LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices



Reply
 
Search this Thread
Old 10-11-2012, 04:24 PM   #1
AlleyTrotter
Member
 
Registered: Jun 2002
Location: Coal Township PA
Distribution: Slackware64-14.1 (3.18.0) UEFI enabled
Posts: 360

Rep: Reputation: 77
Does anyone understand Secure Boot?


Just tried to read and understand this article.
http://www.linuxfoundation.org/news-...em-open-source

What I am understanding from all this is 2 or 3 years from now my bank sends me a letter saying all online access must be thru secure boot. No problem I have the pre-boot-loader from Linux Foundation signed by MicroSoft installed on my Slackware-69.9 system. 6 months later MS decides too many people using Linux are subverting the Linux Foundation signing key and puts it on the blacklist.
Now I'm SOL I can't cash my check, pay my bills, transfer money etc. from my home computer.
Someone please tell my I'm misinterpreting this.
thanks
john
 
Old 10-11-2012, 05:12 PM   #2
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,653
Blog Entries: 2

Rep: Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097
1. Your bank can't determine if you use Secure Boot or not, it is simply a way to prevent rootkits and other similar malware.
2. Microsoft has no blacklist to prevent your system from booting. According to Microsoft's guidelines it is not allowed to implement Secure Boot in a way that keys can be altered from software on a running system, otherwise the system will not get the Windows 8 logo. It is also mandatory to implement a function that the user can add his own custom keys to the firmware, so you won't have to rely on third party keys.
 
Old 10-12-2012, 07:59 AM   #3
AlleyTrotter
Member
 
Registered: Jun 2002
Location: Coal Township PA
Distribution: Slackware64-14.1 (3.18.0) UEFI enabled
Posts: 360

Original Poster
Rep: Reputation: 77
Quote:
Originally Posted by TobiSGD View Post
1. Your bank can't determine if you use Secure Boot or not...
2. Microsoft has no blacklist ....
Quote:
Originally Posted by From the comments section
Posted Oct 11, 2012 15:29 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
The shim design effectively has three databases to validate against:

1) The UEFI spec database (db) - this is checked in order to conform to the spec
2) The MOK database - this is checked in order to allow users to modify their trusted keys without having to use firmware-specific UI
3) A built in database - this is baked in at build time.
...
but means that an overly lax security policy could result in blacklisting by Microsoft. We'll see if anyone decides to make that happen.
TobiSGD
Great news if you are correct, but the above comment from 'mjg59' who claims to have written most of the code says differently about 'blacklisting'. I guess I am just paranoid when in comes to MS and their tactics in the past.
[EDIT] the comment was from LWN.net[/EDIT]
[EDIT] the comments link https://lwn.net/Articles/519244/ -- 15 from the top[/EDIT]
thanks
john

Last edited by AlleyTrotter; 10-12-2012 at 10:48 AM.
 
Old 10-12-2012, 09:18 AM   #4
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,653
Blog Entries: 2

Rep: Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097
Might you share the link?
 
Old 10-12-2012, 10:49 AM   #5
AlleyTrotter
Member
 
Registered: Jun 2002
Location: Coal Township PA
Distribution: Slackware64-14.1 (3.18.0) UEFI enabled
Posts: 360

Original Poster
Rep: Reputation: 77
Quote:
Originally Posted by TobiSGD View Post
Might you share the link?
see my edit above
john
 
Old 10-12-2012, 11:13 AM   #6
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,653
Blog Entries: 2

Rep: Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097
Thanks.
 
Old 10-12-2012, 11:45 AM   #7
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,122

Rep: Reputation: 819Reputation: 819Reputation: 819Reputation: 819Reputation: 819Reputation: 819Reputation: 819
Perhaps of interest: http://www.infoworld.com/d/open-sour...karound-204699
 
Old 10-12-2012, 12:49 PM   #8
dugan
Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 5,005

Rep: Reputation: 1560Reputation: 1560Reputation: 1560Reputation: 1560Reputation: 1560Reputation: 1560Reputation: 1560Reputation: 1560Reputation: 1560Reputation: 1560Reputation: 1560
Will secure boot still allow you to run /sbin/lilo whenever you want to, or will Slackware need a new boot loader?
 
Old 10-12-2012, 01:09 PM   #9
AlleyTrotter
Member
 
Registered: Jun 2002
Location: Coal Township PA
Distribution: Slackware64-14.1 (3.18.0) UEFI enabled
Posts: 360

Original Poster
Rep: Reputation: 77
Quote:
Originally Posted by tronayne View Post
Thanks for the pointer to article, I am reading all of them that I can find. I just can't seem to get past a single corporation being allowed to control my ability to use my hardware, as I wish, if secure boot is enabled by default. Even with the Linux Foundation's key, it can still be blacklisted by that corporation. Is my system now a brick?

dugan As I am reading/understanding if secure boot is enabled by default you must have a key to do anything with your hardware. Remember that the fall back (disabling secure boot) is not guaranteed to be available by the UEFI definition/implementation.

