
Thread: UEFI Secure Boot in Fedora 18 will use Microsoft signed key

  1. #1
    Senior Member
    Join Date
    Apr 2007
    Location
    George W.Cape
    Posts
    132

    Exclamation UEFI Secure Boot in Fedora 18 will use Microsoft signed key

    http://mjg59.dreamwidth.org/12368.html

    The last option wasn't hugely attractive, but is probably the least worst. Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access), but it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions. If there are better options then we haven't found them. So, in all probability, this is the approach we'll take. Our first stage bootloader will be signed with a Microsoft key.
    OR
    Scientific Linux, Xubuntu, Kubuntu, Ubuntu

  2. #2

    Default

    I have only read the first half of the article, I'll read it more thoroughly tonight, but at least there is an option (or so it would seem) to turn it off in the BIOS?

    If not, then I smell another lawsuit heading MS' way.

    For me, just because it forces everyone to dance to the tune of one company.

    "The fool hath said in his heart, There is no God."

  3. #3
    Super Grandmaster ponder's Avatar
    Join Date
    Jan 2005
    Location
    KZN Dolphin Coast
    Posts
    32,875

    Default

    Quote Originally Posted by MyWorld View Post
    I have only read the first half of the article, I'll read it more thoroughly tonight, but at least there is an option (or so it would seem) to turn it off in the BIOS?

    If not, then I smell another lawsuit heading MS' way.

    For me, just because it forces everyone to dance to the tune of one company.
    Future ARM based stuff is even worse from what I gather.
    Entities must not be multiplied beyond necessity

  4. #4
    Senior Member
    Join Date
    Apr 2007
    Location
    George W.Cape
    Posts
    132

    Default

    Quote Originally Posted by MyWorld View Post
    I have only read the first half of the article, I'll read it more thoroughly tonight, but at least there is an option (or so it would seem) to turn it off in the BIOS?

    If not, then I smell another lawsuit heading MS' way.

    For me, just because it forces everyone to dance to the tune of one company.
    The option to turn it off will depend on the Hardware manufacturer - most may decide not to turn it off.
    Scientific Linux, Xubuntu, Kubuntu, Ubuntu

  5. #5
    Grandmaster
    Join Date
    Jan 2007
    Location
    Port Elizabeth
    Posts
    2,032

    Default

    Quote Originally Posted by ocky View Post
    The option to turn it off will depend on the Hardware manufacturer - most may decide not to turn it off.
    This could well be the case with Windows pre-installed branded systems, Dell, Lenovo etc., but I doubt the after-market/specialized MB guys like Asus, Gigabyte, MSI etc. will go for it.

    Of more interest is the implication that some Linux modules (nvidia for example) would need to be included in the Linux kernel for UEFI enabled systems, it would seem that this would apply to Microsoft as well which could pose problems for gamers with esoteric graphics cards.

    In any event it's good to see that Fedora are planning ahead, a once off $99 seems a small price to pay for access to UEFI locked systems. I just hope the smaller boot media players like Hirens Boot & System Rescue to name just two are paying attention.
    Last edited by MickZA; 01-06-2012 at 03:34 PM.

  6. #6

    Default

    I had to do a bit of reading on this in general, still not done, but for those who do not know what UEFI entails:


    "The fool hath said in his heart, There is no God."

  7. #7

    Default

    From the OP:
    While Microsoft have modified their original position and all x86 Windows machines will be required to have a firmware option to disable this or to permit users to enrol their own keys, it's not really an option to force all our users to play with hard to find firmware settings before they can run Fedora.
    So far it seems you will have the option to disable this, but what is the point of secure boot then?

    "Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled," Garrett blogged. "A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux."

    That said Garrett added that, "there's no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code."
    http://www.internetnews.com/blog/ske...inux-risk.html

    I gather this seems to only affect PCs that come preloaded with Windows 8. Why in the world they would want a secure boot feature I cannot yet fathom. The only reason I can think of is to totally disable a pirate PC to even boot the OS, but let's face it, if you are nerdy enough to pirate an OS then you are probably clever enough to work a BIOS!

    Secure boot is a controversial[70][71][72][73] UEFI-based feature to "prevent unauthorized firmware, operating systems, or UEFI drivers from running at boot time".[74]

    Hardware makers who choose the optional Microsoft Certification will be required to implement UEFI. Microsoft will also require that manufacturers offer the ability to turn off the secure boot feature on x86 hardware, but they must not offer such an option on ARM hardware. No mandate is made regarding the installation of 3rd party certificates that would enable running alternate software.[75][76][77]

    In September 2011, Matthew Garrett, an employee of competitor Red Hat, raised the possible risk of Microsoft locking out alternative systems,[78] leading to media coverage.[79][80][81][82] Microsoft addressed the issue in a blog post,[83][84] stating "the customer is in control of their PC. Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves"[85] which confirmed PCs would allow users to disable the feature.[86][87][88][89] In January 2012, the company released specifications for Windows on ARM devices; Secure Boot can never be disabled on ARM devices,[72][90][91][92] causing concerns,[93][94][95] particularly in the Linux community.[96][97][98]
    http://en.wikipedia.org/wiki/Windows_8#Secure_boot

    I still cannot understand why they would push so hard for secure boot. If I'm reading this right then it will not only have problems for the Linux community, but you cannot flash any of your hardware with non-secure firmware, your PC will just refuse to boot!
    It has been a long time since I dabbled with overclocking but we used to flash custom images for everything - motherboard, graphics cards, hard drive firmware, whatever we could to get a few more seconds out of SuperPI. You will not be able to do so any more according to the article.
    There were enhanced drivers released to squeeze a little juice out of your Nvidia or Radeon card, will this still be possible?

    At this point it looks like one major ball and chain solution that fits into the plans of only one company and I hope someone takes them on with this.

    "The fool hath said in his heart, There is no God."

  8. #8
    Grandmaster
    Join Date
    Jan 2007
    Location
    Port Elizabeth
    Posts
    2,032

    Default

    So far it seems you will have the option to disable this, but what is the point of secure boot then?
    As I understand it, it was basically a "Nanny State" approach to rootkits, see discussion here:
    http://www.pcreview.co.uk/forums/win...-t4042956.html

    The original concern of the Linux community was that all preloaded Win 8 systems would have UEFI "locked on" in the BIOS (which, when you think about it, would also assist Dell etc. in their support role as it would prevent third party upgrades to their stock model line) and you wouldn't be able to dual boot or load Linux, FreeDOS etc. It seems that MS have softened their approach and will licence UEFI keys for such systems.

  9. #9

    Default

    I must have been comatose to only now hear of this, and it will be interesting to see this play out and the real world impact it will have on pre-installed and post-install systems.

    It seems even in the discussion you linked there are a lot of unknowns and gibberish. One reply that I lean towards:
    Be that as it may, my point then and now is that having measured
    (hashed) the earliest code, you will need to have the data that you
    compare it to, in storage that is accessible by the program doing the
    comparing. You measure the code, compare the measurement to the stored
    equivalent, and release a key to allow you to take the next step.

    All this, even before you have access to disk.

    Unfortunately, use of the TPM goes beyond that early boot axis integrity
    checking aspect - extending into OS and "Application"
    integrity/licensing DRM crap and possible tagging.
    More reading:
    Windows 8 isn't even released yet and the "secure boot" is already compromised. OUCH!
    http://arstechnica.com/business/2011...8-secure-boot/

    At the upcoming MalCon security conference in Mumbai, Austrian independent developer and security analyst Peter Kleissner is scheduled to release the first known "bootkit" for Windows 8—an exploit that is able to load from a hard drive's master boot record and reside in memory all the way through the startup of the operating system, providing root access to the system. The exploit allegedly defeats the security features of Windows 8's new Boot Loader.
    He even wrote a paper on it! LOLOLOL
    Kleissner said he has shared his research and paper and the paper he plans to present, "The Art of Bootkit Development," with Microsoft.
    Last edited by MyWorld; 04-06-2012 at 11:53 AM. Reason: Added a bit more meat.

    "The fool hath said in his heart, There is no God."
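
Added example, not part of any post in this thread: a simplified Python model of the "measure, compare, release a key" sequence described in the reply quoted in post #9. The extend rule mirrors how a TPM PCR accumulates hashes; `SealedKey`, the stage names and the sample blobs are constructed for illustration, and no real TPM API is used.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one SHA-256 register, starting at all zeroes


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new_pcr = H(old_pcr || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(stages) -> bytes:
    """Measure each boot stage in order before it would be executed."""
    pcr = bytes(PCR_SIZE)
    for blob in stages:
        pcr = extend(pcr, blob)
    return pcr


class SealedKey:
    """Hypothetical sealed secret: stored next to the expected measurement."""

    def __init__(self, key: bytes, expected_pcr: bytes):
        self._key = key
        self._expected = expected_pcr

    def unseal(self, current_pcr: bytes):
        # Release the key only if the measured chain matches the stored value.
        if hmac.compare_digest(current_pcr, self._expected):
            return self._key
        return None


# Constructed sample boot chains (placeholders for real firmware images).
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
TAMPERED_CHAIN = [b"firmware-v1", b"bootloader-v1+modified", b"kernel-v1"]


def demo():
    """Seal against the known-good chain, then try both boots."""
    sealed = SealedKey(b"disk-key", measure_chain(GOOD_CHAIN))
    return (sealed.unseal(measure_chain(GOOD_CHAIN)),
            sealed.unseal(measure_chain(TAMPERED_CHAIN)))


if __name__ == "__main__":
    good, tampered = demo()
    print("clean boot    ->", good)
    print("modified boot ->", tampered)
```

Because each extend folds in the previous register value, a change to any one stage, or to the order of stages, alters the final measurement and the key stays sealed.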

  10. #10
    Grandmaster
    Join Date
    Jan 2007
    Location
    Port Elizabeth
    Posts
    2,032

    Default

    The efficacy of UEFI aside I think with the advent of Win 8 & Google OS we have to accept that, for many, the traditional desktop/laptop/netbook computer will be discarded in favour of tablets - essentially a consumer device à la game consoles, TVs, MP3 players and the like. In the new tablet world UEFI has a role if it can protect the user against themselves (PEBKAC errors along the lines of "I bricked my tablet").

    For the traditional desktop system I suspect that UEFI will be switchable, I'm guessing at jumper control as opening the box might deter some of the less computer literate - and invalidate their warranty.
    Last edited by MickZA; 04-06-2012 at 02:22 PM.

  11. #11
    Grandmaster
    Join Date
    Jan 2007
    Location
    Port Elizabeth
    Posts
    2,032

    Default

    Asus had a busy day, also revealing a new Windows 8 tablet based on ARM processors. While Asus’s new tablet/laptop hybrids are Windows 8-only, Asus will continue supporting Android with an 18.4-inch desktop PC that dual boots both Windows 8 and Google’s mobile OS, according to Engadget. We'd think a Windows 8/Android dual-boot would be more useful in a handheld tablet, but with Computex just getting started, there should be many more devices on the way.
    source: http://arstechnica.com/information-t...-laptoptablet/

    No mention of UEFI and might allay a few fears.

  12. #12
    Senior Member
    Join Date
    Apr 2007
    Location
    George W.Cape
    Posts
    132
    Scientific Linux, Xubuntu, Kubuntu, Ubuntu

  13. #13
    Grandmaster
    Join Date
    Jan 2007
    Location
    Port Elizabeth
    Posts
    2,032

    Default

    Quote Originally Posted by ocky View Post
    ... and another Microsoft conspiracy theory bites the dust - courtesy of RedHat this time

    Can't remember exactly where it started but, as usual, ZDNet did their usual ****stirring to whip everyone into a frenzy.

  14. #14

    Default

    Like everything where Microsoft is involved, let's just wait and see how this plays out. If it is as RH says then good, as long as they give you the feature to disable it then I'm happy as always.

    "The fool hath said in his heart, There is no God."

  15. #15
    Resident Lead Bender Ockie's Avatar
    Join Date
    Feb 2008
    Location
    Henceforth AKA OckieMoto :-)
    Posts
    21,875

    Default

    I really really do not like this. Maybe the EU will rule that when you first boot up, your new laptop must ask you what OS to install...Windoze or Linux Mint 13...like they did with browsers lol
    Now why do you peek and look at the same time?
    Am I perhaps made of gold?
