AMIBIOS Source Code and AMI's UEFI Signing Key Leaked
Distribution: Slackware 14.1 64-bit, Ubuntu 15.10, Fedora 17, Ubuntu 12 LTS and Ubuntu server 10.04
Posts: 173
Another good reason why open source and the GPL should be advocated
Business secrets are not infallible, 1 weak link like an open FTP at a sub dev team is enough, so at best it's security through obscurity.
While things like this should never happen, do keep in mind that those keys were never meant for end users (they're meant to be replaced by vendors).
Quote:
Another good reason why open source and the GPL should be advocated
Business secrets are not infallible, 1 weak link like an open FTP at a sub dev team is enough, so at best it's security through obscurity.
Those keys have nothing to do with either "security through obscurity" or OSS/GPL (ignoring the almost funny silverlight upload tool).
Distribution: Slackware 14.1 64-bit, Ubuntu 15.10, Fedora 17, Ubuntu 12 LTS and Ubuntu server 10.04
Posts: 173
When 1 hardware key is hard-coded into the firmware, my opinion is that it is security through obscurity. You just need 1 key to defeat the whole house of cards. Remember when the first Blu-ray code was found. If the process was F/OSS it would not be possible to use this approach to security because the source would be available to anyone. That was my point with the GPL reference.
Also, proprietary source code is available for purchase on the darker sites of the intarwebz.
When 1 hardware key is hard-coded into the firmware,
It's revocable.
OEMs can add/change as many keys as they like ...
Quote:
Originally Posted by Sigg3.net
my opinion is that it is security through obscurity.
Even if it would rely on just one key (it doesn't), where's the obscurity?
Quote:
Originally Posted by Sigg3.net
You just need 1 key to defeat the whole house of cards.
That's not true.
They're both revocable and expandable.
You can add a different key for every driver and change/blacklist them later.
Quote:
Originally Posted by Sigg3.net
Remember when the first Blu-ray code was found. If the process was F/OSS it would not be possible to use this approach to security because the source would be available to anyone. That was my point with the GPL reference.
I still don't see the similarity.
Do you consider keeping your ssh and gpg keys private as anti-FOSS/GPL as well ... ?
PS: I think you're confusing Secure Boot with the bigger Restricted Boot problem.
Sorry, I thought the hard-coded keys could not be changed. My bad.
Main reason why all default keys have a Microsoft tag is rather obvious:
They're the only ones providing/selling them (it would be nice and less confusing if this changed, everyone is allowed to do so).
That said, I dislike its current implementation as much as anyone else.