• To run on UEFI-secured machines, the next version of Fedora will use a digital key from Microsoft.
    55 replies, posted
[QUOTE=neos300;36197945]Problem is MS is pushing UEFI so that's going to be hard. IIRC Windows 8 requires UEFI[/QUOTE] I have regular BIOSes in my computers, and both run Windows 8 just fine. I wonder if it will be a tablet/ARM only type thing.
Even if it would only be Tablet/ARM only, UEFI is already, and will be an absolutely senseless shitfest.
are you all stupid you can turn secure boot off in x86. in fact, Microsoft requires that the BIOS has the ability to turn it off on x86 systems. [editline]5th June 2012[/editline] also the article is wrong, the money goes to verisign, not microsoft. [editline]5th June 2012[/editline] [url]http://mjg59.dreamwidth.org/12368.html[/url] [quote]The $99 goes to Verisign, not Microsoft - further edit: once paid you can sign as many binaries as you want[/quote]
We have been seriously misinformed then. All hail Lazor for telling the truth.
Microsoft requires that all UEFI x86 systems have the ability to turn off Secure Boot. [editline]5th June 2012[/editline] Lol, I didn't make it to the bottom of the thread to see Lazor's post. [editline]5th June 2012[/editline] I was reading an article on Ars the other day about this: [URL]http://arstechnica.com/information-technology/2012/06/fedora-could-seek-microsoft-code-signing-to-contend-with-secure-boot/[/URL] I thought this part was hilarious: [quote] In order for the technical advantages of the secure boot mechanism to be fully realized, however, all of the code in the platform that has direct interaction with hardware has to be trustworthy, too. A malicious party could theoretically use the Linux kernel’s low-level hardware access to compromise a Windows installation on the same computer or tamper with the firmware. If that is possible on a Fedora system with a signed bootloader, then Fedora’s signing privileges would be revoked and the operating system would no longer be able to run in a secure boot environment. To prevent such a scenario from occurring, Fedora will set up its own signing system that will be applied to the kernel and other security-sensitive layers of the stack below the Microsoft-signed bootloader initialization layer. [/quote] Ironic. Microsoft should revoke themselves.
[QUOTE=Foxconn;36214043]We have been seriously misinformed then. All hail Lazor for telling the truth.[/QUOTE] It's still bullshit after his corrections, maybe that's just me. (I already knew the things Lazor said)
I agree with gparent, regardless of having the ability to turn this off, it shouldn't even exist in the first place. Also, opt-out is bad.
I really can't think of what regular computer users gain from secure boot, besides losing the ability to do things with their computer.
[QUOTE=Jookia;36234075]I really can't think of what regular computer users gain from secure boot, besides losing the ability to do things with their computer.[/QUOTE] That's all.
Yeah I don't think there have been any legit viruses that screwed around with the bootloader.
[QUOTE=T3hGamerDK;36233805]I agree with gparent, regardless of having the ability to turn this off, it shouldn't even exist in the first place.[/QUOTE] Then you don't agree with me. I agree with the whole concept of Secure Boot, it's definitely needed. I disagree with Microsoft's business decisions on how to handle the technology. They should not treat ARM as a special case because of the tablet market. They should not be doing things that make Linux distro developers buy keys off people no matter who they are. It reminds me of the OOXML deal where they fucked things up and played dirty. I don't even want to write more about it. Fuck them. [QUOTE=Jookia;36234075]I really can't think of what regular computer users gain from secure boot, besides losing the ability to do things with their computer.[/QUOTE] The point is to create a chain of trust from the bootloader to the OS. So if you get a rootkit that starts overwriting your BIOS, well it won't be able to because that rootkit would have to sign its dirty code. Thing is, in the certification documents for Windows 8, there is (or used to be) this paragraph: [quote][I]MANDATORY: [B]Enable/Disable Secure Boot[/B]. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of Pkpriv. Programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Disabling Secure MUST NOT be possible on ARM systems.[/quote] [/I]So basically to certify your tablet for Windows 8, you have to make it impossible to disable secure boot. If a tablet manufacturer wants to lock you out[1], they just remove the interface required to insert new signing keys. [1]: to be precise: if Microsoft wants to sign a less-than-legal contract with a manufacturer to lock other OSes out, because let's face it any manufacturer benefits from having additional OSes, it's only MS who benefits from customers having LESS choice
[QUOTE=gparent;36242757] The point is to create a chain of trust from the bootloader to the OS. So if you get a rootkit that starts overwriting your BIOS, well it won't be able to because that rootkit would have to sign its dirty code. [/QUOTE] Since the whole Flame thing just happened with it jacking the certificate for Windows Update, I wonder how long it will take for their Secure Boot certificate to get jacked too.
