
Re: the ghost of UEFI and Micr0$0ft

On 07/06/12 16:46, Miles Bader wrote:
> Scott Ferguson <scott.ferguson.debian.user@gmail.com> writes:
>>>> You can't disable the code signing requirement on ARM.
>>> ... which is a great deal more worrying.
>> Yes. And no.
>> I'd hate to see a situation where it was impossible to buy an ARM (or
>> other CPU based board) without UEFI that can be disabled - but I support
>> devices that can be made to *only* run signed code *provided* MS is
>> *not* the certificate agency.
> Would that mean anybody who wants to build their own kernel would need
> to buy a signing key?
> -miles

For a UEFI that conforms with Windoof 8 Secure Boot on ARM?
I haven't seen such a beast - my best guess according to the
specifications is that you'd have two choices (Buckley's and none):-
;sign your OS (boot, through kernel to module) with a key already signed
by the UEFI key
;convince a hardware manufacturer to add your key to the UEFI

For a UEFI that conforms with Windoof 8 Secure Boot on x86[*1] the only
example I'm aware of is the Sony tablet with the W8 developer preview.
It allows for you to use a key that has been signed by Microsoft (the
$99 sysdev key) and you also add your own key to the UEFI... apparently
that would *require you typing it in* (256 characters).

[*1]more about that here:-

NOTES: there are, and will continue to be devices for sale without MS
pre-installed. Anyone buying a device with MS pre-installed with the
intention of replacing it with GNU/Linux is shooting themselves in the
foot and helping perpetuate the myth that MS has a monopoly (Apple and
Google have more influence over manufacturers than MS).
We are discussing UEFI as implemented by devices bearing the W8 flag -
many devices won't have that UEFI. I visited two computer stores on the
weekend - both had MS on less than 15% of the devices for sale, 100% of
desktops, 80% of laptops, about 50% of netbooks - and sod all of the
tablets, pads, and phones. So I doubt that many UEFI for ARM devices
will be built with a MS Secure Boot UEFI.

Getting your key (not signed by the CA) into a Windoof 8 UEFI would
require the hardware manufacturer adding it (KEK), something that only
Microsoft or an OEM could swing. Unless you're offering the manufacturer
a lot of money it's unlikely they'd help you - even RedHat couldn't
swing that deal.  I suspect a hobbyist/system administrator will have
two choices with the x86 Windoof 8 UEFI:-
;pay the CA $99 for an endorsed key, use it to sign your OS and it'll
"just work"
;add your own key to the UEFI *if* your hardware allows adding one to
the UEFI (doesn't look like UEFI for ARM will have that capacity)

If you're in the business of supporting Debian then you'd pay the $99 -
that way the client can only run what you are contracted to support.
Would that be providing MS with sustenance? Yes - though most of that
$99 goes to Verisoft. If you're in the business of supporting a
pre-installed Debian you'd need to deal with the hardware manufacturer
to have a custom UEFI. I suspect that last option will be made available
- MS no longer have the sway with hardware manufacturers they used to...
MS hasn't had a monopoly for a while so can't negotiate from a position
of strength (Apple and Google can though).

On a positive note - I don't believe that Microsoft has drafted the
terms of the W8 UEFI to include an unsecured boot mode out of fear of
being prosecuted for monopolising the UEFI.... for W8 UEFI Secure Boot
to work everything must be signed - even the IE plugins, Fffflash,
Acrobat etc. Never going to happen - most Windoof users will want the
ability to run unsigned code, hence the unsecure boot mode. My theory is
that the MS UEFI wet dream is *only MS on W8*, not *only MS on the box*.

Kind regards

Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
