dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1920
share rss forum feed


FF4m3

@verizon.net
reply to rexbinary

Re: Red Hat users pay up to run Fedora on Windows 8 machines

Found the following quote here in the Comments section:

There is an RFC draft protocol for Domain Authenticed Named Entities which introduces a new Transport Layer Security Assoication (search for RFC DANE) which is in its final stages before coming a full RFC. This new RFC will allow DNS administrators to become their own Certificate authorities providing they are using DNSSEC which signs their DNS records which can include Digital Certificates. If the EFI boot process supports that new TLSA then their will no need for anyone to buy a certificate from any CA providing an organisation puts its Root Certificate into DNS and Digitally Signs the record. So the $99 dollars is not well spent.
Just make sure that the EFI boot process supports the new TLSA.

Here's the draft:
The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA draft-ietf-dane-protocol-21


rexbinary
Mod King
Premium
join:2005-01-26
Plano, TX
Reviews:
·Verizon FiOS
reply to rexbinary
Here is Red Hat's official response:
Some conspiracy theorists bristle at the thought of Red Hat and other Linux distributions using a Microsoft initiated key registration scheme. Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative.
»www.redhat.com/about/news/archiv···ure-boot
--
Verizon FiOS subscriber since 2005 | Mac owner since 1990 | Fedora user since 2006 | CentOS user since 2007 | "Anyone who is unwilling to learn is entitled to absolutely nothing." - graysonf | EDIT: I seldom post without an edit.

TuxRaiderPen

join:2009-09-19

1 recommendation

said by rexbinary:
Here is Red Hat's official response:
Some conspiracy theorists bristle at the thought of Red Hat and other Linux distributions using a Microsoft initiated key registration scheme. Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative.
»www.redhat.com/about/news/archiv···ure-boot

Well RH is as many know not exactly on my most liked Linux distros, and the NOT Welcome Mat and No Vacancy for them is definitely out!

This move only continues to ensure that continues.... As some one else here suggested... something stinks in this...in re RH's move...

As for UEFI... everyone is getting distracted by the "security" smoke and mirrors part of this crap! It has NOTHING TO DO WITH SECURITY. It makes a good cover story to LOCK OUT COMPETITION.

The issue is the complete, total, utter piece of crud a certain worthless pile of code posing as an OS is! Its so ridicously easy to infest these systems that have to go this route. ADDED BENEFIT, locks OUT COMPETITION for your product!

Thats the whole goal of this, regardless of what any of the companies involved in this spout... and the so called inventory is just being the shill to cover the real source of this and its goals.

Pay attention ASRock, etc... I am not going to purchase any MB wich this can not be completely 100% DISABLED! Or better non UEFI BIOS!

Same goes for you too Dell and company! We won't purchase any system that can not have the DISTRO of choice installed. Thats not the OS of choice, there is ONLY ONE CHOICE, its a distro choice. And well one set is out! Not that it ever was a choice to start any way...

RH, you protest too much! Theres more to this!


firephoto
We the people
Premium
join:2003-03-18
Brewster, WA
reply to rexbinary
said by rexbinary:

Here is Red Hat's official response:

Some conspiracy theorists bristle at the thought of Red Hat and other Linux distributions using a Microsoft initiated key registration scheme. Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative.

Carrot and a stick. Microsoft and good-faith, more like Red Hat being invited to the big boys table set before the kings.

As also said by tuxraider.. this is about locking the system and locking out competition by going along with a not-actual competitor's anti-competitive scheme. The friendly worded press releases are just fluff to keep the fans happy while using words that drive wedges and label those who don't agree as crazy in the minds of those who follow Red Hats path.
--
Say no to JAMS!


rexbinary
Mod King
Premium
join:2005-01-26
Plano, TX
Reviews:
·Verizon FiOS
reply to rexbinary
Red Hat Drinks the Microsoft Kool-Aid
"One security threat that has been getting a lot of interest lately is the ability to ensure the integrity of the early boot sequence"

Only because the richest software company on the planet is utterly incompetent, and incapable of building a secure operating system. So instead they bully the rest of the world into trying to mitigate the security disaster that is Microsoft Windows.

"The mechanism used to confirm the integrity of operating system software...uses traditional key signing and variations of checksumming... Performing the checks early is crucial as it provides a safe, verified starting point."

ORLY? Key signing is the answer, eh? Oopsie, no it isn't, as the Flame malware proves. Flame spoofs Microsoft's own Certificate Authority, takes over Windows Update, and fools Windows computers into thinking they're installing genuine proven-trusted signed Microsoft code.
»lxer.com/module/newswire/view/168183/
--
Verizon FiOS subscriber since 2005 | Mac owner since 1990 | Fedora user since 2006 | CentOS user since 2007 | "Anyone who is unwilling to learn is entitled to absolutely nothing." - graysonf | EDIT: I seldom post without an edit.


rexbinary
Mod King
Premium
join:2005-01-26
Plano, TX
Reviews:
·Verizon FiOS
reply to rexbinary
Red Hat deal with Microsoft is a bad idea
In November 2006, when Novell signed a patent licensing deal with Microsoft, the free and open source software community, for the most part, was predictably appalled.

But recently when Red Hat announced that it had signed a deal with Microsoft to ensure that Linux could be installed on PCs that were Windows 8-capable - in other words, those that supported secure boot - there was very little outcry. Red Hat is now trying to justify this act.
»www.itwire.com/opinion-and-analy···bad-idea
--
Verizon FiOS subscriber since 2005 | Mac owner since 1990 | Fedora user since 2006 | CentOS user since 2007 | "Anyone who is unwilling to learn is entitled to absolutely nothing." - graysonf | EDIT: I seldom post without an edit.


FF4m3

@verizon.net
Thanks for the links. Good reads!

said by LXer :

Only because the richest software company on the planet is utterly incompetent, and incapable of building a secure operating system. So instead they bully the rest of the world into trying to mitigate the security disaster that is Microsoft Windows.

said by iTWire :

What better illustration of the way Microsoft does things? It is repeatedly able to persuade seemingly sane companies to join hands with it - and then yanks the equivalent of the ball away at the last minute...

Embrace, extend and extinguish is what has made Microsoft.

It knows no other methods.

Red Hat will find out over the next few years that the leopard never changes its spots.

Very well stated.


rexbinary
Mod King
Premium
join:2005-01-26
Plano, TX
Reviews:
·Verizon FiOS
reply to rexbinary
Linus Torvalds on Windows 8, UEFI, and Fedora
Setting the anger aside, there’s something to all of this, but as Torvalds told me, “Yes, yes, the sky is falling, and I should be running around like a headless chicken in despair over signing keys. But as long as you can disable the key checking in order for kernel developers to be able to do their job, signed binaries really can be a (small) part of good security. I could see myself installing a key of my own in a machine that supports it.”

That said, Torvalds doesn’t think Microsoft’s spin on Windows 8 UEFI secure boot is really going to do for security. “The real problem, I feel, is that clever hackers will bypass the whole key issue either by getting a key of their own (how many of those private keys have stayed really private again? Oh, that’s right, pretty much none of them) or they’ll just take advantage of security bugs in signed software to bypass it without a key at all.”

Torvalds concluded, “Signing is a tool in the tool-box, but it’s not solving all the security problems, and while I think some people are a bit too concerned about it, it’s true that it can be mis-used.”
»www.zdnet.com/blog/open-source/l···ra/11187
--
Verizon FiOS subscriber since 2005 | Mac owner since 1990 | Fedora user since 2006 | CentOS user since 2007 | "Anyone who is unwilling to learn is entitled to absolutely nothing." - graysonf | EDIT: I seldom post without an edit.


FF4m3

@verizon.net

Torvalds doesn’t think Microsoft’s spin on Windows 8 UEFI secure boot is really going to do for security. “The real problem, I feel, is that clever hackers will bypass the whole key issue either by getting a key of their own (how many of those private keys have stayed really private again? Oh, that’s right, pretty much none of them) or they’ll just take advantage of security bugs in signed software to bypass it without a key at all.”

If so, then just simply disable the thing to remove the issue and fogetaboutit. That's my plan.

Linux has not experienced similar security issues that face Microsoft & Windows. The whole thing is another Microsoft 'restraint-of-trade/competition' scam. Don't let MS put their own Windows fears into Linux users.


FF4m3

@verizon.net
reply to rexbinary
Interesting. Thanks for the link.


Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

1 recommendation

reply to rexbinary
said by TuxRaiderPen:

I am not going to purchase any MB wich this can not be completely 100% DISABLED! Or better non UEFI BIOS!

Once again our resident nutbar shows he neither knows nor cares about security.

The real solution is to demand the ability to install your keys on the motherboard that matters. Then you can install Red Hat's signing key, Microsoft's signing key, or your own key.

I just cannot believe the FUD and froth about something that's not that difficult to understand.

Steve
--
Stephen J. Friedl | Unix Wizard | Security Consultant | Orange County, California USA | my web site


signmeuptoo
Bless you Howie
Premium
join:2001-11-22
NanoParticle
kudos:5
reply to rexbinary
So, I am confused a little. When you guys say "your own key" do you mean that a person can set the UEFI to any key you want to install? What happens if the UEFI/BIOS borks?

I am not the brightest bulb in the lamp, sorry, but I don't understand clearly.

If I were to build an Ivy Bridge system/Intel chipset w/UEFI, is it guarenteed that I can turn off secure boot? Will I have to shop carefully for a board that will?

What is supposed to be the point of secure boot, is it just a way to drive sales?

It might be a while before I can build a new system, and I DON'T like Windows 8, its interface, but in a year or two when I want to build a system and dual boot with it, where will all of this leave me? I've dual booted for years, I am not a Linux genius and I've only tried SuSE and Mint of late, but if turning off secure boot is all that is needed, could MS retro design Win8 to reject a boot with secure boot turned off?

I am confused.
--
Join Teams Helix and Discovery. Rest in Peace, Leonard David Smith, my best friend, you are missed badly! Rest in peace, Pop, glad our last years were good. Please pray for Colin, he has ependymoma, a brain cancer, donate to a children's Hospital.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

1 recommendation

reply to Steve
Personally, I think backtracking to 1980's IBM PC-style firmware isn't going far enough. Real programmers key in the absolute loader; it's the only way you know it hasn't been compromised.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to signmeuptoo
said by signmeuptoo:

SIf I were to build an Ivy Bridge system/Intel chipset w/UEFI, is it guarenteed that I can turn off secure boot? Will I have to shop carefully for a board that will?

Not guaranteed - it's a decision made by the BIOS implementor and the motherboard vendor. The only guarantee is that if you buy a *system* with a Microsoft Windows 8 logo, then you *will* be able to disable secure boot.

I'd guess, but it's only a guess, that major motherboard vendors will also follow suit. Cheapskates, maybe not so much.

What is supposed to be the point of secure boot, is it just a way to drive sales?

Anti-rootkit, basically. It's an assurance that what you're booting is what you think you're booting.


FF4m3

@verizon.net
reply to rexbinary
From DistroWatch:

Up to this point we have heard from Red Hat employees and Fedora developers on the subject of supporting secure boot, but what do developers of distributions derived from Fedora think of the move to support secure booting?

Chris Smart, the man behind the Kororaa distribution, summed up his thoughts in an e-mail as, "For me, it's sort of like this: If Fedora does not support secure boot, then neither Fedora nor remixes like Kororaa can boot on computers with secure boot enabled (that's obvious).

If Fedora does support secure boot however, then remixes still can't boot on computers with secure boot enabled (loosely speaking).

So actually, there's isn't really any freedom lost to Kororaa. We couldn't run on secure boot machines anyway, whether Fedora supported secure boot or not. The only advantage is that Fedora can (and we could too, if we got a key)."

Mr Smart goes on to say, "Kororaa will probably require users to disable secure boot if they want to run version 18, that's at least until we can get a clearer picture of what's happening...

I think it's important to realise too, that this only affects brand new computers (and those with secure boot enabled by default) -- that's going to be a small percentage of the user-base who are installing Linux in the short to medium term."

In an effort to clear up any misunderstanding Tim Burke, VP of Linux Engineering at Red Hat, has posted a blog of his own addressing the secure boot and signing key issue. The explanation contains some good news, "In the interest of freedom of choice, some users may not want to utilize this secure boot capability. In the UEFI system menu, they are able to disable the feature and things should operate like they do currently."

There's some less pleasant news too. Mr Burke also suggests people wishing to "Take Fedora and rebuild custom variants to meet personal interest or experiment in new innovations... can also participate by simply enrolling in the $99 one time fee to license." And he concludes on the hopeful note: "Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative."


TuxRaiderPen

join:2009-09-19
said by FF4m3 :
quote:
"Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative."

Suffice it to say you DRANK THE FLAVOR ADE and have joined the dark side! (Not that really was too far in my view!)

You can spin this all you want, its BS....