I really hope and wish I am wrong about this.
john
 
Old 10-12-2012, 01:28 PM   #10
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,653
Blog Entries: 2

Rep: Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097
Quote:
Originally Posted by AlleyTrotter View Post
I just can't seem to get past a single corporation being allowed to control my ability to use my hardware, as I wish, if secure boot is enabled by default. Even with the Linux Foundation's key, it can still be blacklisted by that corporation. Is my system now a brick?
Well, just disable it. Or add your own custom keys. if you don't trust Microsoft you shouldn't be using their software and without using their software, how should they blacklist your keys?
 
Old 10-12-2012, 03:19 PM   #11
Martinus2u
Member
 
Registered: Apr 2010
Distribution: Slackware
Posts: 353

Rep: Reputation: 56
Quote:
Originally Posted by AlleyTrotter View Post
I really hope and wish I am wrong about this.
me too, sigh. It is clear to me that all the reasons put forward are fake, and the strategic impetus behind UEFI and Safeboot was to control which OS is allowed to be installed on any purchaseable hardware (ie. Windows).

Since then MS had to soften a bit, and the whole affaire wouldn't be so bad if UEFI was actually better than the BIOS crap we had to live with for decades. But behold: the full truth is revealed in a very entertaining talk given by Matthew Garrett, titled "UEFI and Linux: the future is here, and it's awful".

https://www.youtube.com/watch?v=V2aq5M3Q76U

Last edited by Martinus2u; 10-12-2012 at 03:28 PM. Reason: how hard can it be to spell a name right :p
 
Old 10-12-2012, 03:25 PM   #12
AlleyTrotter
Member
 
Registered: Jun 2002
Location: Coal Township PA
Distribution: Slackware64-14.1 (3.18.0) UEFI enabled
Posts: 360

Original Poster
Rep: Reputation: 77
Finally the words I was looking for.

Quote:
http://mjg59.dreamwidth.org/18149.html As I've mentioned before, our goal is to make it as easy as possible for distributions to implement whatever level of Secure Boot policy they want without having to engage with Microsoft themselves.
I can use the advantages of secure boot (UEFI) without bowing to corporate America ie. MicroSoft. This is what I was wanting to hear, that someone with the knowledge of UEFI is bringing it back to its original intention of securely booting my hardware without needing to pay another corporate tax.
Thank you Matthew Garrett
I am forever in your debt
John
[EDIT Tob I would not be using MS software only the Linux Foundation boot loader and it could still be black listed, but after reading the above mentioned article I can see others feel like I do.[/EDIT]

Last edited by AlleyTrotter; 10-12-2012 at 03:36 PM.
 
Old 10-12-2012, 03:53 PM   #13
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,653
Blog Entries: 2

Rep: Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097Reputation: 4097
Quote:
Originally Posted by AlleyTrotter View Post
I would not be using MS software only the Linux Foundation boot loader and it could still be black listed
How should that be possible? The UEFI firmware does not connect to a blacklist server and without Microsoft software installed to add the key to the blacklist in the firmware how should it appear on that list?
 
Old 10-12-2012, 04:16 PM   #14
AlleyTrotter
Member
 
Registered: Jun 2002
Location: Coal Township PA
Distribution: Slackware64-14.1 (3.18.0) UEFI enabled
Posts: 360

Original Poster
Rep: Reputation: 77
Quote:
Originally Posted by TobiSGD View Post
How should that be possible? The UEFI firmware does not connect to a blacklist server and without Microsoft software installed to add the key to the blacklist in the firmware how should it appear on that list?
The person writing the software (Matthew Garrett) seems to think its possible.
It is no longer a concern to me since it now appears there is a way around the MS issued key being needed to boot my system in secure mode.
john
 
Old 10-12-2012, 06:55 PM   #15
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware & Slackware64 14.1
Posts: 7,140
Blog Entries: 52

Rep: Reputation: Disabled
More from Matthew Garrett:
http://news.ycombinator.com/item?id=4643820
Quote:
Doing Secure Boot properly is hard. You need to secure a whole range of components at the code level, you need to keep signing keys secure and you need to figure out what your policy is for handling key compromise or revocation. I've been working on this almost full time for a year now, and it's completely unreasonable to expect small distributions to keep up with all of this. Fedora can afford to develop and maintain the entire stack, but Mint? Arch? Slackware? I don't run any of these them, but I think diversity is important and it'd be a disaster if all of these more niche distributions vanished simply because users aren't able to install them any more.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Working System will not boot, I do not understand the messages on the screen. flatstan Linux - Software 5 11-15-2011 12:35 PM
Don't understand, where I can find Fedora 12 boot.img?! proNick Fedora - Installation 6 03-17-2010 05:39 PM
Need help to understand /boot entries with 2 Kernels Orangutanklaus Slackware 5 08-21-2006 06:25 AM
I don't understand:Fast LILO boot floppy kocoman Linux - Software 1 06-16-2005 01:37 AM
Want some understand of boot folder Tyir Slackware 1 01-02-2004 10:25 AM


All times are GMT -5. The time now is 02:25 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration