Fedora Linux Support Community & Resources Center
  #1  
Old 31st May 2012, 04:56 PM
bigflopper2 Offline
Registered User
 
Join Date: Dec 2011
Posts: 214
linuxfirefox
Fedora 18 to support UEFI Secure Boot

Matthew Garrett, kernel developer at Red Hat, has given details of the plans to ship Fedora 18 with the ability to boot under UEFI secure boot. The Secure Boot technology of UEFI will be enabled by default on future Windows 8 hardware and is designed to ensure that only appropriately digitally signed operating systems will boot.

As the only company actively pursuing this signing was Microsoft, the requirement had led many to conclude that Microsoft was locking other operating systems out of future PCs. Microsoft modified their position to allow x86 Windows machines to disable the secure boot option or to allow users to enrol their own keys, but Garrett says that "it's not really an option to force all our users to play with hard-to-find firmware settings before they can run Fedora".


http://www.h-online.com/open/news/it...t-1588057.html
  #2  
Old 31st May 2012, 05:49 PM
Penguinclaw Offline
Registered User
 
Join Date: Jul 2009
Location: UK
Posts: 146
linuxfirefox
Re: Fedora 18 to support UEFI Secure Boot

Agreeing to hook up with Microsoft for $99 so we can use their signing service..... bit unpleasant. They seem hell bent on making money out of everyone. I wonder how this sits with Fedora's principle of supplying only free software? Also I feel sorry for the small one man Linux distros that are struggling financially as it is.

Personally I think the whole thing stinks and they should be investigated for trying to monopolise the computer world
__________________
OSS - the way forward
  #3  
Old 31st May 2012, 06:18 PM
Gareth Jones Offline
Official Gnome 3 Sales Rep. (and Adminstrator)
 
Join Date: Jul 2011
Location: Birmingham, UK
Age: 32
Posts: 2,771
linuxfirefox
Re: Fedora 18 to support UEFI Secure Boot

I'm not sure that this is a politically clever move by Red Hat and Fedora with respect to the Linux community. It sets a precedent which has implications. Still, as long as the kernel and GRUB limitations are disabled when I disable "secure" boot I can live with it.
  #4  
Old 31st May 2012, 07:58 PM
bigflopper2 Offline
Registered User
 
Join Date: Dec 2011
Posts: 214
linuxfirefox
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by Penguinclaw View Post
Agreeing to hook up with Microsoft for $99 so we can use their signing service..... bit unpleasant. They seem hell bent on making money out of everyone. I wonder how this sits with Fedora's principle of supplying only free software? Also I feel sorry for the small one man Linux distros that are struggling financially as it is.

Personally I think the whole thing stinks and they should be investigated for trying to monopolise the computer world
there is nothing to add in my mind
  #5  
Old 31st May 2012, 10:03 PM
joncr Online
Registered User
 
Join Date: May 2012
Location: NC
Posts: 1,233
macossafari
Re: Fedora 18 to support UEFI Secure Boot

I'd wager that the typical computer user has never booted into the BIOS. Garrett is probably correct that requiring that to install Linux is asking too much.

As I understand this, a user dual booting Windows and an unsigned Linux, essentially an unsigned Linux boot loader, is likely to find that boot loader blacklisted by Microsoft, with the result that an eventual Microsoft update will render Windows, if not the machine, unbootable. That prospect would be a serious roadblock to attracting new people to Linux.

Apple is at least as committed to signing as Microsoft, so I would expect them to either go along with the MS scheme or implement their own. If that happens, and if the only way to run Linux is to disable secure boot, then Linux users will become the prime target for pre-boot malware.

