Re: the ghost of UEFI and Micr0$0ft

To: debian-user@lists.debian.org
Subject: Re: the ghost of UEFI and Micr0$0ft
From: Roger Leigh <rleigh@codelibre.net>
Date: Fri, 8 Jun 2012 11:44:32 +0100
Message-id: <[🔎] 20120608104432.GV15644@codelibre.net>
In-reply-to: <[🔎] CAOEVnYtS_aVJVS-2bkAkA5aACBLnaT4Cp0M_Ax9Y3C2JNmnyfQ@mail.gmail.com>
References: <[🔎] 4FCE2D01.1090906@optonline.net> <[🔎] 20120605182626.7f21d335@ares.home.chubig.net> <[🔎] 4FCE3B09.50104@optonline.net> <[🔎] 20120605191855.3d0611ad@ares.home.chubig.net> <[🔎] 20120605180127.GJ6442@n0nb.us> <[🔎] CAOEVnYss7mXb_jNzh+nYyGAQAXsthdziwP18_+Q8F_jiSYu_Gw@mail.gmail.com> <[🔎] 87sje9ulsb.fsf@catnip.gol.com> <[🔎] 4FCEE02E.30007@gmail.com> <[🔎] 878vfzty92.fsf@catnip.gol.com> <[🔎] CAOEVnYtS_aVJVS-2bkAkA5aACBLnaT4Cp0M_Ax9Y3C2JNmnyfQ@mail.gmail.com>

On Thu, Jun 07, 2012 at 09:33:45PM -0500, Christofer C. Bell wrote:
> On Thu, Jun 7, 2012 at 1:46 AM, Miles Bader <miles@gnu.org> wrote:
> > Scott Ferguson <scott.ferguson.debian.user@gmail.com> writes:
> >>>> You can't disable the code signing requirement on ARM.
> >>>
> >>> ... which is a great deal more worrying.
> >>
> >> Yes. And no.
> >> I'd hate to see a situation where it was impossible to buy an ARM (or
> >> other CPU based board) without UEFI that can be disabled - but I support
> >> devices that can be made to *only* run signed code *provided* MS is
> >> *not* the certificate agency.
> >
> > Would that mean anybody who wants to build their own kernel would need
> > to buy a signing key?
> 
> Not at all.  You can generate your own key and load it into your UEFI.

This is of course a major part of the problem.  There are no
guarantees that you will be able to install your own keys into
your device.  That's up to the UEFI implementor.

>  It's no different a situation than using self-signed ssl certs
> without buying one from a certificate authority.  There's no need to
> pay any money to anyone to use the secure boot feature.  Is it a
> hassle?  Sure, but you're not beholden to any 3rd party regardless.

If you have the ability to install your public cert, then sure.
But how many implementors will choose to provide only Microsoft's
key, and provide no facility for changing it?  For ARM systems
running Windows 8, I suspect that will be most of them.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800

Reply to:

References:
- Re: the ghost of UEFI and Micr0$0ft
  - From: Doug <dmcgarrett@optonline.net>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Claudius Hubig <debian_1206@chubig.net>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Doug <dmcgarrett@optonline.net>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Claudius Hubig <debian_1206@chubig.net>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Nate Bargmann <n0nb@n0nb.us>
- Re: the ghost of UEFI and Micr0$0ft
  - From: "Christofer C. Bell" <christofer.c.bell@gmail.com>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Miles Bader <miles@gnu.org>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Scott Ferguson <scott.ferguson.debian.user@gmail.com>
- Re: the ghost of UEFI and Micr0$0ft
  - From: Miles Bader <miles@gnu.org>
- Re: the ghost of UEFI and Micr0$0ft
  - From: "Christofer C. Bell" <christofer.c.bell@gmail.com>

Prev by Date: Re: asm/ioctls.h in kernel headers
Next by Date: Re: asm/ioctls.h in kernel headers
Previous by thread: Re: the ghost of UEFI and Micr0$0ft
Next by thread: Re: the ghost of UEFI and Micr0$0ft
Index(es):
- Date
- Thread