI secure boot era. Fedora 18 will be released at around the same time as Windows 8, and as previously discussed all Windows 8 hardware will be shipping with secure boot enabled by default. While Microsoft have modified their original position and all x86 Windows machines will be required to have a firmware option to disable this or to permit users to enrol their own keys, it's not really an option to force all our users to play with hard to find firmware settings before they can run Fedora. We've been working on a plan for dealing with this. It's not ideal, but of all the approaches we've examined we feel that this one offers the best balance between letting users install Fedora while still permitting user freedom...

The last option wasn't hugely attractive, but is probably the least worst. Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access edit: The $99 goes to Verisign, not Microsoft - further edit: once paid you can sign as many binaries as you want), but it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions. If there are better options then we haven't found them. So, in all probability, this is the approach we'll take. Our first stage bootloader will be signed with a Microsoft key.
source

Since ya'll are too dumb to turn off the required by Microsoft EFI "BIOS" setting, Fedora is paying $99 for version 18.... one-off payment of $99 (unless I completely read that wrong?)
--
Show off that hardware: join Team Discovery and Team Helix


rexbinary
Mod King
Premium
join:2005-01-26
Plano, TX
Reviews:
·Verizon FiOS
Thanks for the clarifications.
said by markofmayhem:

Since ya'll are too dumb to turn off the required by Microsoft EFI "BIOS" setting, Fedora is paying $99 for version 18.... one-off payment of $99 (unless I completely read that wrong?)

Turning it off altogether is fine if you are only going to run Fedora. Personally I currently dual boot Fedora and Win 7. (I run Win 7 just for gaming.) While I doubt I'll be upgrading to Win 8, if I did have a need to dual boot Fedora and Win 8 I would need to enable the BIOS for secure boot to be able to boot Win 8. So just disabling secure boot might not be an option for everyone.
--
Verizon FiOS subscriber since 2005 | Mac owner since 1990 | Fedora user since 2006 | CentOS user since 2007 | "Anyone who is unwilling to learn is entitled to absolutely nothing." - graysonf | EDIT: I seldom post without an edit.


markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5
said by rexbinary:

Thanks for the clarifications.

said by markofmayhem:

Since ya'll are too dumb to turn off the required by Microsoft EFI "BIOS" setting, Fedora is paying $99 for version 18.... one-off payment of $99 (unless I completely read that wrong?)

Turning it off altogether is fine if you are only going to run Fedora. Personally I currently dual boot Fedora and Win 7. (I run Win 7 just for gaming.) While I doubt I'll be upgrading to Win 8, if I did have a need to dual boot Fedora and Win 8 I would need to enable the BIOS for secure boot to be able to boot Win 8. So just disabling secure boot might not be an option for everyone.

That is not correct, Win 8 will boot with Secure Boot off (to support the billions of PCs currently working today and those that will be sold over the next 6 months). Secure Boot is not a requirement for the OS to boot, only the certification "sticker" on Intel/AMD x86 platforms.

ARM is very different, but again, the code to not allow Windows 8 to boot with Secure Boot off is not present there either. However, on ARM, the EFI itself has no option to be disabled.

Do not forget, the Samsung tablet with Secure Boot was also used to showcase Microsoft Windows 8's new "dual boot" screen with Windows 7. Secure Boot was disabled to accomplish this at Microsoft's show.
--
Show off that hardware: join Team Discovery and Team Helix


rexbinary
Mod King
Premium
join:2005-01-26
Plano, TX
Reviews:
·Verizon FiOS
said by markofmayhem:

That is not correct, Win 8 will boot with Secure Boot off (to support the billions of PCs currently working today and those that will be sold over the next 6 months). Secure Boot is not a requirement for the OS to boot, only the certification "sticker" on Intel/AMD x86 platforms.

Gotcha.
--
Verizon FiOS subscriber since 2005 | Mac owner since 1990 | Fedora user since 2006 | CentOS user since 2007 | "Anyone who is unwilling to learn is entitled to absolutely nothing." - graysonf | EDIT: I seldom post without an edit.


markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5
Hopefully it stays this way

Intel's concept of Secure Boot is excellent, they are the fathers of it. The implementation that was rumored to execute it frightened many (single keyring holder). I do believe the outcry and hesitation to embrace it "as is" was warranted. I am sorry to see so much FUD cloud up the subject, but a little fire is needed to gain attention sometimes.

