Re: the ghost of UEFI and Micr0$0ft
* On 2012 05 Jun 12:26 -0500, Claudius Hubig wrote:
> Hello Doug,
> Doug <email@example.com> wrote:
> > I read the referenced post. It looks to me like Fedora will boot
> > without hassle, because they paid off Microsoft, and obtained a key,
> > but everything else, not having a key, will not.
> Yes. More precisely, they want to get a small piece of software
> signed by Microsoft, so that the computer will boot this small piece
> of software. It will then continue to load a Fedora-signed Grub,
> which loads a Fedora-signed kernel, which only loads Fedora-signed
So MS has finally figured out a way to make Linux subservient to their
own ends. Nice.
> ‘Modifying the BIOS’ only includes changing settings within the BIOS,
> not flashing/upgrading the BIOS. It is comparable to changing the
> boot device or something like that.
Really? Just what guarantee is there that typical MS strong-arm
contracting will result in that option being disabled on most, if not
all, consumer devices? I'm going to guess the answer is somewhere
between slim and none and Slim has one foot on a bannana peel and the
other in the grave.
> > If you can boot anything without a
> > key, then what is different than what we have now?
> You will have to disable secure boot or add the key used to sign the
> bootloader to your computer.
Only if those options are made available by the manufacturer.
> > (I don't care about modifying the BIOS, and so far I have not heard
> > of a virus that attacks Linux, but I'm aware that it is
> > possible--just not worth anyone's trouble to write, for such a small
> > installed base.)
> The problem here is that ‘we’ want a chain of trust from the BIOS to
> the desktop, so that malware cannot infect the kernel before it
> loads. This means that the BIOS/UEFI must only load stuff that is
> deemed ‘safe’, which in turn - obviously - should only load other
> stuff that is also safe . Hence, a Linux distribution that wants to
> boot by default from such devices must get signed by a key that is
> contained within the UEFI by default - for example, Microsoft’s .
Who is 'we'? Sellouts? I neither want nor need any of this rot. Let
MS rot in its malware hell, I don't wish to be bothered by it. I trust
the Debian project and that is all the 'trust' I need.
> In any case, the key point to remember is:
> a) You can turn off secure boot completely.
Maybe, maybe not.
> b) Secure boot allows you to control more closely what software runs
> on your computer .
I control it by booting Debian. I neither want nor need anyone else's
permission to do so.
> c) By reducing the possibilities to attack Windows , you also help
> to reduce spam, DDoS attacks etc.
Again, let MS rot in its malware hell. I don't care! Perhaps if MS had
been a bit more proactive a couple of decades ago we would not be having
this discussion. MSFT issues are not for us in the Debian or wider
Linux community to resolve.
If need be, community oriented hardware based on ARM and such will
become the order of the day for general purpose computer. Consumer
hardware is being made off-limits to the hobbyist.
- Nate >>
"The optimist proclaims that we live in the best of all
possible worlds. The pessimist fears this is true."
Ham radio, Linux, bikes, and more: http://www.n0nb.us