[QUOTE=PvtCupcakes;36242822]Since the whole Flame thing just happened with it jacking the certificate for Windows Update, I wonder how long it will take for their Secure Boot certificate to get jacked too.[/QUOTE] I'm not saying it's infallible, but it can be much harder to break than a Terminal Services related chain of trust. Pub/private key pairs are basically unbreakable if you never reveal the key. You'd need to attack the hardware itself.
I'm hoping that Microsoft gets taken to court over some of this nonsense. They had this bright period from 2007-2009 and now it seems like they're going back to the 90's.
Wait, you CAN'T disable it on ARM? Why not? What's so special about ARM?
[QUOTE=Jookia;36243353]Wait, you CAN'T disable it on ARM? Why not? What's so special about ARM?[/QUOTE] Microsoft is using "security" as an excuse to block other operating systems from running on their tablets. Which honestly I don't see why, even if people bought a Windows tablet to install Linux/*nix in a dual boot or something, they still get the same amount of money.
It may be my Microsoft hate, but does anybody else kind of see this as Microsoft monopolizing ARM?
[QUOTE=Jookia;36243496]It may be my Microsoft hate, but does anybody else kind of see this as Microsoft monopolizing ARM?[/QUOTE] OEMs could still make ARM tablets that don't have Windows on it.
[QUOTE=Panda X;36243531]OEMs could still make ARM tablets that don't have Windows on it.[/QUOTE] Well they could, but nobody would really buy it if they couldn't use fancy Windows and sync it with their desktop easily and phone and all these convenient things.
[QUOTE=PvtCupcakes;36241678]Yeah I don't think there have been any legit viruses that screwed around with the bootloader.[/QUOTE] [url=http://en.wikipedia.org/wiki/CIH_(computer_virus)]CIH does[/url] (it also overwrites the BIOS)
[B]In related news...[/B] [url]http://lxer.com/module/newswire/view/168183/[/url]
Ahahaha? Oh, that's serious. BAHAHAHAHAHA. If you actually read Tim Burke's announcement, you can see that they've managed to work with the secure boot peoples to allow Linux to be on the desktop, because let's face it- OEMs aren't going to drop Windows 8 support.
[QUOTE=Jookia;36243496]It may be my Microsoft hate, but does anybody else kind of see this as Microsoft monopolizing ARM?[/QUOTE] Well they currently have maybe 2% marketshare on ARM, so not really. I seriously doubt Windows 8 will change that.
Its funny because if Fedora fucks up the signing stuff in their stage-one signed bootloader theres a large chance to make Secure Boot completely useless because you could just install a Fedora bootloader and coax it into running bad code and then load a modified unsigned windows bootloader into memory
[QUOTE=Tobba;36258830]Its funny because if Fedora fucks up the signing stuff in their stage-one signed bootloader theres a large chance to make Secure Boot completely useless because you could just install a Fedora bootloader and coax it into running bad code and then load a modified unsigned windows bootloader into memory[/QUOTE] Chainloading, essentially.
[QUOTE=Jookia;36234075]I really can't think of what regular computer users gain from secure boot, besides losing the ability to do things with their computer.[/QUOTE] Same story with overclock bin multiplier locking though.
Sorry, you need to Log In to post a reply to this thread.