Fedora Linux Support Community & Resources Center
  #31  
Old 3rd June 2012, 12:58 AM
x616e Offline
Registered User
 
Join Date: Jun 2012
Location: UK
Posts: 2
Re: Fedora 18 to support UEFI Secure Boot

Is there a vote on this anywhere?

I for one will not accept any system, regardless of if I wanted to use Fedora or not, have keys owned by a third party. That is like giving that third party an ultimate override for your system. The point about a secure system is that it is secure against everyone. There is nothing stopping Microsoft doing deals with advertisers, governments, etc. allowing them to install spyware/malware on your system. If for example you are a government in a non USA country using these systems, a key owned by Microsoft (a USA company) is unacceptable, you cannot trust that. Even a key owned or signed through by a USA company (Verisign) for a USA company (Red Hat) is unacceptable. Fedora and hardware should remain impartial to geographical region.

If Fedora is going to do this rather than push to sort out the secure boot specification and get it fixed then sorry but I am not using Fedora anymore. Fedora should be pushing so that the person who owns the hardware owns and controls the keys, and also it ships disabled. Or if you must boots into "please enter password to take ownership mode" (if this is too uncool or "complicated" for users then tough, some people actually have real work to get on with on these systems using Linux). By supporting this Fedora are effectively supporting the coming of heavy Digital Restrictions Management, and proprietary technology which will come in the future. This will lead Fedora down a path which requires it to ship proprietary/patented technology. My specialization is security, and secure boot is essential to prevent malware and security threats, but the person who sets this up and signs the os is the person who owns the platform (me). I do not want to have to disable secure boot, or have to pay $99 to some USA company every time I recompile a kernel. This is almost like shipping Linux without a root account or sudo access.... it's useless.

I will move to another distribution that supports open software and systems. I am sure people in many other countries who are not so chummy with the USA will also follow suit.


Sorry if this post is a little incoherent, I am actually finding it hard to concentrate/breathe with all of this UEFI/Secure Boot stuff. This actually scares me, especially what it will mean in 5 years time.

---------- Post added at 10:58 PM ---------- Previous post was at 10:51 PM ----------

I would also find it unacceptable to have a Fedora key or even a Linux key on my system. What happens if I wanted to use FreeBSD or compile my own kernel, and have secure boot enabled? The point is I should be the one who does the signing and owns the keys from day one. No third party has control over my system. We all know keys can leak, and we all remember what happened to kernel.org. The current implementation of Secure Boot as Microsoft and Manufacturers want it is broken, it should ship disabled and the user should take ownership and decide to enable it, end of story.

Quote:
Originally Posted by RupertPupkin View Post
From the discussion on slashdot it seems like a lot of nonsense is being spread about this by people who hate Red Hat (mostly users of other distros who for some reason don't like how successful Red Hat has been) and have trouble with reading comprehension. This is a one-time $99 fee (yes, 99 whole dollars!) that is just a convenience for inexperienced users who don't want to (or, more likely, incapable of figuring out how to) go into the UEFI setup and disable Secure Boot (or enroll their own keys). That's right, $99 paid exactly once by Red Hat, not by anyone else or by any users.

Red Hat's Matthew Garrett explains it in this article:


As Garrett says, this solution is not ideal but was the "least worst" one, and I agree. For both newbies and companies it will lower the "barrier for entry" to Fedora. For experienced users it won't even be an issue, as they will know how to disable Secure Boot in the UEFI setup so they can install whatever distro or OS they want. All for the measly one-time price of $99 (as someone on slashdot said, that $99 is less than it would cost Red Hat to even discuss the issue for 15 minutes with their attorneys).

People should read that article before jumping to conclusions. As someone on slashdot said, there's a tendency for FUD to be spread by "people who don't have the foggiest idea of what's going on but see 'M$' and instantly go full retard." To that I would add that there is a segment of Linux users who go "full retard" over anything Red Hat does involving money (OMG, $99 to M$!, I'm boycotting Red Hat!).
  #32  
Old 3rd June 2012, 01:23 AM
deanej Offline
Registered User
 
Join Date: Nov 2011
Posts: 229
Re: Fedora 18 to support UEFI Secure Boot

I bet a million dollars that secure boot will do nothing against malware. Just look at Microsoft's kernel protection on x64 systems; it's so easy to get around that it might as well not be there; in fact, its purpose is not to secure the kernel against malware, but to restrict developers (to be fair, someone really did need to get the likes of Symantec out of the kernel). This is the exact same thing. Why should we expect MS to be any different now?

This is why it should be illegal to name something where the name would be misleading. This should not be called secure boot, because security has nothing to do with it. It should be called restricted boot. If it were called that, nobody would support it, and the name would be infinitely more accurate than it is now.

As far as I'm concerned, if a user does not want to be educated, they should not be allowed to use a computer. Stuff always gets ruined when they get adapted for use by normal consumers.

The moment you accept something as an inevitability, you lose. If we all acted like Richard Stallman, all of this stuff would never have even been proposed. We should be marching on these companies DEMANDING change. In fact, we should be demanding more than change; we should be demanding the immediate destruction of all companies that support stuff like this. I'm talking throwing executives in jail and liquidation of all assets, and a reprimand for all employees who didn't fight stuff like this.

Until we take radical measures to fight for our freedom, we will lose. I fully expect to see the future unfold exactly as in Richard Stallman's "Right to Read" unless we change course, and that won't happen if we don't demand change. Would we accept a world controlled by sociopaths? No. Why do we accept one controlled by corporations then? Corporations are the ultimate sociopaths, in fact they're incapable of being anything else!
  #33  
Old 3rd June 2012, 02:13 AM
jpollard Offline
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,878
Re: Fedora 18 to support UEFI Secure Boot

How will this affect the "Fedora Spins" where the spin contains alternate configurations used for the kernel? Will each have to be signed?... and who pays for that?

If this continues into RH releases, what about the CentOS/SL releases?
  #34  
Old 3rd June 2012, 04:19 AM
sonoran Offline
Registered User
 
Join Date: May 2005
Location: Sonoran Desert
Posts: 2,412
Re: Fedora 18 to support UEFI Secure Boot

There were discussions on the Fedora devel and users mailing lists last week:
http://lists.fedoraproject.org/piper...ne/167732.html
http://lists.fedoraproject.org/piper...ne/418990.html

No decision has been made yet, and those who will make the decision are open to other ideas.

What joncr said here is echoed on the mail list by Alan Cox:
Quote:
I've spent over ten years watching this particular game through things
like Palladium and other regulatory arsekicking along the way. The next
step being worked through standards bodies involves application layer
lockdown and extending lockdown to the web (things like making trusted
hardware in the system sign a certificate to prove the web server is
talking to a locked down device) - so as to shut out things like unwanted
copying by end users.
  #35  
Old 3rd June 2012, 12:46 PM
joncr Offline
Registered User
 
Join Date: May 2012
Location: NC
Posts: 1,272
Re: Fedora 18 to support UEFI Secure Boot

Many people reacting to all this want people to take to the streets and deploy teams of lawyers to start lawsuits. All that assumes the free software community is large enough and coherent enough to successfully bring enough pressure to bear to change the course of secure boot.

But, the free software community is not coherent. It is fragmented, with multiple players going in their own directions, forking code and forking licenses, behavior that appears from the outside as nothing less than petty religious schisms.

From a practical, PR, angle, how would we keep the public from equating free software's goals re: secure boot with those of criminals who want to break into their online bank accounts?

In addition, what remedy would legal action seek? Stop UEFI secure boot altogether? Block the release of Windows 8? On what basis? Microsoft says secure boot can easily be disabled. Much of the community appears to agree because this and other threads are full of assertions that Red Hat is wrong when it argues that disabling secure boot is too complex for mainstream users to attempt. Microsoft would be certain to argue that the disabling option is proof that secure boot is not an anti-trust violation.

