Fedora Linux Support Community & Resources Center
  #16  
Old 1st June 2012, 08:26 AM
sonoran Offline
Registered User
 
Join Date: May 2005
Location: Sonoran Desert
Posts: 2,394
linuxfirefox
Re: Fedora 18 to support UEFI Secure Boot

Quote:
While Microsoft have modified their original position and all x86 Windows machines will be required to have a firmware option to disable this or to permit users to enrol their own keys, it's not really an option to force all our users to play with hard to find firmware settings before they can run Fedora.
--Matthew Garrett (emphasis mine) http://mjg59.dreamwidth.org/12368.html

Fedora's decision seems to be based on the delusion that vast numbers of its users are too technically inept to go into the BIOS and turn off secure boot. While a plug and play, hassle-free "user experience" (a euphemism I have come to loathe) may be Fedora's goal, in reality they are light-years away from achieving that.

Having a dream is one thing, confusing it with reality quite another.

Quote:
Originally Posted by joncr View Post
I'd wager that the typical computer use has never booted into the BIOS. Garrett is probably correct that requiring that to install Linux is asking too much.
The typical Fedora user is not the same as the typical computer user, which is why Linux as a whole has been stuck at <2% of the market for years.
Reply With Quote
  #17  
Old 1st June 2012, 09:01 AM
hadrons123 Offline
'The Blue Dragon'
 
Join Date: Jan 2011
Location: Pitt,PA
Posts: 1,260
linuxfirefox
Re: Fedora 18 to support UEFI Secure Boot

What if the hardware vendor doesn't include the option of disabling secureboot in UEFI?
__________________
LENOVO Y580 FHD Intel® Core™ i7-3630QM CPU @ 2.40GHz × 8 |660M GTX NVIDIA | 16 GB SSD
Reply With Quote
  #18  
Old 1st June 2012, 10:23 AM
sonoran Offline
Registered User
 
Join Date: May 2005
Location: Sonoran Desert
Posts: 2,394
linuxfirefox
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by hadrons123 View Post
What if the hardware vendor doesn't include the option of disabling secureboot in UEFI?
Then don't buy that hardware.
Reply With Quote
  #19  
Old 1st June 2012, 10:29 AM
hadrons123 Offline
'The Blue Dragon'
 
Join Date: Jan 2011
Location: Pitt,PA
Posts: 1,260
linuxfirefox
Re: Fedora 18 to support UEFI Secure Boot

Do you check the UEFI capablities before making a purchase?

Even though secure boot specifications for win 8 requires a way for disabling secure boot option,which is not a rule to be strictly adhered, and what if vendors don't respect it?

I have seen so many HP laptops with very very few options for the user to change.
__________________
LENOVO Y580 FHD Intel® Core™ i7-3630QM CPU @ 2.40GHz × 8 |660M GTX NVIDIA | 16 GB SSD

Last edited by hadrons123; 1st June 2012 at 10:32 AM.
Reply With Quote
  #20  
Old 1st June 2012, 11:48 AM
joncr Offline
Registered User
 
Join Date: May 2012
Location: NC
Posts: 1,235
macossafari
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by sonoran View Post
The typical Fedora user is not the same as the typical computer user, which is why Linux as a whole has been stuck at <2% of the market for years.
The possibility exists that some people, at least, would like to see an improvement in those numbers. Moving from Windows to Linux is a big deal for people. This is especially true for people with a single drive populated with data and files they want to preserve. The challenge of getting rid of Windows and installing Linux while preserving those data and files is a risk many won't even consider, no matter what they think of Windows. Anything that makes that move more problematic means fewer people make the move.

It's also worth considering the security and reputational implications of millions of Linux desktops running on hardware with secure boot turned off, while Windows and and OS X and iOS are locked down.

Distrust of Microsoft shouldn't blind us to the reality that the industry is moving to a signed code regime. Linux has to deal with it. Personally, I don't think telling prospective users to disable secure boot is appropriate. (The equivalent may not even be possible on the eventual Apple machines that do this. Apple is out today with a document outlining how signing is used in iOS hardware. The chain starts with signed code embedded in devices at the factory. The odds that Apple will not do the same thing in future Mac and MacBooks is, I believe, effectively nil. )
Reply With Quote
  #21  
Old 1st June 2012, 01:49 PM
Gareth Jones Offline
Official Gnome 3 Sales Rep. (and Adminstrator)
 
