
Re: debian installation issue



On 22/06/21 12:54 am, Steve McIntyre wrote:
[ Apologies, missed this last week... ]

tomas@tuxteam.de wrote:

On Mon, Jun 14, 2021 at 09:20:52AM +0300, Andrei POPESCU wrote:
On Vi, 11 iun 21, 15:07:11, Greg Wooledge wrote:
> Secure Boot (Microsoft's attempt to stop you from using Linux) relies on
> UEFI booting, and therefore this was one of the driving forces behind it,
> but not the *only* driving force.  If your machine doesn't use Secure Boot,
> don't worry about it.  It won't affect you.

While I'm not a fan of Microsoft:

https://wiki.debian.org/SecureBoot#What_is_UEFI_Secure_Boot_NOT.3F

Quoting from there:

 "Microsoft act as a Certification Authority (CA) for SB, and they will
  sign programs on behalf of other trusted organisations so that their
  programs will also run."

Now two questions:

- do you know any other alternative CA besides Microsoft who is
  capable of effectively doing this? In a way that it'd "work"
  with most PC vendors?

I've been in a number of discussions about this over the last few
years, particularly when talking about adding arm64 Secure Boot and
*maybe* finding somebody else to act as CA for that. There's a few
important (but probably not well-understood) aspects of the CA role
here:

  * the entity providing the CA needs to be stable (changing things is
    expensive and hard)
  * they need to be trustworthy - having an existing long-term business
    relationship with the OEMs is a major feature here
  * they need to be *large* - if there is a major mistake that might
    cause a problem on a lot of machines in production, the potential
    cost liability (and lawsuits) from OEMs is *huge*

There are not many companies who would fit here. Intel and AMD are
both very interested in enhancing trust and security at this kind of
level, but have competing products and ideas, for example.

Is that something that needs to be done by one company? Perhaps because of how SecureBoot is implemented?

I'd prefer to be able to add Debian's key either in addition to or instead of Microsoft's, which could also be happily installed alongside those of Intel, AMD, your favourite government security agency or whoever. And Debian can get theirs signed by whichever of those they might think is appropriate. But I want to be able to reduce that list to just Debian's, or just the EFF's, or mine. Whatever combination I choose.

I think that should all work ok? Changing things, rather than being expensive and hard, should just be a matter of either getting a new organisation to sign Debian's key, and/or having them revoke one. As one of those on the list.

As an aside, I'd like to see this with web certificates too - I want to be able to get my cert signed by LetsEncrypt _and_ whatever commercial CA or CAs I choose, so if one of them does something stupid and needs to be removed from the list of approved CAs, it doesn't break the internet, because any significant site will have its certs signed by others as well.

Richard