How would we prevent the public from perceiving legal action as an attack on their security?

(I don't know if disabling UEFI secure boot will be easy. I do know that it could be easy if the boot process is designed to make it easy, instead of burying it three levels deep in technobabble BIOS menus.)

Windows 8 is nearing release. Legal action to block secure boot would take years to come to a final resolution. What course do we take in the meantime? What are the chances that distribution of secure boot-ready hardware can be blocked while legal action winds its way through the appellate courts?

More to the point, plans for UEFI secure boot were not unveiled with Matthew Garrett's posting. They've been public knowledge for a long time. To be blunt, where has the community been?

Perhaps the legal situation in Europe and elsewhere is different.


The public's perception of online security threats has been shaped almost entirely by its experience with Windows. I believe there is no possibility that they will see secure boot as anything other than a good thing. It will be invisible to almost all of them, as well.
  #36  
Old 3rd June 2012, 01:10 PM
jpollard Offline
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,878
Re: Fedora 18 to support UEFI Secure Boot

The most desirable thing is to have the ability to add your own certificates so that your own kernel can be used on your own system.
  #37  
Old 3rd June 2012, 04:00 PM
x616e Offline
Registered User
 
Join Date: Jun 2012
Location: UK
Posts: 2
Re: Fedora 18 to support UEFI Secure Boot

Hi, I continually like to reiterate that the USA is not the center of the world. I find it unacceptable to have to pay Verisign, I find it unacceptable for even Fedora/Red Hat to own a key to my system. There are plenty of other distributions who will be locked out of this system. People who cannot or do not want to pay the $99, this is creating an uneven base for free software... those backed by commercial idiots or those who believe in free software. This is in itself an anti-trust situation in free software. If you guys were a BSD licensed software provider then I would have less objection, but you are a GPL software provider and should follow whatever RMS says. It's not just about what is written in a license agreement it is also about how you participate in the community.

Red Hat should be leading the charge against the current format of Secure Boot, not giving in.... (obviously the American way is to give in to whatever commercial / law suit pressure). Companies are law you know.... lol.
If you are not part of the design then you are just a slave to the system, and Fedora will be a slave to Secure Boot, signing and maybe even revocation, increased costs, and many other situations over the next 10 years. Secure boot is just a tip to what is happening on mobile devices, locked down, no root access. ARM should be no special case. It is a PC capable architecture just the same.

The point is secure boot should ship disabled and be an option of the user during first start up. Upon receiving a new system the user is asked if they want to enable, and enters a password, a tamper resistant device then creates the signing keys and stores them using this password. It then gives the user the option to sign the currently (pre-installed) operating systems, or install a new operating system and then sign it. I own the keys, end of story. There should be no third party keys on my system, unless I have explicitly put them there. Don't get me started on SSL......


Quote:
Originally Posted by joncr View Post
Many people reacting to all this want people to take to the streets and deploy teams of lawyers to start lawsuits. All that assumes the free software community is large enough and coherent enough to successfully bring enough pressure to bear to change the course of secure boot.

But, the free software community is not coherent. It is fragmented, with multiple players going in their own directions, forking code and forking licenses, behavior that appears from the outside as nothing less than petty religious schisms.

From a practical, PR, angle, how would we keep the public from equating free software's goals re: secure boot with those of criminals who want to break into their online bank accounts?

In addition, what remedy would legal action seek? Stop UEFI secure boot altogether? Block the release of Windows 8? On what basis? Microsoft says secure boot can easily be disabled. Much of the community appears to agree because this and other threads are full of assertions that Red Hat is wrong when it argues that disabling secure boot is too complex for mainstream users to attempt. Microsoft would be certain to argue that the disabling option is proof that secure boot is not an anti-trust violation.

