[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [OT] Re: the ghost of UEFI and Micr0$0ft

On Tue, Jun 5, 2012 at 1:39 PM, Camaleón <noelamac@gmail.com> wrote:
> On Tue, 05 Jun 2012 13:11:19 -0400, Tom H wrote:
>> On Tue, Jun 5, 2012 at 9:49 AM, Camaleón <noelamac@gmail.com> wrote:
>>> On Tue, 05 Jun 2012 12:52:22 +0530, Harshad Joshi wrote:

>>>> i was reading this article - http://mjg59.dreamwidth.org/12368.html
>>>> It is written by someone related to redhat and it describes
>>>> implementing UEFI secure boot in Fedora Core.
>>> Ah, yes. I read about it recently in some Spanish tech magazine...
>>> IMO, Fedora did *the wrong thing* (since when blindly following what
>>> Microsoft -or any other company- does is the correct way to achieve a
>>> milestone?) in *the wrong way* (by not counting with the whole open
>>> source community support, or at least the other linux distributions,
>>> before taking such a decision).
>>> Of course, they're not committed to give explanations on what they do
>>> nor how they do, but neither makes a favor to the FLOSS community :-/
>> It's easy to criticize Fedora but what would you have liked them to do?
>> They published a white paper [1] with Ubuntu last October in response to
>> Microsoft's Secure Boot plans. Where were the other distributions
>> pre-the-white-paper? Where were the other distributions
>> post-the-white-paper? Was there an official statement from Debian, even
>> post-the-white-paper, to the effect that "this is a bad development,
>> we're going to work with Red Hat and Canonical to fight it"?
>> 1.
>> http://blog.canonical.com/2011/10/28/white-paper-secure-boot-impact-on-linux/
> That white paper points to Canonical and Redhat companies.
> I wonder if they tried to contact the other community linux members and
> distributions or even thought about another way of handling this through
> The Linux Foundation, for instance.

Maybe Red Hat and Canonical contacted others, maybe they didn't. These
are the two Linux companies that are the least likely to cooperate so
I'd have to guess (but it's only a guess!) that others were contacted.

But, if a distribution didn't react post-the-white-paper either on its
own or in cooperation with Fedora and/or Ubuntu, then it has no right
to complain now.

This is the position of the Linux Foundation [2] and this is the
paper's conclusion:

"The UEFI secure boot facility is designed to be readily usable by both
proprietary and open operating systems to improve the security of the
bootstrap process. Some observers have expressed concerns that secure
boot could be used to exclude open systems from the market, but, as we
have shown above, there is no need for things to be that way. If vendors
ship their systems in the setup mode and provide a means to add new KEKs
to the firmware, those systems will fully support open operating
systems while maintaining compliance with the Windows 8 logo
requirements. The establishment of an independent certificate authority
for the creation of KEKs would make interoperation easier, but is not
necessary for these platforms to support open systems."

It's dated October 2011 but it doesn't seem to have a problem with
what Fedora's done. It even calls the "establishment of an independent
certificate authority" unnecessary.

2. https://www.linuxfoundation.org/sites/main/files/lf_uefi_secure_boot_open_platforms.pdf

>> The other distributions only have themselves to blame if Fedora's ended
>> up going its own way. I wonder what happened to Ubuntu
>> post-the-white-paper; it's even more bizarre than the other
>> distributions not making any kind of statement or seemingly not getting
>> involved in fighting for Linux, given that like Fedora, Ubuntu has a new
>> release in October/November that'll have take Secure Boot into account.
>> Also, I suspect that had Debian's participation been raised on
>> debian-devel, the flame war would have ended after F18 and U12.10 had
>> been published (witness the never-ending "discussions" on replacing
>> sysvinit that have been going on, intermittently, since last summer).
> Maybe is that they were not properly queried for comments. And remember
> Debian has not a time-based schedule for their releases so why should we
> worry about the other's hurries to be more Windows-friendly?

Debian can live in a bubble by saying that it doesn't have a
time-based schedule but the hardware manufacturers have a schedule,
that of Microsoft's release of Win8. So a solution has to be planned
and implemented before Win8 and Secure Boot boxes hit the market for
those distributions that choose to give their users the choice to use
Secure Boot. Debian might choose to tell its users "disable Secure
Boot" as the second poster in this thread said, but we don't know what
its choice is or what it's going to be.

I suspect that at some point in the future not only will Secure Boot
be extended to servers but it'll be a criterion to fulfill in order to
pass a security audit. If a distribution doesn't get involved at the
inception of the rules, it'll just have to live by the specs that have
been developed and agreed to by others.

>> For those of us who want to dual-, triple-, ...-boot Windows, want to
>> boot from a Live CD, want to compile their own kernels, want to use
>> kernel modules not included in their distribution (assuming that the
>> distribution can boot using Secure Boot), ..., we have to thank Fedora
>> for working to change the spec to allow Linux to boot using Secure boot.
> You can send them a gift ;-)

I won't send them a gift but if Fedora's the only distribution to
support Secure Boot, then it's the only one that I'll recommend to
friends (independently from installing and providing support for
Debian servers at some of my jobs) because I don't want to have to
tell them "to install Linux or even test Linux from a CD without
installing it, I'll have to turn off 'Secure Boot' on your computer";
they'll most likely say "no" anyway after hearing that.

>> It's horrible that we'll have to go through Microsoft to boot Linux
>> using Secure Boot but it leveraged its dominance and power to suit
>> itself (at least in the desktop field, because in the server field,
>> where Linux has a far more substantial presence, there's no such
>> requirement, AFAIU). Looking at it objectively, Microsoft has
>> manoeuvered skillfully. It would've liked to lock down x86 in the same
>> way that it locked down ARM but knew that it would open itself to legal
>> problems so it compromised.
> We don't have to hold for those "horrible" things anymore. We need to
> develop our own way. If we remain at the commands of MS we will be doing
> it wrong.

"We need to develop our own way" is a nice theoretical statement but
do you have a practical, implementable solution? If Debian were to
have its own key (or if it were a member of a group of multiple
distributions with their own shared key), it would have go
manufacturer to manufacturer to have that key used in firmware and
then have a hardware compatibility list. If anything, Fedora's spared
us and itself this headache by leveraging Microsoft's power - with the
downside that it's Microsoft that's signing the shim, stage one

>> Lastly, Fedora's position isn't set in stone - at least not officially-
>> because FESCO has yet to sign off on the Garrett/Jones plan (although
>> it's a fair bet that it'll be approved). Its biggest strength is that
>> those who are opposed to Secure Boot can simply turn it off!
> I hope they think deeply about this decision but I'm afraid they'll not.

Think deeply it will (and probably already has), but "think deeply"
doesn't mean what you seem to think that it means - agree with you!
FESCO can think deeply and decide that the signed-shim plan is in the
best interests of its users.

Reply to: