SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
What I am understanding from all this is 2 or 3 years from now my bank sends me a letter saying all online access must be thru secure boot. No problem I have the pre-boot-loader from Linux Foundation signed by MicroSoft installed on my Slackware-69.9 system. 6 months later MS decides too many people using Linux are subverting the Linux Foundation signing key and puts it on the blacklist.
Now I'm SOL I can't cash my check, pay my bills, transfer money etc. from my home computer.
Someone please tell my I'm misinterpreting this.
thanks
john
1. Your bank can't determine if you use Secure Boot or not, it is simply a way to prevent rootkits and other similar malware.
2. Microsoft has no blacklist to prevent your system from booting. According to Microsoft's guidelines it is not allowed to implement Secure Boot in a way that keys can be altered from software on a running system, otherwise the system will not get the Windows 8 logo. It is also mandatory to implement a function that the user can add his own custom keys to the firmware, so you won't have to rely on third party keys.
1. Your bank can't determine if you use Secure Boot or not...
2. Microsoft has no blacklist ....
Quote:
Originally Posted by From the comments section
Posted Oct 11, 2012 15:29 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
The shim design effectively has three databases to validate against:
1) The UEFI spec database (db) - this is checked in order to conform to the spec
2) The MOK database - this is checked in order to allow users to modify their trusted keys without having to use firmware-specific UI
3) A built in database - this is baked in at build time.
...
but means that an overly lax security policy could result in blacklisting by Microsoft. We'll see if anyone decides to make that happen.
TobiSGD
Great news if you are correct, but the above comment from 'mjg59' who claims to have written most of the code says differently about 'blacklisting'. I guess I am just paranoid when in comes to MS and their tactics in the past.
[EDIT] the comment was from LWN.net[/EDIT]
[EDIT] the comments link https://lwn.net/Articles/519244/ -- 15 from the top[/EDIT]
thanks
john
Last edited by AlleyTrotter; 10-12-2012 at 09:48 AM.
Thanks for the pointer to article, I am reading all of them that I can find. I just can't seem to get past a single corporation being allowed to control my ability to use my hardware, as I wish, if secure boot is enabled by default. Even with the Linux Foundation's key, it can still be blacklisted by that corporation. Is my system now a brick?
dugan As I am reading/understanding if secure boot is enabled by default you must have a key to do anything with your hardware. Remember that the fall back (disabling secure boot) is not guaranteed to be available by the UEFI definition/implementation.
I really hope and wish I am wrong about this.
john
I just can't seem to get past a single corporation being allowed to control my ability to use my hardware, as I wish, if secure boot is enabled by default. Even with the Linux Foundation's key, it can still be blacklisted by that corporation. Is my system now a brick?
Well, just disable it. Or add your own custom keys. if you don't trust Microsoft you shouldn't be using their software and without using their software, how should they blacklist your keys?
me too, sigh. It is clear to me that all the reasons put forward are fake, and the strategic impetus behind UEFI and Safeboot was to control which OS is allowed to be installed on any purchaseable hardware (ie. Windows).
Since then MS had to soften a bit, and the whole affaire wouldn't be so bad if UEFI was actually better than the BIOS crap we had to live with for decades. But behold: the full truth is revealed in a very entertaining talk given by Matthew Garrett, titled "UEFI and Linux: the future is here, and it's awful".
http://mjg59.dreamwidth.org/18149.html As I've mentioned before, our goal is to make it as easy as possible for distributions to implement whatever level of Secure Boot policy they want without having to engage with Microsoft themselves.
I can use the advantages of secure boot (UEFI) without bowing to corporate America ie. MicroSoft. This is what I was wanting to hear, that someone with the knowledge of UEFI is bringing it back to its original intention of securely booting my hardware without needing to pay another corporate tax.
Thank you Matthew Garrett
I am forever in your debt
John
[EDIT Tob I would not be using MS software only the Linux Foundation boot loader and it could still be black listed, but after reading the above mentioned article I can see others feel like I do.[/EDIT]
Last edited by AlleyTrotter; 10-12-2012 at 02:36 PM.
I would not be using MS software only the Linux Foundation boot loader and it could still be black listed
How should that be possible? The UEFI firmware does not connect to a blacklist server and without Microsoft software installed to add the key to the blacklist in the firmware how should it appear on that list?
How should that be possible? The UEFI firmware does not connect to a blacklist server and without Microsoft software installed to add the key to the blacklist in the firmware how should it appear on that list?
The person writing the software (Matthew Garrett) seems to think its possible.
It is no longer a concern to me since it now appears there is a way around the MS issued key being needed to boot my system in secure mode.
john
Doing Secure Boot properly is hard. You need to secure a whole range of components at the code level, you need to keep signing keys secure and you need to figure out what your policy is for handling key compromise or revocation. I've been working on this almost full time for a year now, and it's completely unreasonable to expect small distributions to keep up with all of this. Fedora can afford to develop and maintain the entire stack, but Mint? Arch? Slackware? I don't run any of these them, but I think diversity is important and it'd be a disaster if all of these more niche distributions vanished simply because users aren't able to install them any more.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.