LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   Does anyone understand Secure Boot? (http://www.linuxquestions.org/questions/slackware-14/does-anyone-understand-secure-boot-4175431737/)

AlleyTrotter 10-11-2012 03:24 PM

Does anyone understand Secure Boot?
 
Just tried to read and understand this article.
http://www.linuxfoundation.org/news-...em-open-source

What I am understanding from all this is 2 or 3 years from now my bank sends me a letter saying all online access must be thru secure boot. No problem I have the pre-boot-loader from Linux Foundation signed by MicroSoft installed on my Slackware-69.9 system. 6 months later MS decides too many people using Linux are subverting the Linux Foundation signing key and puts it on the blacklist.
Now I'm SOL I can't cash my check, pay my bills, transfer money etc. from my home computer.
Someone please tell my I'm misinterpreting this.
thanks
john

TobiSGD 10-11-2012 04:12 PM

1. Your bank can't determine if you use Secure Boot or not, it is simply a way to prevent rootkits and other similar malware.
2. Microsoft has no blacklist to prevent your system from booting. According to Microsoft's guidelines it is not allowed to implement Secure Boot in a way that keys can be altered from software on a running system, otherwise the system will not get the Windows 8 logo. It is also mandatory to implement a function that the user can add his own custom keys to the firmware, so you won't have to rely on third party keys.

AlleyTrotter 10-12-2012 06:59 AM

Quote:

Originally Posted by TobiSGD (Post 4803365)
1. Your bank can't determine if you use Secure Boot or not...
2. Microsoft has no blacklist ....

Quote:

Originally Posted by From the comments section
Posted Oct 11, 2012 15:29 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
The shim design effectively has three databases to validate against:

1) The UEFI spec database (db) - this is checked in order to conform to the spec
2) The MOK database - this is checked in order to allow users to modify their trusted keys without having to use firmware-specific UI
3) A built in database - this is baked in at build time.
...
but means that an overly lax security policy could result in blacklisting by Microsoft. We'll see if anyone decides to make that happen.

TobiSGD
Great news if you are correct, but the above comment from 'mjg59' who claims to have written most of the code says differently about 'blacklisting'. I guess I am just paranoid when in comes to MS and their tactics in the past.
[EDIT] the comment was from LWN.net[/EDIT]
[EDIT] the comments link https://lwn.net/Articles/519244/ -- 15 from the top[/EDIT]
thanks
john

TobiSGD 10-12-2012 08:18 AM

Might you share the link?

AlleyTrotter 10-12-2012 09:49 AM

Quote:

Originally Posted by TobiSGD (Post 4803870)
Might you share the link?

see my edit above
john

TobiSGD 10-12-2012 10:13 AM

Thanks.

tronayne 10-12-2012 10:45 AM

Perhaps of interest: http://www.infoworld.com/d/open-sour...karound-204699

dugan 10-12-2012 11:49 AM

Will secure boot still allow you to run /sbin/lilo whenever you want to, or will Slackware need a new boot loader?

AlleyTrotter 10-12-2012 12:09 PM

Quote:

Originally Posted by tronayne (Post 4804011)

Thanks for the pointer to article, I am reading all of them that I can find. I just can't seem to get past a single corporation being allowed to control my ability to use my hardware, as I wish, if secure boot is enabled by default. Even with the Linux Foundation's key, it can still be blacklisted by that corporation. Is my system now a brick?

dugan As I am reading/understanding if secure boot is enabled by default you must have a key to do anything with your hardware. Remember that the fall back (disabling secure boot) is not guaranteed to be available by the UEFI definition/implementation.

I really hope and wish I am wrong about this.
john

TobiSGD 10-12-2012 12:28 PM

Quote:

Originally Posted by AlleyTrotter (Post 4804079)
I just can't seem to get past a single corporation being allowed to control my ability to use my hardware, as I wish, if secure boot is enabled by default. Even with the Linux Foundation's key, it can still be blacklisted by that corporation. Is my system now a brick?

Well, just disable it. Or add your own custom keys. if you don't trust Microsoft you shouldn't be using their software and without using their software, how should they blacklist your keys?

Martinus2u 10-12-2012 02:19 PM

Quote:

Originally Posted by AlleyTrotter (Post 4804079)
I really hope and wish I am wrong about this.

me too, sigh. It is clear to me that all the reasons put forward are fake, and the strategic impetus behind UEFI and Safeboot was to control which OS is allowed to be installed on any purchaseable hardware (ie. Windows).

Since then MS had to soften a bit, and the whole affaire wouldn't be so bad if UEFI was actually better than the BIOS crap we had to live with for decades. But behold: the full truth is revealed in a very entertaining talk given by Matthew Garrett, titled "UEFI and Linux: the future is here, and it's awful".

https://www.youtube.com/watch?v=V2aq5M3Q76U

AlleyTrotter 10-12-2012 02:25 PM

Finally the words I was looking for.
 
Quote:

http://mjg59.dreamwidth.org/18149.html As I've mentioned before, our goal is to make it as easy as possible for distributions to implement whatever level of Secure Boot policy they want without having to engage with Microsoft themselves.
I can use the advantages of secure boot (UEFI) without bowing to corporate America ie. MicroSoft. This is what I was wanting to hear, that someone with the knowledge of UEFI is bringing it back to its original intention of securely booting my hardware without needing to pay another corporate tax.
Thank you Matthew Garrett
I am forever in your debt
John
[EDIT Tob I would not be using MS software only the Linux Foundation boot loader and it could still be black listed, but after reading the above mentioned article I can see others feel like I do.[/EDIT]

TobiSGD 10-12-2012 02:53 PM

Quote:

Originally Posted by AlleyTrotter (Post 4804198)
I would not be using MS software only the Linux Foundation boot loader and it could still be black listed

How should that be possible? The UEFI firmware does not connect to a blacklist server and without Microsoft software installed to add the key to the blacklist in the firmware how should it appear on that list?

AlleyTrotter 10-12-2012 03:16 PM

Quote:

Originally Posted by TobiSGD (Post 4804222)
How should that be possible? The UEFI firmware does not connect to a blacklist server and without Microsoft software installed to add the key to the blacklist in the firmware how should it appear on that list?

The person writing the software (Matthew Garrett) seems to think its possible.
It is no longer a concern to me since it now appears there is a way around the MS issued key being needed to boot my system in secure mode.
john

brianL 10-12-2012 05:55 PM

More from Matthew Garrett:
http://news.ycombinator.com/item?id=4643820
Quote:

Doing Secure Boot properly is hard. You need to secure a whole range of components at the code level, you need to keep signing keys secure and you need to figure out what your policy is for handling key compromise or revocation. I've been working on this almost full time for a year now, and it's completely unreasonable to expect small distributions to keep up with all of this. Fedora can afford to develop and maintain the entire stack, but Mint? Arch? Slackware? I don't run any of these them, but I think diversity is important and it'd be a disaster if all of these more niche distributions vanished simply because users aren't able to install them any more.


All times are GMT -5. The time now is 02:00 PM.