Re: the ghost of UEFI and Micr0$0ft

To: debian-user@lists.debian.org
Subject: Re: the ghost of UEFI and Micr0$0ft
From: Jon Dowland <jmtd@debian.org>
Date: Wed, 6 Jun 2012 15:50:14 +0100
Message-id: <[🔎] 20120606145014.GD22416@debian>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 4FCF6BCD.9050001@lboro.ac.uk>
References: <[🔎] 20120605180127.GJ6442@n0nb.us> <[🔎] CAOEVnYss7mXb_jNzh+nYyGAQAXsthdziwP18_+Q8F_jiSYu_Gw@mail.gmail.com> <[🔎] 20120606033536.GK4462@n0nb.us> <[🔎] 4FCEDA0B.8050601@gmail.com> <[🔎] CAOdo=SwSzVmtasgxYwmYhqAEmCWeeyV_Ew_4tG8S7rCq3zkjWg@mail.gmail.com> <[🔎] 4FCF2BB8.9070909@gmail.com> <[🔎] CAOdo=SyALgri4pLTfNivZhDR+LKDPo0jrhnjvwxzq+DtM=KmVg@mail.gmail.com> <[🔎] 4FCF4557.600@gmail.com> <[🔎] 20120606135619.GB22416@debian> <[🔎] 4FCF6BCD.9050001@lboro.ac.uk>

On Wed, Jun 06, 2012 at 03:40:13PM +0100, Laurence Hurst wrote:
> I can see this turning into a support nightmare for Fedora when,
> inevitably, some hardware or firmware comes along which (at least as
> an interim measure until "official" fixes are released) requires the
> use of a newer kernel and/or module, or a patch/rebuild of an
> existing one.
> 
> I wonder how they will cope with the likes of nvidia/ati/intel who
> release their own kernel modules and installers outside of the
> distribution ecosystem, which will presumably be unsigned and a lot
> of people seem to use for the [potential/perceived] performance
> benefits.

In both cases, probably "disable secure boot".

> I doubt there will be an easy way to disable the secure boot BIOS
> setting on the users' behalf, even from a signed boot loader, as
> that would just lead to malware finding a way to silently disable it
> to get around it.

Said malware would need to have direct BIOS access and thus be executed
from a 'trusted' environment. 'Trusted' environments should disable
direct hardware access except for signed components.  The question is
whether having a program which *intended* to do it for you could be
signed and whether this would pass whatever requirements you are accepting
when you hand over the 99$.

-- 
Jon Dowland

Reply to:

References:
- Re: the ghost of UEFI and Micr0$0ft
  - From: Nate Bargmann <n0nb@n0nb.us>
- Re: the ghost of UEFI and Micr0$0ft
  - From: "Christofer C. Bell" <christofer.c.bell@gmail.com>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Nate Bargmann <n0nb@n0nb.us>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Scott Ferguson <scott.ferguson.debian.user@gmail.com>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Tom H <tomh0665@gmail.com>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Scott Ferguson <scott.ferguson.debian.user@gmail.com>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Tom H <tomh0665@gmail.com>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Scott Ferguson <scott.ferguson.debian.user@gmail.com>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Jon Dowland <jmtd@debian.org>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Laurence Hurst <L.A.Hurst@lboro.ac.uk>

Prev by Date: Re: [OT] Re: the ghost of UEFI and Micr0$0ft
Next by Date: Re: [OT] Re: the ghost of UEFI and Micr0$0ft
Previous by thread: Re: the ghost of UEFI and Micr0$0ft
Next by thread: Re: the ghost of UEFI and Micr0$0ft
Index(es):
- Date
- Thread