Linux users, developers et al need to Just say NO to secure boot! (Yes, maybe this is a good idea, possibly, maybe, IF it were IMPLEMENTED VASTLY DIFFERENT! And the micintelafia was not involved in this.. Intel may be a developing force behind UEFI, but you can gurantee it was at the behest of some one else, especially some of this which only serves to benefit one particular company and its crap software.

Its a solution to a problem that only plagues one alleged OS.

Don't let the smoke, mirros, dogs, ponnies, ballons, and sweet fruity drinks con you people! This is nothing about "security" its about competition lockout! Period.


markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5

4 recommendations

reply to signmeuptoo
said by signmeuptoo:

So, I am confused a little. When you guys say "your own key" do you mean that a person can set the UEFI to any key you want to install?

Yes. The "spec" going forward is that Secure Boot will be in "Setup" or "Custom" mode. After completion of "Setup" or "Custom", the owner (who Dell, Lenovo, IBM, and HP consider the final paying customer to be the "owner") will have the ability to white list and black list the PeKs. The KeKs are trusted off of the PeKs. In addition, the "owner" with physical access to the computer can reset the PeK. "How" is not yet known, but "possible" is required under the specification.

said by signmeuptoo:

If I were to build an Ivy Bridge system/Intel chipset w/UEFI, is it guarenteed that I can turn off secure boot? Will I have to shop carefully for a board that will?

Yes. Current Ivy Bridge and Sandy Bridge UEFI motherboards do not have "Secure Boot".

said by signmeuptoo:

What is supposed to be the point of secure boot, is it just a way to drive sales?

said by LXer :

Only because the richest software company on the planet is utterly incompetent, and incapable of building a secure operating system. So instead they bully the rest of the world into trying to mitigate the security disaster that is Microsoft Windows.

said by iTWire :

What better illustration of the way Microsoft does things? It is repeatedly able to persuade seemingly sane companies to join hands with it - and then yanks the equivalent of the ball away at the last minute...

UEFI is replacing BIOS, a much needed step forward. This "replacement" was pretty much completed in 2010, very few Mobo's were shipped without either a UEFI emulator or pure UEFI with a BIOS emulator.

UEFI has many, MANY modules to it. One module is "Secure Boot" which is based off of an Intel initiative started in 1997. When Windows 8 launches later this year, OEM PC's and Mobo's will be required to have the Secure Boot module installed, enabled by default, and have a firmware option to disable it in order to receive the "Made for Windows 8" sticker (certification). Every other OS on the planet can also take part in the newly released UEFI version that includes Secure Boot.

Windows 8 does NOT requires Secure Boot to boot. It would lose "backwards compatibility" with customers, but more importantly, corporations/government. Windows 8 already has problems with corp/gov...

Microsoft is the first to the party for a Secure Boot OS in retail space, they are neither the inventors nor financially lucrative direct benefactors for Secure Boot. Linux and Unix have been at this game longer using closed source kernel modifications and programs in the government/corporate spaces.

AGAIN: Microsoft did not invent Secure Boot; Microsoft does not make money off of Secure Boot.

1. Who "owns" Secure Boot? Intel. US 5937063

2. Is Secure Boot new? The name in retail space: yes; the concept: no. Specific TPM and TXT, to include server and workstation, as well as mobile, have used Intel's EFI trusted boot in different variations since 2006, possibly earlier in government/ultra-cost corporate security. "Private" Linux has made good money off of using these specifications to secure servers and workstations. "Public" Linux has been against any sort of "trusted" or "secure" boot process where signing or BLOB insertion from a for-profit corporation is involved. This ain't new folks. UEFI is NOT-for-profit, so the "Microsoft" name is used as often and incorrectly as possible in reference to "Secure Boot" in order to continue the same argument without having to think too hard. Unfortunately, UEFI and "Secure Boot" isn't all that bad of an idea and direct marketing against it is NOT an option; it does help secure a boot against a rootkit, it can help stop USB sticks from infecting the entire network, it can allow corporations to "remotely kill" their stolen hardware's pre-installed OS. Since it can't be attacked directly, it must be attached to an already hate-inducing name for the mindless zombies to rise up. It is almost as if a double-agent works for Microsoft in their marketing department. They released exactly what was needed to excite the drooling zerg.

Linux options?
a. Shut off the newly implemented security feature.
b. Sign the boot files and process according to the UEFI (Intel's) specifications.

White papers on how to do b. exist from the LinuxFoundation as well as various OpenSource initiative groups. This is where fragmentation hurts. The hope was the kernel itself would step up and globally sign "Linux" for all. Each distro could then piggy back on the PeK for "LINUX".