We are rapidly heading to a world with signed software and signed hardware and all that implies. Linux, as a community, needs to come to terms with that. Spouting invective against Microsoft or Red Hat won't help at all. Ideas might.
  #6  
Old 31st May 2012, 10:03 PM
witek Offline
Registered User
 
Join Date: Oct 2009
Posts: 115
linuxfirefox
Re: Fedora 18 to support UEFI Secure Boot

Microsoft won once again - it dictates which operating system one can boot on one's hardware.
  #7  
Old 31st May 2012, 11:06 PM
RupertPupkin Offline
Registered User
 
Join Date: Nov 2006
Location: Detroit
Posts: 5,679
linuxfedorafirefox
Re: Fedora 18 to support UEFI Secure Boot

From the discussion on Slashdot it seems like a lot of nonsense is being spread about this by people who hate Red Hat (mostly users of other distros who for some reason don't like how successful Red Hat has been) and have trouble with reading comprehension. This is a one-time $99 fee (yes, 99 whole dollars!) that is just a convenience for inexperienced users who don't want to (or, more likely, are incapable of figuring out how to) go into the UEFI setup and disable Secure Boot (or enroll their own keys). That's right, $99 paid exactly once by Red Hat, not by anyone else or by any users.

Red Hat's Matthew Garrett explains it in this article:
Quote:
We explored the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it, but turned it down for a couple of reasons. First, while we had a surprisingly positive response from the vendors, there was no realistic chance that we could get all of them to carry it. That would mean going back to the bad old days of scouring compatibility lists before buying hardware, and that's fundamentally user-hostile. Secondly, it would put Fedora in a privileged position. As one of the larger distributions, we have more opportunity to talk to hardware manufacturers than most distributions do. Systems with a Fedora key would boot Fedora fine, but would they boot Mandriva? Arch? Mint? Mepis? Adopting a distribution-specific key and encouraging hardware companies to adopt it would have been hostile to other distributions. We want to compete on merit, not because we have better links to OEMs.

An alternative was producing some sort of overall Linux key. It turns out that this is also difficult, since it would mean finding an entity who was willing to take responsibility for managing signing or key distribution. That means having the ability to keep the root key absolutely secure and perform adequate validation of people asking for signing. That's expensive. Like millions of dollars expensive. It would also take a lot of time to set up, and that's not really time we had. And, finally, nobody was jumping at the opportunity to volunteer. So no generic Linux key.

The last option wasn't hugely attractive, but is probably the least worst. Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access edit: The $99 goes to Verisign, not Microsoft), but it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions. If there are better options then we haven't found them. So, in all probability, this is the approach we'll take. Our first stage bootloader will be signed with a Microsoft key.
As Garrett says, this solution is not ideal but was the "least worst" one, and I agree. For both newbies and companies it will lower the "barrier for entry" to Fedora. For experienced users it won't even be an issue, as they will know how to disable Secure Boot in the UEFI setup so they can install whatever distro or OS they want. All for the measly one-time price of $99 (as someone on Slashdot said, that $99 is less than it would cost Red Hat to even discuss the issue for 15 minutes with their attorneys).

People should read that article before jumping to conclusions. As someone on Slashdot said, there's a tendency for FUD to be spread by "people who don't have the foggiest idea of what's going on but see 'M$' and instantly go full retard." To that I would add that there is a segment of Linux users who go "full retard" over anything Red Hat does involving money (OMG, $99 to M$!, I'm boycotting Red Hat!).
__________________
OS: Fedora 20 x86_64 | Machine: HP Pavilion a6130n | CPU: AMD 64 X2 Dual-Core 5000+ 2.6GHz | RAM: 5GB PC5300 DDR2 | Disk: 400GB SATA | Video: ATI Radeon HD 4350 512MB | Sound: Realtek ALC888S | Ethernet: Realtek RTL8201N
  #8  
Old 31st May 2012, 11:28 PM
dd_wizard Online
Registered User
 
Join Date: Sep 2009
Posts: 1,435
linuxfedorafirefox
Re: Fedora 18 to support UEFI Secure Boot

And it didn't even go to Microsoft! What's the big deal about paying Verisign a $99 signing fee? This thread is good reading. A lot of thought went into the decision, and the people involved in making it would love for someone to suggest a better alternative.

dd_wizard
  #9  
Old 31st May 2012, 11:49 PM
Penguinclaw Offline
Registered User
 
Join Date: Jul 2009
Location: UK
Posts: 146
windows_7firefox
Re: Fedora 18 to support UEFI Secure Boot

Don't get me wrong, I am NOT slagging Red Hat or Fedora... my question was on the ethics from Fedora's standpoint. As you can see from the OS I'm posting from I do use Microsoft (although morally I'd be happier not to). I think it would be nice of perhaps Microsoft and vendors in helping the Linux community in using this (actually great) security feature.