Join Date: Jul 2011
Location: Birmingham, UK
Age: 32
Posts: 2,771
linuxfirefox
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by RupertPupkin View Post
Garrett's article mentions that users who want to build their own kernel will be able to "generate their own key and enrol it in their system firmware. We'll trust anything that's signed with a key that's present in the firmware."
Indeed, and that's good (thanks Red Hat!), but it shouldn't need a benevolent second layer of signing (as provided by Red Hat's proposed infrastructure). Does UEFI-level secure boot mandate a facility for the administrator to sign their own boot images? If not, then we're still ultimately at the mercy of the central signing authority. They could decide they don't trust Red Hat after all, and then Red Hat's trust in us is useless.
Reply With Quote
  #22  
Old 1st June 2012, 02:40 PM
joncr Offline
Registered User
 
Join Date: May 2012
Location: NC
Posts: 1,235
macossafari
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by Gareth Jones View Post
I...f not, then we're still ultimately at the mercy of the central signing authority. They could decide they don't trust Red Hat after all, and then Red Hat's trust in us is useless.
If I understand Garrett correctly, anyone making hardware to sell into the Windows market is in the same position. I.e., they'll be counting on Microsoft not to blacklist a product for reasons that have nothing to do with security.

Anyone know if this also applies to things we plug in rather than install inside the machine? For example, are USB sticks going to need a key blessed by MS?
Reply With Quote
  #23  
Old 1st June 2012, 03:42 PM
JONOR Offline
Registered User
 
Join Date: Aug 2007
Location: Cornwall England
Posts: 333
linuxfirefox
Fedora 18 to support UEFI Secure Boot

It would be nice to have a straw poll asking if the Bios has been adjusted or not,
i have to use it every time a new Fedora install is made.
I imagine the majority on Fedora newbies would be quite comfortable adjusting it.
Reply With Quote
  #24  
Old 1st June 2012, 04:25 PM
srs5694 Offline
Registered User
 
Join Date: Jan 2011
Location: Woonsocket, RI
Posts: 521
linuxfirefox
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by sonoran View Post
Fedora's decision seems to be based on the delusion that vast numbers of its users are too technically inept to go into the BIOS and turn off secure boot. While a plug and play, hassle-free "user experience" (a euphemism I have come to loathe) may be Fedora's goal, in reality they are light-years away from achieving that.
Even if only 10% of the user base would have problems disabling Secure Boot, can you imagine the chaos if even 10% of those started posting here demanding help? For paid-support versions like RHEL, the costs of providing that support would become a serious problem.

Quote:
Originally Posted by hadrons123
What if the hardware vendor doesn't include the option of disabling secureboot in UEFI?
On x86-64 systems that have the Windows 8 logo, this won't be a problem; Microsoft's requirements for the logo say that there must be a firmware option to disable Secure Boot. This will be an issue for ARM devices that bear the Windows 8 logo, though. For them, it's the other way around; the Windows 8 logo requirements say that there must not be an option to disable Secure Boot.

Quote:
Originally Posted by joncr
Personally, I don't think telling prospective users to disable secure boot is appropriate.
I disagree. From what I've heard, Secure Boot has so many flaws that it's a joke -- or it would be, except that it's poised to cause so many problems. I'm skeptical that it will significantly improve system security, but I'm certain it will cause problems for the open source community. I may change my opinion in the future, of course, and all of this also depends on the OS(es) you run. Keeping Secure Boot enabled makes more sense on a system that dual-boots Linux and Windows than on a Linux-only computer. Personally, I plan to avoid running Windows 8 if at all possible. Metro revolts me, and the recent announcement of a change to the license terms that forbids suing Microsoft in favor of binding arbitration is something to avoided, too.
Reply With Quote
  #25  
Old 1st June 2012, 08:01 PM
sonoran Offline
Registered User
 
Join Date: May 2005
Location: Sonoran Desert
Posts: 2,394
linuxfirefox
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by joncr View Post
The possibility exists that some people, at least, would like to see an improvement in those numbers.
As would I, but I was referring to the world as it is, not the way we would like it to be.

But the significant feature of that reality is that the desktop market is shrinking, and this will only accelerate in the future. Mobile devices, ARM, and the cloud are the future; I guess it shouldn't surprise or disappoint me that Fedora won't take a stand and fight over what amounts to table scraps.

My criticism was aimed more at the stated reason for the decision than the decision itself. Your other arguments, while beyond my competence, are persuasive. Thanks.
Reply With Quote
  #26  
Old 1st June 2012, 08:36 PM
joncr Offline
Registered User
 
Join Date: May 2012
Location: NC
Posts: 1,235
linuxfirefox
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by sonoran View Post
..the desktop market is shrinking, and this will only accelerate in the future.
Indeed it is, and I think that makes it even more likely that signed code and, in effect, signed hardware, is just around the corner.

