Fedora Pays Microsoft Boot License fee.

Lisa Kachold lisakachold at obnosis.com
Mon Jun 11 15:03:23 MST 2012


On Mon, Jun 11, 2012 at 11:44 AM, Eric Shubert <ejs at shubes.net> wrote:

> Same as other software, I'm guessing that the cert would need to be signed
> by a CA that's recognized by the UEFI software. I'm guessing that you
> wouldn't be able to modify which CAs UEFI recognizes, but if you can, then
> you could simply add your CA to the list and be good to go.
> --
> -Eric 'shubes'
>
>
> On 06/11/2012 08:19 AM, kitepilot at kitepilot.com wrote:
>
>> And why do you have to 'get a certificate request signed by a CA'?
>> I can do SSL all day long with a self-signed (or even expired)
>> certificate.
>> The only thing that the CA validates (the encryption will still be
>> there) is that you are who you are claiming to be, but if you don't
>> care (I don't drop my credit card unless the certificate is 'validly
>> signed'), I still go ahead (as happens on some I-wonder-why SSL(ed)
>> Ubuntu support pages).
>> I may be dumb, though...
>> ET
>>
>> Eric Shubert writes:
>>
>>> On 06/10/2012 01:11 PM, Lisa Kachold wrote:
>>>
>>>> Microsoft responded by saying that there was no mandate from Microsoft
>>>> that prevents secure booting from being disabled in firmware or that
>>>> keys could not be updated and managed.
>>>>
>>>
>>> I think this is key to understanding the situation. Anyone can easily
>>> disable secure booting and people can do as they please, as they do
>>> presently.
>>> In order to use secure booting with an alternative OS, one simply
>>> needs to get a certificate request signed by a CA (a service which
>>> comes with a fee), much the same as certs are done for SSL. This would
>>> be one cert per OS, not per computer. I'm not certain of the details
>>> of how to do this, but this is my understanding of the process.
>>> BL, if you don't want or need secure booting, things are pretty much
>>> the same as they've always been. I doubt that most people would notice
>>> a difference between UEFI and traditional BIOS per se. The differences
>>> are largely between different vendors' implementations, as has always
>>> been the case.
>>> As Larry said earlier, much to say about nothing.
>>> --
>>> -Eric 'shubes'
>>>
>>
From:
http://www.zdnet.com/blog/open-source/linus-torvalds-on-windows-8-uefi-and-fedora/11187

Matthew Garrett, a Red Hat developer, explained why Fedora has ended up
with its Microsoft-based UEFI solution <http://mjg59.dreamwidth.org/12368.html>.
“We explored the possibility of producing a Fedora key and encouraging
hardware vendors to incorporate it, but turned it down for a couple of
reasons. First, while we had a surprisingly positive response from the
vendors, there was no realistic chance that we could get all of them to
carry it. That would mean going back to the bad old days of scouring
compatibility lists before buying hardware, and that’s fundamentally
user-hostile. Secondly, it would put Fedora in a privileged position. As
one of the larger distributions, we have more opportunity to talk to
hardware manufacturers than most distributions do. Systems with a Fedora
key would boot Fedora fine, but would they boot Mandriva? Arch? Mint?
Mepis? Adopting a distribution-specific key and encouraging hardware
companies to adopt it would have been hostile to other distributions. We
want to compete on merit, not because we have better links to OEMs.”

Fedora explored other options. “An alternative was producing some sort of
overall Linux key. It turns out that this is also difficult, since it would
mean finding an entity who was willing to take responsibility for managing
signing or key distribution. That means having the ability to keep the root
key absolutely secure and perform adequate validation of people asking for
signing. That’s expensive. Like millions of dollars expensive. It would
also take a lot of time to set up, and that’s not really time we had. And,
finally, nobody was jumping at the opportunity to volunteer. So no generic
Linux key.”

In addition, the Linux Foundation had proposed a system by which “Linux and other
open operating systems will be able to take advantage of secure boot
<http://www.zdnet.com/blog/open-source/linux-foundation-proposes-to-use-uefi-to-make-pcs-secure-and-free/9827>
if it is implemented properly in the hardware.” This consists of:

   - All platforms that enable UEFI secure boot should ship in setup mode where
   the owner has control over which platform key (PK) is installed. It should
   also be possible for the owner to return a system to setup mode in the
   future if needed.
   - The initial bootstrap of an operating system should detect a platform
   in the setup mode, install its own key-exchange key (KEK), and install a
   platform key to enable secure boot.
   - A firmware-based mechanism should be established to allow a platform
   owner to add new key-exchange keys to a system running in secure mode so
   that dual-boot systems can be set up.
   - A firmware-based mechanism for easy booting of removable media.
   - At some future time, an operating-system- and vendor-neutral
   certificate authority should be established to issue KEKs for third-party
   hardware and software vendors.

This all makes sense, but none of it has happened. So Fedora felt, since
the next release of the distribution will be coming out at about the same
time as Windows 8, that they had to do something.

What Fedora ended up doing was using Microsoft’s secure boot key signing
services through their sysdev portal <http://sysdev.microsoft.com> for a
one-off $99 fee. Why? Because, “it’s cheaper than any realistic alternative
would have been. It ensures compatibility with as wide a range of hardware
as possible and it avoids Fedora having any special privileges over other
Linux distributions. If there are better options then we haven’t found
them. So, in all probability, this is the approach we’ll take. Our first
stage bootloader will be signed with a Microsoft key.”

This has flown as well in some Linux circles as a lead balloon. “How could
you make a deal with the Devil!” “You’ve sold out!” And, for hard core
developers, “I can’t build my own Linux from your source code now without
jumping through hoops!”

Setting the anger aside, there’s something to all of this, but as Torvalds
told me, “Yes, yes, the sky is falling, and I should be running around like
a headless chicken in despair over signing keys. But as long as you can
disable the key checking in order for kernel developers to be able to do
their job, signed binaries really *can* be a (small) part of good security.
I could see myself installing a key of my own in a machine that supports
it.”

That said, Torvalds doesn’t think Microsoft’s spin on Windows 8 UEFI secure
boot is really going to do much for security. “The real problem, I feel, is that
clever hackers will bypass the whole key issue either by getting a key of
their own (how many of those private keys have stayed really private again?
Oh, that’s right, pretty much none of them) or they’ll just take advantage
of security bugs in signed software to bypass it without a key at all.”

Torvalds concluded, “Signing is a tool in the tool-box, but it’s not
solving all the security problems, and while I think some people are a bit
*too* concerned about it, it’s true that it can be mis-used.”

And, in the meantime, all the Linux desktop vendors are going to have to
address the UEFI issue. By year’s end, many, if not most, mass-market PCs
are going to be sold with Windows 8 and that in turn will mean there’s no
easy way to boot them into Linux.

-- 
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
<http://it-clowns.com> Safeway.com
Automation Engineer