I see these Goliath corporations making billions and I think to myself "Why can't they put something back into the computer world". I really don't think that as a desktop, Linux will ever be able to seriously compete with them. But we add as developers, programmers, even users so much back to the computer world; often for no financial gain. My interest is computers. My OS of choice is Linux, but I help many people I know sort out their PC problems for free.

So if any big wigs at MS, Asus etc read this; please think about what you could do.
__________________
OSS - the way forward
  #10  
Old 31st May 2012, 11:51 PM
Gareth Jones Offline
Official Gnome 3 Sales Rep. (and Adminstrator)
 
Join Date: Jul 2011
Location: Birmingham, UK
Age: 32
Posts: 2,771
linuxfirefox
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by joncr View Post
We are rapidly heading to a world with signed software and signed hardware and all that implies. Linux, as a community, needs to come to terms with that.
It's not something that can be "come to terms with". Only allowing software to run that has been signed (by a central authority) is fundamentally incompatible with free/open-source software, at least from a programmer's point of view. Yes, a distro can have its software signed, thus hiding the problem from normal users, but the only way Red Hat can get Fedora signed by Microsoft/whomever (the whoever is frankly irrelevant, I've no more problem with MS than I have with Apple or Google, or Red Hat or any other authority that isn't me frankly), is to have a "shim" boot-loader that the user never modifies, and to sign GRUB, the kernel, and any modules itself, and enforce signed-code only, at least in ring 0.

Unless the system allows me to compile/write my own kernel code, and sign it myself as "I, the user, administrator and legal owner of this machine, compiled/wrote/want this, I trust it, deal with it", then it's a problem. Luckily, for now, "trusted" boot can still be disabled.

Last edited by Gareth Jones; 1st June 2012 at 12:05 AM. Reason: Rephrased part of it.
  #11  
Old 31st May 2012, 11:55 PM
Penguinclaw Offline
Registered User
 
Join Date: Jul 2009
Location: UK
Posts: 146
windows_7firefox
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by Gareth Jones View Post
It's not something that can be "come to terms with". Only allowing software to run that has been signed (by a central authority) is fundamentally incompatible with free/open-source software, at least from a programmer's point of view. Yes, a distro can have its software signed, thus hiding the problem from normal users, but the only way Red Hat can get Fedora signed by Microsoft is to have a "shim" boot-loader that the user never modifies, and to sign GRUB, the kernel, and any modules itself (and enforce signed-code only, at least in ring 0).

Unless the system allows me to compile/write my own kernel code, and sign it myself as "I compiled/wrote this, I trust it, deal with that", then it's a problem. Luckily, for now, "trusted" boot can still be disabled.
+1 Totally in agreement
__________________
OSS - the way forward
  #12  
Old 1st June 2012, 12:07 AM
RupertPupkin Offline
Registered User
 
Join Date: Nov 2006
Location: Detroit
Posts: 5,679
linuxfedorafirefox
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by Gareth Jones View Post
Unless the system allows me to compile/write my own kernel code, and sign it myself as "I compiled/wrote this, I trust it, deal with that", then it's a problem.
Garrett's article mentions that users who want to build their own kernel will be able to "generate their own key and enrol it in their system firmware. We'll trust anything that's signed with a key that's present in the firmware."
__________________
OS: Fedora 20 x86_64 | Machine: HP Pavilion a6130n | CPU: AMD 64 X2 Dual-Core 5000+ 2.6GHz | RAM: 5GB PC5300 DDR2 | Disk: 400GB SATA | Video: ATI Radeon HD 4350 512MB | Sound: Realtek ALC888S | Ethernet: Realtek RTL8201N
  #13  
Old 1st June 2012, 12:11 AM
joncr Online
Registered User
 