It will only take one or two highly publicized pre-boot attacks to shine a spotlight on any OS that requires or recommends disabling secure boot. Whether or not secure boot is actually effective in preventing such attacks is less important than the certain knowledge of millions of Windows users that their machines are vulnerable. That knowledge may not be very sophisticated, but I'd wager most Windows users will be afraid to disable secure boot. Especially if that means Microsoft will disable their machine, which appears to be the case if they run an unsigned Linux.
Reply With Quote
  #27  
Old 2nd June 2012, 04:44 AM
deanej Offline
Registered User
 
Join Date: Nov 2011
Posts: 229
linuxchrome
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by joncr View Post
The possibility exists that some people, at least, would like to see an improvement in those numbers. Moving from Windows to Linux is a big deal for people. This is especially true for people with a single drive populated with data and files they want to preserve. The challenge of getting rid of Windows and installing Linux while preserving those data and files is a risk many won't even consider, no matter what they think of Windows. Anything that makes that move more problematic means fewer people make the move.

It's also worth considering the security and reputational implications of millions of Linux desktops running on hardware with secure boot turned off, while Windows and and OS X and iOS are locked down.

Distrust of Microsoft shouldn't blind us to the reality that the industry is moving to a signed code regime. Linux has to deal with it. Personally, I don't think telling prospective users to disable secure boot is appropriate. (The equivalent may not even be possible on the eventual Apple machines that do this. Apple is out today with a document outlining how signing is used in iOS hardware. The chain starts with signed code embedded in devices at the factory. The odds that Apple will not do the same thing in future Mac and MacBooks is, I believe, effectively nil. )
The numbers won't improve unless Linux starts appearing on pre-built boxes. Most users find the process of installing an OS to be the territory of uber-geeks. Unfortunately interia is pretty strong too; if I had a penny for every time I had to do some computer wizardry to make something I need to do for someone else (typically a company for my college) work properly in Linux or that I've had to reboot into Windows, I'd be rich. For example, any PDF with embedded forms won't work in anything but Adobe Reader. My resume requires Word, as some companies like to do keyword searches on .doc files and LibreOffice isn't good enough at preserving formatting for a resume. Industry standards are very powerful forces.

We really should be opposing the signed code push. And not just by talking, by taking action. Why aren't companies that introduce this stuff sued with anti-trust violations? Why don't the other companies agree to not support it? It would be better for everyone but the would-be monopoly if we did stuff like this. Unless we organize to tell these companies that they have no right to dictate this stuff, we will lose.


Quote:
Originally Posted by joncr View Post
Indeed it is, and I think that makes it even more likely that signed code and, in effect, signed hardware, is just around the corner.

It will only take one or two highly publicized pre-boot attacks to shine a spotlight on any OS that requires or recommends disabling secure boot. Whether or not secure boot is actually effective in preventing such attacks is less important than the certain knowledge of millions of Windows users that their machines are vulnerable. That knowledge may not be very sophisticated, but I'd wager most Windows users will be afraid to disable secure boot. Especially if that means Microsoft will disable their machine, which appears to be the case if they run an unsigned Linux.
We need to fight back on that stuff. "Trusted computing" has absolutely nothing to with whether a user can trust his computer; it's all about whether the RIAA can trust your computer. What we need is a law stating that what something is called should conform to an average user's common sense perception of what something with that name would do.
Reply With Quote
  #28  
Old 2nd June 2012, 08:43 AM
elias12 Offline
Registered User
 
Join Date: May 2012
Location: germany
Posts: 49
linuxchrome
Re: Fedora 18 to support UEFI Secure Boot

Very interesting: http://fsfe.org/campaigns/generalpur...-analysis.html

A further indication of the monopoly in this area. Educating users not to buy such hardware to provide the hardware manufacturers continue to develop independently.
Reply With Quote
  #29  
Old 2nd June 2012, 11:56 AM
joncr Offline
Registered User
 
Join Date: May 2012
Location: NC
Posts: 1,235
macossafari
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by deanej View Post
The numbers won't improve unless Linux starts appearing on pre-built boxes. Most users find the process of installing an OS to be the territory of uber-geeks.
I don't think there is any prospect of that happening. It really has little or nothing to do with Microsoft's behavior in the market. The desktop market is dominated by Microsoft, with Apple making a clear push to dominate the mobile market. That would not change even if both firms began offering Linux (people would turn it down) and MS stopped compelling hardware vendors to load Windows on their hardware. They would do it anyway to satisfy demand.

This creates a de facto standard, People like standards. They do not like an IT environment that compels them to make a lot of choices. From their point of view, that choice amounts to worrying about how to figure out which program/device will work with their existing system. As a result, the IT market has always tended to be dominated by a few big players. [/quote]

Quote:
Originally Posted by deanej View Post
-
We really should be opposing the signed code push. And not just by talking, by taking action. Why aren't companies that introduce this stuff sued with anti-trust violations? fight back on that stuff.
Pushback would be widely seen as playing to the interests of the malware industry. Pre-boot attacks aren't fiction. The Linux community would be portrayed, with some legitimacy, as trying to use the courts to block users from taking legitimate security measures.

I don't know if this constitutes an anti-trust violation. I do know I think it is a hamfistedly wrong approach to a real issue. But, no one is being forced to use secure boot unless they want to run Windows 8. MS would argue that users can run any OS they choose and they would argue that requiring a specific firmware setting for software to run is hardly anything new and unique. [I'd be happier if the UEFI standard permitted unattended software to change the secure boot setting. Then, vendors could ship hardware with it turned off or on, as they chose. Windows would then turn on that option. That would restrict the impact of all this to Windows users.)

I think the Linux community should, as a single entity, create its own key and act as its own vetting agency, bypassing MS altogether. I know the community won't/can't do that. And, that's sad.

Like it or not, we can see the future of hardware by looking at Apple's iPad and iPhones: Locked down hardware, signed and sandboxed software. The public will support this, even be enthusiastic about it, because they want to leave behind the annoying insecure world of Windows. Yes, they might do the same with Linux, But, 20 years down the road, it is very clear they have no interest in that. (Suggestions that we need to "educate" them are silly. People no more want to be educated about computers than they want to be educated about how their TV works.)

Last edited by joncr; 2nd June 2012 at 12:04 PM.
Reply With Quote
  #30  
Old 2nd June 2012, 02:54 PM
Gareth Jones Offline
Official Gnome 3 Sales Rep. (and Adminstrator)
 
Join Date: Jul 2011
Location: Birmingham, UK
Age: 32
Posts: 2,771
linuxfirefox
Re: Fedora 18 to support UEFI Secure Boot

Quote:
Originally Posted by deanej View Post
"Trusted computing" has absolutely nothing to with whether a user can trust his computer; it's all about whether the RIAA can trust your computer.
Ineed, it all comes back to the usual cartels, conflating "security" and "trust" with their own agendas.

I own the device. I should own the master key*. Otherwise, how can I trust it? I've no problem with companies like Microsoft or Apple etc. offering signing as a free security service to their customers, or even setting the default configuration on pre-installed machines to trust their signatures without bothering the user, but the owner of the machine should always have ultimate control of signing and signature trust – that's pretty fundamental for a general-purpose computer.

* As soon as I posted this, I realized that it'd be read as "master crypto key", so I better clarify I meant it metaphorically, in the sense that a general-purpose computer that I own should never be locked against me.

Last edited by Gareth Jones; 2nd June 2012 at 02:58 PM.
Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
UEFI Boot Support & Partitioning... R0b0ty Installation, Upgrades and Live Media 7 11th November 2011 01:12 AM
uefi and g200ev text console support balken Using Fedora 0 12th May 2011 07:14 PM
UEFI boot-capable Fedora CD/DVD rdh F14 Development 9 25th October 2010 09:50 PM
Fedora 13 UEFI Boot CD/DVD (none?) rdh Installation, Upgrades and Live Media 1 6th October 2010 07:08 AM
UEFI Boot techguy378 Installation, Upgrades and Live Media 4 26th October 2008 09:01 PM


Current GMT-time: 23:32 (Saturday, 25-10-2014)

TopSubscribe to XML RSS for all Threads in all ForumsFedoraForumDotOrg Archive
logo

All trademarks, and forum posts in this site are property of their respective owner(s).
FedoraForum.org is privately owned and is not directly sponsored by the Fedora Project or Red Hat, Inc.

Privacy Policy | Term of Use | Posting Guidelines | Archive | Contact Us | Founding Members

Powered by vBulletin® Copyright ©2000 - 2012, vBulletin Solutions, Inc.

FedoraForum is Powered by RedHat
Schwarzenberg Photos - Dizangue Photos - Mundgod