Announcement

Collapse
No announcement yet.

Linux foundation has secure boot UEFI workaround

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Linux foundation has secure boot UEFI workaround

    I think I understand it, but if any of those much smarter than me would care to expand on "it" and whether Kubu might be involved would be appreciated:

    http://www.itwire.com/business-it-ne...or-secure-boot

    woodappreciateanycommentssmoke

    #2
    Two more articles on the same theme.

    http://arstechnica.com/information-t...oot-conundrum/

    http://liliputing.com/2012/10/linux-...ows-8-pcs.html

    A pic from second article:




    woodsmoke
    Last edited by woodsmoke; Oct 13, 2012, 10:34 PM.

    Comment


      #3
      Maybe not.
      http://blog.hansenpartnership.com/ad...-uefi-signing/

      The bar is getting higher and higher:
      The first thing you have to do is pay your $99 to Verisign (now Symantec) and get a verified by Verisign key. We did this for the Linux Foundation, and all they want to do is call head office to verify. The key comes back in a URL that installs it in your browser, but the standard Linux SSL tools can be used to extract this and create a usual PEM certificate and key. This is nothing to do with UEFI signing, but it’s used to validate to the Microsoft sysdev system that you are who you say you are. Before you can even create a sysdev account, you have to prove this by signing an executable they give you and upload it. They make strict requirements that you sign it on a specific Windows platform, but sbsign worked just as well and bingo our account is created.


      Once the account is created, you still can’t upload UEFI binaries for signature without first signing a paper contract. The agreements are pretty onerous, include a ton of excluded licences (including all GPL ones for drivers, but not bootloaders). The most onerous part is that the agreements seem to reach beyond the actual UEFI objects you sign. The Linux Foundation lawyers concluded it is mostly harmless to the LF because we don’t ship any products, but it could be nasty for other companies. According to Matthew Garrett, Microsoft is willing to negotiate special agreements with distributions to mitigate some of these problems.


      Once the agreements are signed then the real technical fun begins. You don’t just upload a UEFI binary and have it signed. First of all you have to wrap the binary in a Microsoft Cabinet file. Fortunately, there is one open source project that can create cabinet files called lcab. Next you have to sign the cabinet file with your Verisign key. Again, there is one open source project that can do this: osslsigncode. For anyone else needing these tools, they’re now available in my openSUSE Build Service UEFI repository. The final problem is that the file upload requires silverlight. Unfortunately, moonlight doesn’t seem to cut it and even with the version 4 preview, the upload box shows up blank, so time to fire up windows 7 under kvm. When you get to this stage, you also have to certify that the binary “to be signed must not be licensed under GPLv3 or similar open source licenses”. I assume the fear here is key disclosure but it’s not at all clear (or indeed what “similar open source licences” actually are).
      So, Microsoft, which isn't a PC OEM (except for "Surface"), doesn't own any of the PC OEMs in the legal sense, still dictates what hardware they can run and demands a Microsoft tax from EVERYONE ELSE to run non-MS software on the PC OEM boxes.

      This stinks of monopoly so bad the odor pours off of my keyboard. If nothing else it points out how our elected "representatives", and the judicial and executive branches, have sold out on their Constitutional responsibilities for personal gain.
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
      – John F. Kennedy, February 26, 1962.

      Comment


        #4
        Wow, Microsoft really really really really want you to use windows on uefi systems and make it as hard as possible for anyone that doesn't use it to get a binary signed - http://www.zdnet.com/linux-foundatio...ed-7000007841/

        Comment


          #5
          Jerry, now this report worries me -- a lot, actually. There are easier ways to reach the end goal; Microsoft appears to be erecting unnecessary barriers. Silverlight? What a joke.

          Fundamentally, this all comes down to "Windows 8 certification." Question: who cares about this? How many enterprise buyers incorporate logo requirements into their RFPs? How many consumers look for the logo at BestWallBuyMart before forking over their credit cards?

          I would wager the answer to both these questions is zero. So maybe the actual value of "Windows 8 certification" is vanishingly small. But yet, it's the thing Microsoft holds up as being the primary requirement for Secure Boot. Well, guess what -- I sense a weak target, a target that's possibly worth considering eliminating.

          Rather than arguing over technical interpretations, the Linux Foundation (and all interested distros) should immediately begin a campaign to malign and impugn this silly certification. If in fact no one actually cares, and if in fact Microsoft uses it as a weapon, well then it's certainly deserving of something like a Swift Boat treatment, no? Let's actually target the root of all this evil and take it out! Once people realize that certification actually imposes negative value, maybe the hue and cry from the wilderness will finally be heard.

          Comment


            #6
            Originally posted by SteveRiley View Post
            Rather than arguing over technical interpretations, the Linux Foundation (and all interested distros) should immediately begin a campaign to malign and impugn this silly certification. If in fact no one actually cares, and if in fact Microsoft uses it as a weapon, well then it's certainly deserving of something like a Swift Boat treatment, no? Let's actually target the root of all this evil and take it out! Once people realize that certification actually imposes negative value, maybe the hue and cry from the wilderness will finally be heard.
            As a UDS member, Kubuntu Member, and KDE Supporting Member, as well as your security background credentials with Microsoft, you are in a unique position to be part of the standard bearers to bring this to the forefront, yes?
            Windows no longer obstructs my view.
            Using Kubuntu Linux since March 23, 2007.
            "It is a capital mistake to theorize before one has data." - Sherlock Holmes

            Comment


              #7
              Throw all that at me, will ya? Actually, the paragraph you quoted is a summary of a strategy I've been considering for a while. I'm still sorting through a few implementation details, and then it'll be time to figure out how to marshal the right resources.

              Comment


                #8
                Seems like they are pushing OpenSource projects towards the mini device market more and more. Which is already dominated by FOS. But wasn't that the place Win8 wanted to grow and dominate? Truly mind boggling. I feel like I'm missing something important in this picture. What can it be?

                Comment

                Working...
                X