Join Date: May 2012
Location: NC
Posts: 1,233
macossafari
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by Gareth Jones View Post
It's not something that can be "come to terms with". Only allowing software to run that has been signed (by a central authority) is fundamentally incompatible with free/open-source software, at least from a programmer's point of view. Yes, a distro can have its software signed, thus hiding the problem from normal users, but the only way Red Hat can get Fedora signed by Microsoft is to have a "shim" boot-loader that the user never modifies, and to sign GRUB, the kernel, and any modules itself (and enforce signed-code only, at least in ring 0).

Unless the system allows me to compile/write my own kernel code, and sign it myself as "I compiled/wrote this, I trust it, deal with that", then it's a problem. Luckily, for now, "trusted" boot can still be disabled.
I agree 100 percent. But, I'm not a developer. There's a similar fuss going on in the Apple world where developers will be required to get their products vetted and signed before they can appear in one of the App stores. I'm a Mac user, too, so I sympathize with those developers, but only so much.

When I argue we need to come to terms with it, that reflects my confidence that there is nothing we can do about it.

If MS is going to be pushed to change its plans, I suggest the effort be to convince them to avoid the "your hardware won't work unless we say so" approach and simply warn Windows users when pre-boot malware has been found. They can even disable Windows, for all I care. Their ability to disable or effectively outlaw other software should be resisted, through the courts, preferably.

I.e., I think MS has right to determine if a user's machine is harboring code that threatens to infect other machines running Windows. I think they have a right to react to that as they choose as long as those actions are restricted to the Windows ecology. That's as far as it goes.

Realistically, though, unless someone mounts a concerted legal challenge, I don't think MS will change course.
  #14  
Old 1st June 2012, 12:17 AM
dd_wizard Online
Registered User
 
Join Date: Sep 2009
Posts: 1,435
linuxfedorafirefox
Re: Fedora 18 to support UEFI Secure Boot

My favorite quote from the replies to mjg's blog:
Quote:
Re: Totally unacceptable
Date: 2012-05-31 09:16 pm (UTC)
From: (Anonymous)
"They would have had enough corporate and market power to prevent this situation from arising."

You're labouring under a huge misconception here. We don't have such power, quite simply.

Note pjones' caveat about the Windows 8 *Client* logo. As he says, this does not apply to servers. He invites you to draw your own conclusion. The obvious conclusion is that the combined 'corporate and market power' of people who write server OSes (us, and others), people who manufacture servers, and people who use them is such that they don't want this mess in that market, and it won't be. Fine.

But no, Red Hat absolutely does not have the 'corporate and market power' to impose our desires on the consumer PC hardware market. You'd like it if we did. I'm sure we'd like it if we did. But we don't.

--adamw
Adam summed it up pretty well, and I love the implications for MS in the server world.

dd_wizard
  #15  
Old 1st June 2012, 12:29 AM
Penguinclaw Offline
Registered User
 
Join Date: Jul 2009
Location: UK
Posts: 146
windows_7firefox
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by joncr View Post
Realistically, though, unless someone mounts a concerted legal challenge, I don't think MS will change course.
Maybe a job for the EU as they forced MS to offer other web browsers by default other than IE to the user (in Europe anyway!). Not sure about the US political system but I'm sure freedom is a personal right in America. If enough stink is created, politicians usually think "I could get votes out of this"!

---------- Post added at 12:29 AM ---------- Previous post was at 12:25 AM ----------

Quote:
Originally Posted by dd_wizard View Post
My favorite quote from the replies to mjg's blog:

Adam summed it up pretty well, and I love the implications for MS in the server world.

dd_wizard
Totally agree. Unfortunately
__________________
OSS - the way forward
All trademarks, and forum posts in this site are property of their respective owner(s).
FedoraForum.org is privately owned and is not directly sponsored by the Fedora Project or Red Hat, Inc.