Skepticism will be needed on Secure Boot in the future, the pressure should remain.
--
Show off that hardware: join Team Discovery and Team Helix


firephoto
We the people
Premium
join:2003-03-18
Brewster, WA
reply to markofmayhem
said by markofmayhem:

That is not correct, Win 8 will boot with Secure Boot off (to support the billions of PCs currently working today and those that will be sold over the next 6 months). Secure Boot is not a requirement for the OS to boot, only the certification "sticker" on Intel/AMD x86 platforms.

Kind of related...

So all stickered x86 Win8 hardware will only work in a UEFI secure boot mode with Win 8 or Fedora? and Microsoft holds the key to allowing this to work?

If someone decides to sell some flavor of hardware with Linux installed that has UEFI, does what's needed to provide signed bootloaders for this hardware, then in this case they would be the key holders and nobody else would be allowed to use this hardware in a UEFI secure boot mode without the permission of this Linux vendor?
--
Say no to JAMS!

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

3 edits
said by firephoto:

So all stickered x86 Win8 hardware will only work in a UEFI secure boot mode with Win 8 or Fedora?

Not the way I understand it.

Stickered x86 Win8 hardware will (a) ship with UEFI secure boot on (b) allow the user to turn secure boot off (c) boot Windows 8 either way.


OK, I think your 'only' was misplaced, causing me to misparse it as "will work with Win8 or Fedora only in UEFI secure mode".

On second thoughts I think you meant "will work in a UEFI secure boot mode only with Win8 or Fedora". Answer, it depends. Other software vendors can also do the same.


firephoto
We the people
Premium
join:2003-03-18
Brewster, WA
Right, I get the impression that part of these rules is to make utilizing the benefits of the secure boot impossible or difficult without the approval of Microsoft. Fedora and Red Hat seem to be putting out the message that this is more about making things easier for the user installing Linux but it seems more likely that they'll get a benefit from being able to lock their installed systems down.
--
Say no to JAMS!


Drunkula
Premium
join:2000-06-12
Denton, TX
Reviews:
·Verizon FiOS

1 recommendation

reply to rexbinary
I've tried the preview versions of Win8. I definitely will NOT be upgrading to 8. Microsoft can go to hell for their practice of trying to leech money from non-Windows vendors. Just like their bullshit practice of forcing Android phone makers to pay up a fee to avoid being sued. In the criminal justice world I believe that is called extortion.
--
There are 10 types of people that understand binary numbers. Those that do - and those that do not...

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
said by Drunkula:

Microsoft can go to hell for their practice of trying to leech money from non-Windows vendors

They sure are going to be laughing all the way to the bank with that one-time charge of $99 per vendor.

As is said over and over, YOU CAN TURN OFF SECURE BOOT and then the PC is in the same state as if secure boot had never been invented. And still boot Windows 8.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to rexbinary
quote:
Garrett characterized this software as a "shim," one that would only add minimal delay to the booting process of a computer.
That makes it sound as if UEFI security is a mirage. But then perhaps Microsoft is a world leader in mirage pseudo-security.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.1; firefox 12.0

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
"shim" is fairly normal programmer-speak where I come from; a "shim", logically enough, is a thin layer inserted between two components that have not-quite-compatible interfaces.


FF4m3

@verizon.net
reply to dave
said by dave:

said by Drunkula:

Microsoft can go to hell for their practice of trying to leech money from non-Windows vendors

They sure are going to be laughing all the way to the bank with that one-time charge of $99 per vendor.

said by Matthew Garrett :

The $99 goes to Verisign, not Microsoft - once paid you can sign as many binaries as you want



firephoto
We the people
Premium
join:2003-03-18
Brewster, WA
reply to rexbinary
»lists.fedoraproject.org/pipermai···623.html

Starting there and going into the replies from Red Hat people you can kind of get an idea from what's said (and not said) to the reasons for all this.

I'm sticking with my opinion that it's more about having a secure boot and ability to lock the system to the hardware than it is about keeping users happy with being able to install something and not having to change a "bios" setting.
--
Say no to JAMS!


FF4m3

@verizon.net
reply to rexbinary
Found the following quote here in the Comments section:

There is an RFC draft protocol for Domain Authenticated Named Entities which introduces a new Transport Layer Security Association (search for RFC DANE) which is in its final stages before becoming a full RFC. This new RFC will allow DNS administrators to become their own Certificate authorities providing they are using DNSSEC which signs their DNS records which can include Digital Certificates. If the EFI boot process supports that new TLSA then there will be no need for anyone to buy a certificate from any CA providing an organisation puts its Root Certificate into DNS and Digitally Signs the record. So the $99 dollars is not well spent.
Just make sure that the EFI boot process supports the new TLSA.

Here's the draft:
The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA draft-ietf-dane-protocol-21


rexbinary
Mod King
Premium
join:2005-01-26
Plano, TX
Reviews:
·Verizon FiOS
reply to rexbinary
Here is Red Hat's official response:
Some conspiracy theorists bristle at the thought of Red Hat and other Linux distributions using a Microsoft initiated key registration scheme. Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative.
»www.redhat.com/about/news/archiv···ure-boot
--
Verizon FiOS subscriber since 2005 | Mac owner since 1990 | Fedora user since 2006 | CentOS user since 2007 | "Anyone who is unwilling to learn is entitled to absolutely nothing." - graysonf | EDIT: I seldom post without an edit.

TuxRaiderPen

join:2009-09-19

1 recommendation

said by rexbinary:
Here is Red Hat's official response:
Some conspiracy theorists bristle at the thought of Red Hat and other Linux distributions using a Microsoft initiated key registration scheme. Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative.
»www.redhat.com/about/news/archiv···ure-boot

Well RH is as many know not exactly on my most liked Linux distros, and the NOT Welcome Mat and No Vacancy for them is definitely out!

This move only continues to ensure that continues.... As someone else here suggested... something stinks in this...in re RH's move...

As for UEFI... everyone is getting distracted by the "security" smoke and mirrors part of this crap! It has NOTHING TO DO WITH SECURITY. It makes a good cover story to LOCK OUT COMPETITION.

The issue is the complete, total, utter piece of crud a certain worthless pile of code posing as an OS is! It's so ridiculously easy to infest these systems that have to go this route. ADDED BENEFIT, locks OUT COMPETITION for your product!

That's the whole goal of this, regardless of what any of the companies involved in this spout... and the so called inventor is just being the shill to cover the real source of this and its goals.

Pay attention ASRock, etc... I am not going to purchase any MB which this can not be completely 100% DISABLED! Or better non UEFI BIOS!

Same goes for you too Dell and company! We won't purchase any system that can not have the DISTRO of choice installed. That's not the OS of choice, there is ONLY ONE CHOICE, its a distro choice. And well one set is out! Not that it ever was a choice to start any way...

RH, you protest too much! There's more to this!


firephoto
We the people
Premium
join:2003-03-18
Brewster, WA
reply to rexbinary
said by rexbinary:

Here is Red Hat's official response:

Some conspiracy theorists bristle at the thought of Red Hat and other Linux distributions using a Microsoft initiated key registration scheme. Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative.

Carrot and a stick. Microsoft and good-faith, more like Red Hat being invited to the big boys table set before the kings.

As also said by tuxraider.. this is about locking the system and locking out competition by going along with a not-actual competitor's anti-competitive scheme. The friendly worded press releases are just fluff to keep the fans happy while using words that drive wedges and label those who don't agree as crazy in the minds of those who follow Red Hat's path.
--
Say no to JAMS!


rexbinary
Mod King
Premium
join:2005-01-26
Plano, TX
Reviews:
·Verizon FiOS
reply to rexbinary
Red Hat Drinks the Microsoft Kool-Aid
"One security threat that has been getting a lot of interest lately is the ability to ensure the integrity of the early boot sequence"

Only because the richest software company on the planet is utterly incompetent, and incapable of building a secure operating system. So instead they bully the rest of the world into trying to mitigate the security disaster that is Microsoft Windows.

"The mechanism used to confirm the integrity of operating system software...uses traditional key signing and variations of checksumming... Performing the checks early is crucial as it provides a safe, verified starting point."