How would we prevent the public from perceiving legal action as an attack on their security?

(I don't know if disabling UEFI secure boot will be easy. I do know that it could be easy if the boot process is designed to make it easy, instead of burying it three levels deep in technobabble BIOS menus.)

Windows 8 is nearing release. Legal action to block secure boot would take years to come to a final resolution. What course do we take in the meantime? What are the chances that distribution of secure boot-ready hardware can be blocked while legal action winds its way through the appellate courts?

More to the point, plans for UEFI secure boot were not unveiled with Matthew Garrett's posting. They've been public knowledge for a long time. To be blunt, where has the community been?

Perhaps the legal situation in Europe and elsewhere is different.


The public's perception of online security threats has been shaped almost entirely by its experience with Windows. I believe there is no possibility that they will see secure boot as anything other than a good thing. It will be invisible to almost all of them, as well.
  #38  
Old 3rd June 2012, 05:51 PM
kurt m Offline
Banned
 
Join Date: May 2011
Posts: 13
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by sonoran View Post
There were discussions on the Fedora devel and users mailing lists last week:
http://lists.fedoraproject.org/piper...ne/167732.html
http://lists.fedoraproject.org/piper...ne/418990.html

No decision has been made yet, and those who will make the decision are open to other ideas.
You mean just like they were open to other ideas in regards to Gnome 3 the default desktop?

Yeah, right.
  #39  
Old 4th June 2012, 12:20 AM
RupertPupkin Offline
Registered User
 
Join Date: Nov 2006
Location: Detroit
Posts: 5,713
Re: Fedora 18 to support UEFI Secure Boot

To the people saying Red Hat should do this and do that, it comes off as armchair quarterbacking, not to mention pissing in the wind. Generic calls for Red Hat to "fight" and other vague generalities are pretty useless. Do you really think Red Hat wanted this? Hell no. People thinking that Red Hat has some enormous influence in the PC market are deluded. Here is the list of the 11 companies making up the UEFI Forum board of directors. Do you see Red Hat on that list? No. And you seriously think those 11 companies are going to do Red Hat -- or Linux in general -- any favors? Not even IBM, which does support Linux, felt the need to. That should tell you something. Some people complaining here have lost touch with reality.

Fedora is not taking away anyone's rights. Anyone will have the option to disable Secure Boot if they want to, and install Fedora or any other distro they want. All this solution -- which is not set in stone and could still change, by the way -- does is make it easier for non-experienced users to install Fedora (plus make it easier for Fedora installs to be automated for companies that use Fedora on the desktop). What is wrong with that? Again, nothing is being taken away. If you don't like Secure Boot, don't enable it. That's what I'm going to do (when I get around to finally upgrading my main machine someday). You're not using Secure Boot now, and you'll continue to be able to not use it.

The issues with Secure Boot and Linux have been known for a long time. Expect Canonical to follow Red Hat's lead and do the same thing for Ubuntu (i.e. pay the one-time $99 fee to Verisign). Canonical and Red Hat, by the way, are members of the UEFI Forum. They both wanted a different solution, but it appears they were outvoted. Read this article to see some of Canonical's ideas for how Secure Boot "should" have been implemented. Obviously their wishes didn't come to pass. So it's not like members of the Linux community wanted this to happen. We're dealing with the harsh reality of an approximately 1% desktop market share for Linux. Sorry, but we Linuxers simply don't have that much pull, no matter how badly anyone here wants to believe we do.
__________________
OS: Fedora 20 x86_64 | Machine: HP Pavilion a6130n | CPU: AMD 64 X2 Dual-Core 5000+ 2.6GHz | RAM: 5GB PC5300 DDR2 | Disk: 400GB SATA | Video: ATI Radeon HD 4350 512MB | Sound: Realtek ALC888S | Ethernet: Realtek RTL8201N
  #40  
Old 4th June 2012, 01:47 AM
jpollard Offline
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,878
Re: Fedora 18 to support UEFI Secure Boot

The problem is that being able to "don't enable it" is also being taken away.