Other distro's? Silent. Concerned, but silent. "Shut it off, move on" is the consensus in Gentoo, Arch, and even a majority opinion on the Ubuntu forums. RedHat is "for profit", though, and can NOT lose the security perception game.

3. Who implemented it for retail use, was it Microsoft? NO. Intel licensed EFI 1.10 to the UEFI board for use. They then terminated EFI. Future revisions to the spec will be owned, voted, and implemented from the UEFI board. The UEFI board was the one who voted and implemented Secure Boot for retail based off of "trusted computing" within the Intel EFI 1.10 spec; introduced in 2003.

4. Microsoft owns the board then, right? Close, but not really. Too many Apache server money making companies:
Members of UEFI board:
AMD and Intel: hardware manufacturers and HUGE open source contributors.
Insyde, American Megatrends Inc, Phoenix Technologies: the big "3" UEFI/BIOS writers. They sell to hardware only.
Lenovo, Dell, Hewlett Packard, IBM: OEM's... Hewlett Packard, IBM: They are ODM's for Unix/Linux, where most, if not all, of their profit resides.
Apple and Microsoft: The "big 2" closed source OS makers.

5. Microsoft needs "security" more than anyone else, so that is why they are pushing this?

Microsoft is first to the party implementing this tool to help stop rootkits. In the last decade, "security" has been lacking. It is an industry that is worsening, not getting tighter. Many websites get "hacked", passwords are found and spread, government's are committing "Cyber War". Linux is not immune to rootkits and rules the server market share world.

LINUX IS NOT IMMUNE TO ROOTKITS
Verifiable public proof? How about the 2 most well known:
Linux Kernel's Dev Boxes, Servers and Website Rooted in Hack
Rooted Smart phones

To claim Secure Boot is a Microsoft push to "fix their broken OS" is naive, ignorant, or just an awesome spectacular of stupid. Rootkits are affecting everything with "computing power" on the planet. Hardware vendors have a few solutions they want to implement with "service" revenue tied to them (non-retail spaces). Attacks are everywhere, security is needed now:

LARGE MONEY needs security and uses LINUX more than Microsoft. LARGE MONEY has been attacked with their "can't be attacked" Linux servers.
LARGE MONEY demands higher security.

Microsoft is a spec of dirt on planet LARGE MONEY... find a new straw man.
--
Show off that hardware: join Team Discovery and Team Helix


firephoto
We the people
Premium
join:2003-03-18
Brewster, WA
reply to TuxRaiderPen
said by TuxRaiderPen:

said by FF4m3 :
quote:
"Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative."

Don't let the smoke, mirros, dogs, ponnies, ballons, and sweet fruity drinks con you people! This is nothing about "security" its about competition lockout! Period.

You're on a roll this morning.

I agree this isn't much about real security, manipulating competition is far more important to the players involved who don't have much of a history of actually competing against each other.

This pandering to the secure boot settings ensures one thing too for sure, Microsoft will retain a large number of installations due to dual boot on oem machines and it's possibly what this whole psych game is about.

The reality of it is that it doesn't affect a majority slice of the overall Linux pie, just one of the more noisy pieces with a big corporate megaphone.
--
Say no to JAMS!

TuxRaiderPen

join:2009-09-19
said by firephoto:
You're on a roll this morning.

Try the veal.... tip your waitress... I am here all week! badddabump....

said by firephoto:
I agree this isn't much about real security, manipulating competition is far more important to the players involved who don't have much of a history of actually competing against each other.

This pandering to the secure boot settings ensures one thing too for sure, Microsoft will retain a large number of installations due to dual boot on oem machines and it's possibly what this whole psych game is about.
DING DING DING DING!! ! ! some one else who didn't drink or inhale!

said by firephoto:
The reality of it is that it doesn't affect a majority slice of the overall Linux pie, just one of the more noisy pieces with a big corporate megaphone.
Don't matter how much they are running their mouthpice, they don't have much positive "cred" with me. And with this I would serious start to question their involvement in things like the kernel and look at any code contribution as tainted and possible security risk.

This thing stinks more than a landfill on a 102 degree August day!


EUS
Kill cancer
Premium
join:2002-09-10
canada
Reviews:
·voip.ms
reply to rexbinary
Personally I'm just happy that all recent security issues have been cured by digital keys. First dns, now booting a machine.
Happy, happy, happy.
/sarc
--
~ Project Hope ~