ORLY? Key signing is the answer, eh? Oopsie, no it isn't, as the Flame malware proves. Flame spoofs Microsoft's own Certificate Authority, takes over Windows Update, and fools Windows computers into thinking they're installing genuine proven-trusted signed Microsoft code.
»lxer.com/module/newswire/view/168183/
--
Verizon FiOS subscriber since 2005 | Mac owner since 1990 | Fedora user since 2006 | CentOS user since 2007 | "Anyone who is unwilling to learn is entitled to absolutely nothing." - graysonf | EDIT: I seldom post without an edit.


rexbinary
Mod King
Premium
join:2005-01-26
Plano, TX
Reviews:
·Verizon FiOS
reply to rexbinary
Red Hat deal with Microsoft is a bad idea
In November 2006, when Novell signed a patent licensing deal with Microsoft, the free and open source software community, for the most part, was predictably appalled.

But recently when Red Hat announced that it had signed a deal with Microsoft to ensure that Linux could be installed on PCs that were Windows 8-capable - in other words, those that supported secure boot - there was very little outcry. Red Hat is now trying to justify this act.
»www.itwire.com/opinion-and-analy···bad-idea
--
Verizon FiOS subscriber since 2005 | Mac owner since 1990 | Fedora user since 2006 | CentOS user since 2007 | "Anyone who is unwilling to learn is entitled to absolutely nothing." - graysonf | EDIT: I seldom post without an edit.


FF4m3

@verizon.net
Thanks for the links. Good reads!

said by LXer :

Only because the richest software company on the planet is utterly incompetent, and incapable of building a secure operating system. So instead they bully the rest of the world into trying to mitigate the security disaster that is Microsoft Windows.

said by iTWire :

What better illustration of the way Microsoft does things? It is repeatedly able to persuade seemingly sane companies to join hands with it - and then yanks the equivalent of the ball away at the last minute...

Embrace, extend and extinguish is what has made Microsoft.

It knows no other methods.

Red Hat will find out over the next few years that the leopard never changes its spots.

Very well stated.


rexbinary
Mod King
Premium
join:2005-01-26
Plano, TX
Reviews:
·Verizon FiOS
reply to rexbinary
Linus Torvalds on Windows 8, UEFI, and Fedora
Setting the anger aside, there’s something to all of this, but as Torvalds told me, “Yes, yes, the sky is falling, and I should be running around like a headless chicken in despair over signing keys. But as long as you can disable the key checking in order for kernel developers to be able to do their job, signed binaries really can be a (small) part of good security. I could see myself installing a key of my own in a machine that supports it.”

That said, Torvalds doesn’t think Microsoft’s spin on Windows 8 UEFI secure boot is really going to do for security. “The real problem, I feel, is that clever hackers will bypass the whole key issue either by getting a key of their own (how many of those private keys have stayed really private again? Oh, that’s right, pretty much none of them) or they’ll just take advantage of security bugs in signed software to bypass it without a key at all.”

Torvalds concluded, “Signing is a tool in the tool-box, but it’s not solving all the security problems, and while I think some people are a bit too concerned about it, it’s true that it can be mis-used.”
»www.zdnet.com/blog/open-source/l···ra/11187
--
Verizon FiOS subscriber since 2005 | Mac owner since 1990 | Fedora user since 2006 | CentOS user since 2007 | "Anyone who is unwilling to learn is entitled to absolutely nothing." - graysonf | EDIT: I seldom post without an edit.


FF4m3

@verizon.net

Torvalds doesn’t think Microsoft’s spin on Windows 8 UEFI secure boot is really going to do for security. “The real problem, I feel, is that clever hackers will bypass the whole key issue either by getting a key of their own (how many of those private keys have stayed really private again? Oh, that’s right, pretty much none of them) or they’ll just take advantage of security bugs in signed software to bypass it without a key at all.”

If so, then just simply disable the thing to remove the issue and fogetaboutit. That's my plan.

Linux has not experienced similar security issues that face Microsoft & Windows. The whole thing is another Microsoft 'restraint-of-trade/competition' scam. Don't let MS put their own Windows fears into Linux users.


FF4m3

@verizon.net
reply to rexbinary
Interesting. Thanks for the link.