There is nothing directly wrong EXCEPT the inability to set your own certs. Why should a distributor have to pay for it?

Right now, it is a single $99 fee. But in the future it will be a $99 fee for EVERY KERNEL DISTRIBUTED. Including those for kernel updates. And don't forget, driver modules will also have to be signed...

Eventually, I expect the ability to "don't enable it" to be taken away.

Is this what is happening NOW? no, not yet anyway.

I run patched kernels (my own), and even run patched boot modules (occasionally). Will I still be able to put my own boot on there? nope.

And what happens when the key is cracked? will I still be able to boot updates on my old hardware? or will it be blocked due to out-of-date signing certs that can't be replaced?
  #41  
Old 4th June 2012, 11:48 AM
bigflopper2 Offline
Registered User
 
Join Date: Dec 2011
Posts: 214
Re: Fedora 18 to support UEFI Secure Boot

@RupertPupkin
we all know M$ (how to stop open source), you really think it's done with a single fee of $99? M$ will take the chance and cause problems for us in the future...

and btw, "1% desktop market" is not true...


"The whip of the overseer will be replaced by the silent compulsion of economic relations"

What do you think, where's M$ role in this context? There you go.



@jpollard
this hits the nail on the head, like I said, M$ will cause problems and you describe the beginnings

Last edited by bigflopper2; 4th June 2012 at 11:52 AM.
  #42  
Old 4th June 2012, 01:35 PM
joncr Offline
Registered User
 
Join Date: May 2012
Location: NC
Posts: 1,272
Re: Fedora 18 to support UEFI Secure Boot

@RupertPupkin is right. The immediate impact of secure boot is on Linux distributors, not users. And they have three choices. 1. Do nothing. 2. Do what Red Hat is proposing. 3. Rant online about how evil MS is and how someone ought to do something.

Options 1 and 3 are equivalent.

The vast majority of computer users will not only accept secure boot, they will welcome it. They *want* their hardware and their software locked down. They don't care at all about source code or building kernels or any of the rest. (Likewise for most Linux users.) They want their PC's and their mobile devices to be as steady and as reliable as their TV's and refrigerators. Efforts by Linux and the free software communities to push back against this will only cement the association the public already makes between those communities and online criminality.

It all sucks, but I think we're stuck with it, like winter in Minnesota.
  #43  
Old 4th June 2012, 01:54 PM
bob Online
Administrator (yeah, back again)
 
Join Date: Jul 2004
Location: Colton, NY; Junction of Heaven & Earth (also Routes 56 & 68).
Age: 69
Posts: 22,204
Re: Fedora 18 to support UEFI Secure Boot

Just a thought from a foggy brain, but what does this mean to the hundreds of other distros out there? It's a solution for Fedora, but how many one-man operations are likely to fork out $99 to have their 'buntu clone install on Win8 machines?
__________________
Linux & Beer - That TOTALLY Computes!
Registered Linux User #362651


Don't use any of my solutions on working computers or near small children.
  #44  
Old 4th June 2012, 02:08 PM
jpollard Offline
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,878
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by bob View Post
Just a thought from a foggy brain, but what does this mean to the hundreds of other distros out there? It's a solution for Fedora, but how many one-man operations are likely to fork out $99 to have their 'buntu clone install on Win8 machines?
THAT is the problem.

It will block any new development - unless you can afford to pay and pay and pay...

Eventually I expect MS to not allow Verisign to provide any other certs, no matter what the price.
  #45  
Old 4th June 2012, 03:59 PM
mmix Offline
Registered User
 
Join Date: Aug 2009
Posts: 1,146
Re: Fedora 18 to support UEFI Secure Boot

it will be gr8 if F18/F19 support coreboot, I have tried win8, feeling like vista. ;p
http://www.coreboot.org/Welcome_to_coreboot