
Red Hat Clarifies Doubts Over UEFI Secure Boot Solution

Unknown Lamer posted about 2 years ago | from the there-goes-freedom-one dept.

Red Hat Software 437

sfcrazy writes "Red Hat's Tim Burke has clarified Fedora/Red Hat's solution to Microsoft's secure boot implementation. He said, 'Some conspiracy theorists bristle at the thought of Red Hat and other Linux distributions using a Microsoft initiated key registration scheme. Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative.'" Color me unimpressed, and certainly concerned: "A healthy dynamic of the Linux open source development model is the ability to roll-your-own. For example, users take Fedora and rebuild custom variants to meet personal interest or experiment in new innovations. Such creative individuals can also participate by simply enrolling in the $99 one time fee to license UEFI. For users performing local customization, they will have the ability to self-register their own trusted keys on their own systems at no cost." From what I can tell, the worst fears of the trusted computing initiative are coming true despite any justifications from Red Hat here. Note that the ability to install your own keys is certainly not a guaranteed right.


437 comments

So where's the security? (5, Insightful)

TheRaven64 (641858) | about 2 years ago | (#40231129)

If anyone can pay $99 to get a key that lets them install malware in anyone's firmware, then there is obviously no security in the system. I'd have thought this would be excellent grounds for an antitrust investigation...

Re:So where's the security? (1, Insightful)

ledow (319597) | about 2 years ago | (#40231303)

The point is probably that it wouldn't be "anyone's" firmware. What they are saying is that you can get a personal key, which you can manually add to your machines as a trusted key. For $99.

It doesn't mean that you can take your personal key and automatically install it on every computer and thus destroy their trusted boot mechanism or "replace" the Microsoft key with your own. You still can't tamper with the OS on any machine for which you don't have permission or access to modify the trusted boot keys. All you can do is affect machines you already control (i.e. you get to pay for the privilege of installing your own OS on your own computer).

That said, I think Red Hat are being too blinkered here. The whole point of the fight against UEFI is not that you can get a key, it's that you need to be able to build machines where you CAN change the key, add your own, or turn off the damn functionality yourself. And those machines need to be the default standard, not some "premium" service available only to the Googles and Dells of the world.

Hopefully, the whole trusted-key junk will die a death soon or someone will enforce a standard that lets you turn it off. Why *can't* I be given a machine that can boot whatever the hell it likes, including legacy OS? That's a question for big businesses that has real implications for keeping their systems running. If I were running a military-grade system, yeah, UEFI boot with trusted keys is a good extra layer to have, but on a home PC (and thus, in ten years' time, everyone's tablets, smartphones, etc. following suit)?

Re:So where's the security? (4, Informative)

neokushan (932374) | about 2 years ago | (#40231461)

Not quite, summary:

For users performing local customization, they will have the ability to self-register their own trusted keys on their own systems at no cost.

The $99 license is for if you want to distribute yours to other machines. The point is that it's a price that hits a line between "too expensive and will put vendors out of business" and "So cheap any asshat can get one". What it boils down to is the CA correctly authenticating the buyer, if malware vendors get a key signed by them it's the CA's fault.

Now someone who buys a key and recklessly leaves it lying around an insecure place, on the other hand, is a different matter....

Re:So where's the security? (1)

Anonymous Coward | about 2 years ago | (#40231667)

What it boils down to is the CA correctly authenticating the buyer, if malware vendors get a key signed by them it's the CA's fault.

Don't worry! They will swiftly disclaim all liability and describe their service as "best effort only" long before issuing these keys. See, they thought of that just like you did.

A little background: CAs are not known for their thorough application of due diligence when it comes to "authenticating" people who want to give them money. I mean some are better than others but it's not going to remove the need to maintain good host security. Besides, assuming UEFI perfectly prevents all malware from modifying the OS (installing rootkits etc), that won't protect you from malware that can run as unprivileged users.

Re:So where's the security? (1)

Anonymous Coward | about 2 years ago | (#40231709)

I sure am glad that there have been so many incidents to solidify my faith in CA actions over the last year...

Re:So where's the security? (1)

Anonymous Coward | about 2 years ago | (#40231751)

How does this affect those of us that support family members' computers?

I for one, support a number of computers that I don't _personally_ own, but eventually will have to do OS upgrades or reinstalls due to Malware/Virus infection.

Does this mean I will have to get a key for A) each machine, or B) every time I reinstall?

This has not been made clear, and really would like to see the option to shut this mechanism off.

Re:So where's the security? (1)

gbjbaanb (229885) | about 2 years ago | (#40231319)

that's true, except the scammer would have to first appear legit, I wonder if the Russian mafia has any fronts that can do that???

What would be useful is if RH got themselves a key, based on the Microsoft one (and therefore effectively un-cancellable) and then allowed downstream distros (including self-rolled ones) to use it too (yes, you know where I'm going with this).

As there's about as much security in the system as windows update, they might as well do this if they can't scrap the idea completely.

Re:So where's the security? (1)

drinkypoo (153816) | about 2 years ago | (#40231421)

I wonder if the russian mafia has any fronts that can do that???

I don't know about that, but any government can issue a passport and fake credentials to a person, and make sure they get on the priority visa list.

Re:So where's the security? (2)

betterunixthanunix (980855) | about 2 years ago | (#40231539)

the scammer would have to first appear legit

Microsoft: What do you think gives you the right to install your own bootloader, Mr. Mafia Guy? Scammer: I am deploying my own Linux Distro! Microsoft: $99 please!

Re:So where's the security? (4, Informative)

itsthebin (725864) | about 2 years ago | (#40231327)

notwithstanding that we have just had news of a major security breach that used Microsoft security certificates

Re:So where's the security? (2, Insightful)

Anonymous Coward | about 2 years ago | (#40231361)

If anyone can pay $99 to get a key that lets them install malware in anyone's firmware, then there is obviously no security in the system

Not really. If you get a signing key, you will be registered, and any malware can be tracked back to you. So "anyone" cannot do this. Only large corporations, with no liability, and lots of money, will be able to install malware from now on. YEAH!

Re:So where's the security? (5, Insightful)

vlm (69642) | about 2 years ago | (#40231483)

So "anyone" cannot do this. Only large corporations, with no liability, and lots of money, will be able to install malware from now on

Luckily large corporations never have data breaches, so it's not like you'll be able to go to wikileaks or pirate bay to get a copy of the MS secret key, or the Dell key, etc.

That large integer will of course be made illegal, so only private citizens will have unsecured systems. The hard core crooks and the slightly-bent will of course have free rein over everyone's system.

I'm sure there'll be another moronic legal battle where some 256 bit or 2048 bit or whatever integer is declared persona non-grata on the internet, stupid restraining orders, blah blah blah, all over again.

Who wants to buy a tee shirt with Microsoft's UEFI secret key on it? I give it a couple months till someone releases it, maybe even before the hardware hits the shelves, and a couple hours later I'll fetch it from pirate bay or whatever, and a couple hours later I'll put up a shirt design. Just to be a complete A-hole I'll also make shirts that have equations, too, so it'll be something like 32523136136 minus 1.

I'll go further with my prediction. Malware will be found signed with a legit "major corporate" key BEFORE legit hardware/software using "major corporate" key hits the shelves, in at least one instance. In other words your new Dell, for example, will be ownable before you can even buy it.

Re:So where's the security? (5, Funny)

vlm (69642) | about 2 years ago | (#40231535)

Oh genius hits milliseconds after I hit the Fing submit button... A tee shirt with a QR code of the official Microsoft secret signing key with iconic 1984 or maybe Animal Farm styling.

Coming soon, from VLM enterprises...

Re:So where's the security? (5, Insightful)

Anpheus (908711) | about 2 years ago | (#40231615)

You're confusing the keys that have previously been publicly available and the private keys here. Unlike the previous keys, this isn't part of a DRM scheme where the user has to be able to decrypt content and simultaneously "not have" the key to do so. DRM is fundamentally flawed in that regard, and DRM schemes are routinely broken because they cannot both obscure the content and show it to you at the same time. At some point, your computer has to possess the ability to unlock the next frame, and smart people figured out how to copy that. Ta-da, AACS key, or HDCP master key. Those weren't failures of public key cryptography, they were leaked because the universe is at odds with DRM.

What private keys of note have been hacked? Recently, a weak Microsoft intermediate certificate key was exploited to use to generate code signing certs, but that was a weak key with a poor algorithm (MD5 hashed thumbprint). Or Sony's private key for the PS3? Well, they implemented their crypto wrong, one of the supposed-to-be-random parameters was instead hardcoded as a constant. Oops.

Dell, Microsoft, the big players, they all work very hard to make sure their private keys are secure. Would you care to take a wager on whether or not the Microsoft root key will be released within the next year? (By root I mean whatever key is the common root used to sign a plurality of UEFI signed bootloaders, if they use many intermediate CAs, it would have to be whatever key is for all of those CAs. If they use one intermediary that signs a majority of the bootloaders, then it must be that one - does not have to be _the_ Microsoft key.)

Re:So where's the security? (0)

Anonymous Coward | about 2 years ago | (#40231819)

RSA? Would they be considered a "big player"?
They had the salt keys stolen, and didn't bother to mention it to anyone for months (or years?) after the fact, knowing that businesses were using those keys for encryption leaving them vulnerable.

Re:So where's the security? (4, Insightful)

betterunixthanunix (980855) | about 2 years ago | (#40231653)

If you get a signing key, you will be registered, and any malware can be tracked back to you. So "anyone" cannot do this.

So all it really takes is a stolen credit card?

Re:So where's the security? (5, Insightful)

Hatta (162192) | about 2 years ago | (#40231469)

Microsoft learned after their last antitrust investigation, and increased their political contributions by an order of magnitude [opensecrets.org], without changing their business practices at all. Now that Microsoft has paid the appropriate protection money, they can do whatever they want.

Re:So where's the security? (1)

MickyTheIdiot (1032226) | about 2 years ago | (#40231821)

Not to mention that you have one of two choices if a key is breached:

1) The hardware is forever "untrusted" or

2) You have to put in a way to *easily* (i.e. not some BIOS procedure magical to the user) fix breached keys, in which you necessarily create a way for malware writers to install their own key.

BRILLIANT. Well thought out, M.S... as always.

User key management (4, Interesting)

Junta (36770) | about 2 years ago | (#40231149)

self-register their own trusted keys on their own systems at no cost.

How? Most reasonable mechanisms that could be envisioned would likely be considered an 'attack vector' in certain scenarios. I'm genuinely curious as to the mechanisms allowed for end-user key management in this sort of system.

Re:User key management (2)

robmv (855035) | about 2 years ago | (#40231515)

Using the UEFI settings in your firmware. There is no automated way to do it, the 'attack vector' possibility is the reason. Red Hat will use this method of signing the bootloader using Microsoft signing services to help the common user to install a Linux distribution without messing with scary UEFI screens. The real problem now is: Will hardware vendors always provide a screen to add/change the keys? Unless it is enforced by Microsoft Windows OEM licensing rules (I don't know about this) or government regulation, the answer is not every manufacturer will provide that.

Re:User key management (0)

Anonymous Coward | about 2 years ago | (#40231803)

Based on my experience with ACER they won't. I can't even enable hardware virtualization on my devices.

Re:User key management (2)

MickyTheIdiot (1032226) | about 2 years ago | (#40231849)

See my other post...

If the signing key is breached (not out of the question with MS's track record recently) then the hardware is permanently untrusted.

So you have to make the hardware trusted again.

Sounds like a boon to Dell and to computer shops to me, unless you create a simple way for a user to fix the problem, at which point your purpose was defeated.

I hope a gang of lawyers (2, Insightful)

FudRucker (866063) | about 2 years ago | (#40231181)

rips Microsoft a "new one" in a class action and/or anti-trust suit

and Fedora/Redhat are feeble minded idiots for paying Microsoft,

Re:I hope a gang of lawyers (0)

Anonymous Coward | about 2 years ago | (#40231241)

They're not paying Microsoft, that money goes to Verisign. And you do realize that lawyers are just the representatives of wrongly damaged parties, and that third parties don't just file lawsuits against entities that they think are doing something to other people? A class action suit isn't going to happen just because lawyers want it to, claimants have to be charging some kind of provable damages.

Re:I hope a gang of lawyers (1)

DarwinSurvivor (1752106) | about 2 years ago | (#40231325)

Actually, some lawyers start class actions all on their own, then find people that they can "represent" in it just so they can get paid. Ever seen the "you may be entitled to compensation" advertisements on TV? Yeah, guess who pays for THOSE!

Re:I hope a gang of lawyers (0)

Anonymous Coward | about 2 years ago | (#40231557)

The courts have to grant you the right to actually start a class action suit, you need to have parties that have been damaged. A lawyer could always go out looking for people first, but that doesn't count as "starting" a class action suit, and it still requires wronged parties.

Re:I hope a gang of lawyers (0)

Anonymous Coward | about 2 years ago | (#40231753)

Yes, generally the lawyer pays for those, partly because they are legally required to notify members of a class of the class action suit prior to going to trial (admittedly they also want as many people in the class as possible to maximize damages). However, that has nothing to do with starting a class action, as an advertisement of that type would be illegal unless the class has already been certified.

Re:I hope a gang of lawyers (0)

Anonymous Coward | about 2 years ago | (#40231359)

It's not Microsoft that needs to be facing the suits, it's the hardware manufacturers. Once a few of them have gone bust (because unlike Microsoft, they don't have the margins to afford the loss) the others will learn that following Microsoft's specs is no longer the path to profit.

Re:I hope a gang of lawyers (0)

Anonymous Coward | about 2 years ago | (#40231765)

No longer? Name one hardware manufacturer that isn't aware of that now, but has no other alternative (no, Linux is not an actual alternative for most people buying computers)

Re:I hope a gang of lawyers (3, Informative)

cryptizard (2629853) | about 2 years ago | (#40231391)

It has been stated many times, the fee is not going to Microsoft but Verisign. Essentially Red Hat is gaining the ability to run their own root of trust by having a signed "stage 0" bootloader that will in turn load any image signed by Red Hat's private key. This micro-bootloader will most likely just chain load a special version of grub that will verify the kernel is signed by a correct key (at this point, any key that Red Hat wants). I really don't see the problem with any of this. As they said in the first report, any big name, trustable Linux organization could volunteer to get their root key signed using this same arrangement and then run a free, open root of trust that could verify other distributions. The problem is no one wants that kind of responsibility. The only downside to this whole mess is that not all motherboards will offer you the ability to install your own root certificates, which could impact the ability to homebrew a Linux distro, but in the end people that care about that kind of thing will only buy motherboards that have that ability.
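
Added example (not part of the original thread, and not Red Hat's or Microsoft's code): a small model of the chain of trust the comment above describes, where firmware checks a "stage 0" loader against its key database, and each later stage is checked against the firmware keys plus whatever keys earlier stages embed. It assumes toy textbook RSA built from fixed Mersenne primes as a stand-in for real Authenticode signatures; all key, image and function names are hypothetical.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

E = 65537  # public exponent shared by all toy keys


@dataclass(frozen=True)
class PublicKey:
    name: str
    n: int


@dataclass(frozen=True)
class PrivateKey:
    public: PublicKey
    d: int


def make_key(name, p_bits, q_bits):
    # Toy textbook RSA from two Mersenne primes (2**k - 1). NOT secure;
    # it only gives the model real sign/verify asymmetry with the stdlib.
    p, q = 2**p_bits - 1, 2**q_bits - 1
    return PrivateKey(PublicKey(name, p * q), pow(E, -1, (p - 1) * (q - 1)))


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data):
    return pow(_digest(data, key.public.n), key.d, key.public.n)


def verify(pub, data, sig):
    return sig is not None and pow(sig, E, pub.n) == _digest(data, pub.n)


@dataclass
class Image:
    name: str
    code: bytes
    embedded_keys: Tuple[PublicKey, ...] = ()  # keys this stage adds for later stages
    signature: Optional[int] = None

    def payload(self):
        # Embedded keys are compiled into the binary, so the signature covers them.
        return self.code + b"".join(str(k.n).encode() for k in self.embedded_keys)

    def signed_by(self, key):
        self.signature = sign(key, self.payload())
        return self


def boot(firmware_db, chain, secure_boot=True):
    """Walk the boot chain; return (booted, log)."""
    trusted, log = list(firmware_db), []
    for image in chain:
        if secure_boot:
            signer = next((k for k in trusted
                           if verify(k, image.payload(), image.signature)), None)
            if signer is None:
                log.append(f"{image.name}: REJECTED (no trusted key verifies it)")
                return False, log
            log.append(f"{image.name}: verified with {signer.name}")
        else:
            log.append(f"{image.name}: loaded unverified")
        trusted += list(image.embedded_keys)  # simplification of stage 0's key hand-off
    return True, log


def demo():
    ms = make_key("firmware-trusted signing key (stand-in)", 61, 89)
    distro = make_key("distro vendor key (stand-in)", 107, 127)
    user = make_key("locally generated user key", 521, 607)

    def chain(kernel):
        stage0 = Image("stage0", b"stage 0 loader", (distro.public,)).signed_by(ms)
        grub = Image("grub", b"grub build").signed_by(distro)
        return [stage0, grub, kernel]

    stock = Image("vendor kernel", b"vendor kernel").signed_by(distro)
    custom = Image("custom kernel", b"rebuilt kernel").signed_by(user)
    tampered = chain(stock)
    tampered[1].code += b" + modification"  # changed after signing
    oem_db = [ms.public]  # what ships in firmware in this model
    return {
        "stock": boot(oem_db, chain(stock)),
        "custom_without_enrollment": boot(oem_db, chain(custom)),
        "custom_with_enrolled_key": boot(oem_db + [user.public], chain(custom)),
        "tampered_grub": boot(oem_db, tampered),
        "secure_boot_off": boot(oem_db, chain(custom), secure_boot=False),
    }


if __name__ == "__main__":
    for scenario, (ok, log) in demo().items():
        print(scenario, "->", "boots" if ok else "halts")
        for line in log:
            print("   ", line)
```

The second and third scenarios are the point the thread keeps returning to: the same self-built kernel halts or boots depending only on whether the firmware lets the owner add a key to its database.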

Re:I hope a gang of lawyers (3, Informative)

Anonymous Coward | about 2 years ago | (#40231893)

The problem is no one wants that kind of responsibility. The only downside to this whole mess is that not all motherboards will offer you the ability to install your own root certificates, which could impact the ability to homebrew a Linux distro, but in the end people that care about that kind of thing will only buy motherboards that have that ability.

The point of open-source is to be able to run any code you want, not just those signed by large corporations. Users, previously not belonging to your elite category, who bought a motherboard without checking, and who now realise the benefits of a custom kernel, will find that they have no option but to buy a new machine.

trust Microsoft you say? (0)

Anonymous Coward | about 2 years ago | (#40231205)

Stuxnet, Duqu, etc...I could go on

Re:trust Microsoft you say? (0)

Anonymous Coward | about 2 years ago | (#40231299)

I could go on

And we all thank you for not doing so.

Microchannel Anyone? (0)

Anonymous Coward | about 2 years ago | (#40231209)

UEFI has the same stench Microchannel did, back in the day.
http://en.wikipedia.org/wiki/Micro_Channel_architecture

MS's last dual-boot solution worked so well (2, Informative)

WillAdams (45638) | about 2 years ago | (#40231261)

for the other side of the house....

They advocated for a dual-boot system which would allow Windows for Pen Computing to co-exist along w/ Go Corporation's PenPoint OS --- then pulled the plug after the first systems were announced.

Jerry Kaplan's _StartUp_ should be required reading for anyone considering doing business w/ Microsoft.

It's ludicrous that one could purchase a system and then not be allowed to install arbitrary software on it --- why can't there be a mechanism for instantiating a particular key on a system which one has physical access to?

William

Let me predict the future here. (4, Insightful)

Anon-Admin (443764) | about 2 years ago | (#40231275)

It will be released but not all the hardware vendors will sign on. Loads of tech people, like the ones here, will not buy it. It will flounder for a few years then eventually die off and go the way of microchannel.

I'll toss this one up there with Divix-DVD's and their pay per view, Sony memory standards, Micro-channel, and many other crappy ideas.

Re:Let me predict the future here. (3, Interesting)

DarwinSurvivor (1752106) | about 2 years ago | (#40231343)

Except there's a new twist this time. Microsoft is REQUIRING secure-boot if OEM's want to put the "certified for windows" sticker on the machine. Believe it or not, that sticker is worth a LOT to OEM's.

Re:Let me predict the future here. (1)

clonehappy (655530) | about 2 years ago | (#40231435)

And will secure boot not have an "off" switch? I would assume it will. Just like how I never install the drivers for the "TPM" when I rebuild an image.

Sure, Windows will refuse to boot if secure boot is turned off, but isn't that a feature, anyway?

Re:Let me predict the future here. (0)

Anonymous Coward | about 2 years ago | (#40231637)

ALL X86 machines will have an off switch for secure boot. If you turn Windows will still boot (Although I assume with a warning).

What's happening is it's a useful feature that other companies want access to, so Microsoft is giving them the ability to ship their own operating systems which will also work under secure boot. To be honest, they'd probably be looking at anti-trust scrutiny if they DIDN'T do this...

Re:Let me predict the future here. (0)

Anonymous Coward | about 2 years ago | (#40231787)

The problem is this: even if there IS an "off switch", over time increasing amounts of online activities and media consumption will require you to be booted under such an environment. Eventually, you won't be able to do online banking, for example, without being on a "trusted platform". As more and more things become closed off to those running free OSs, those free OSs become less and less useful for real world computing needs, and thus, are squeezed out of existence.

Re:Let me predict the future here. (4, Informative)

DigiShaman (671371) | about 2 years ago | (#40231449)

And without OEMS, effectively you have no PC industry. Fact is, members of Slashdot including myself are the minority here. We are not going to change the way OEMs do business with Microsoft. Period. End of story.

Re:Let me predict the future here. (1)

vlm (69642) | about 2 years ago | (#40231611)

Believe it or not, that sticker is worth a LOT to OEM's

Count me as "not". The DVD and music cd standards groups thought round shiny optical media was worthless to consumers without their stamp of approval logo, the first thing all consumers do before buying shiny disks is look for the official CD/DVD logo. However, it turns out in the real world that no one cares about a stamp of approval, as long as it works.

Re:Let me predict the future here. (1)

Anonymous Coward | about 2 years ago | (#40231725)

Believe it or not, that sticker is worth a LOT to OEM's

Count me as "not". The DVD and music cd standards groups thought round shiny optical media was worthless to consumers without their stamp of approval logo, the first thing all consumers do before buying shiny disks is look for the official CD/DVD logo. However, it turns out in the real world that no one cares about a stamp of approval, as long as it works.

Uh huh, and what OEM are you? Oh, what's that? You're NOT an OEM? Huh. Well, then, please, by all means, shut the fuck up, the GP was talking about OEMs.

Re:Let me predict the future here. (0)

Anonymous Coward | about 2 years ago | (#40231631)

do people actually look for "certified for windows" on their computer products?

Re:Let me predict the future here. (1)

gbjbaanb (229885) | about 2 years ago | (#40231397)

plenty of hardware vendors will sign on - Microsoft will only let them pre-install Windows if they have it, and so Dell, HP, Asus, etc will all have this crap setup and rocking from day 1.

Re:Let me predict the future here. (1)

Anon-Admin (443764) | about 2 years ago | (#40231445)

and most tech people build their own systems buying off the shelf parts. We also recommend systems to family and friends, and unlike most of the places I have worked, family and friends listen to me.

So, Will Dell, HP, and other BIG BOX providers take it.... Sure, they also had micro-channel. That does not mean it will take off or last. It will probably last longer on the server side. However, that is where this scheme will face its biggest challenges as the list of server OS providers is much larger than the list of Desktop OS providers.

Re:Let me predict the future here. (0)

Anonymous Coward | about 2 years ago | (#40231763)

I'm a little confused by this. I won't be buying a laptop for a long time (until this horrid crap goes away, anyway), but all my towers are custom-built. Will I even notice this? Is it just going to be an option I have to remember to turn off in the BIOS when I'm setting up the OS, or will I have to jump through fifteen hoops to sign my custom kernels every time Linus releases an rc?

Re:Let me predict the future here. (2)

betterunixthanunix (980855) | about 2 years ago | (#40231691)

It will be released but not all the hardware vendors will sign on

Why would a hardware vendor turn down an opportunity to:

  1. Create the sort of DRM'ed "media center" computer that the MPAA drools over?
  2. Rake in cash from an app store?
  3. Slash their tech support department by controlling the software people are allowed to install?

That is where this is going. We are just seeing the first step of a major attack on user freedom here.

GPL v3 (3, Interesting)

M. Baranczak (726671) | about 2 years ago | (#40231287)

Doesn't this violate the "anti-Tivo" clause of GPL v3? Sure, the kernel is still on v2, but the system can't run without all the v3 stuff.

This will not stand, man.

Re:GPL v3 (2)

jonwil (467024) | about 2 years ago | (#40231491)

Under secure boot, user-space code that talks to hardware will be banned (otherwise it could open a hole in the secure boot logic) and all kernel-mode code is GPLv2 anyway. None of the normal user-space code needs to be signed (so the clauses in GPLv3 don't matter)

In A Bind (1)

EXTomar (78739) | about 2 years ago | (#40231293)

Red Hat needs to research and make sure they are compatible with new and changing tech and UEFI is clearly one they need to make sure RH software works with. There are valid application for signed systems like this (think stuff like ATM) so making sure Linux works and even signed and validated to boot isn't a bad idea. But as we already suspect the general desktop environment isn't a good place UEFI should be used which is what people are afraid is going to happen.

I haven't delved deep into the details of UEFI but as long as the restrictions are only to boot valid signatures then RH and any other Linux should be fine and might even be desirable in some deployments. In fact a strong argument could be made that getting Linux and BSD onto these platform helps "keep them honest". Red Hat should be allowed to do this and we should continue to inspect RH's source which is a good goal brought about by Open Source. If it turns out that Red Hat does this and is not allowed to be entirely open about it then that would be the red flag but not before then.

Tempest in a teacup? (2)

Monkey-Man2000 (603495) | about 2 years ago | (#40231305)

For users performing local customization, they will have the ability to self-register their own trusted keys on their own systems at no cost.

If this is possible, can't any random distribution just ask the user to self-register their own keys for their hardware at installation time? I guess it depends on when the self-registration occurs and how it's done, which is not clear to me.

Re:Tempest in a teacup? (1)

Lehk228 (705449) | about 2 years ago | (#40231499)

People are getting their knickers all twisted because 'The Man' might one day prevent self registered keys. I guess MS might do this in the future if they really wanted to have another round of antitrust proceedings. In the meantime UEFI will let you verify your boot image against rootkits and other such badness (would be nice if you could force deregister all other keys too, not sure if it can)

Re:Tempest in a teacup? (1)

vlm (69642) | about 2 years ago | (#40231681)

In the meantime UEFI will let you verify your boot image against rootkits and other such badness

False sense of security, unless you think keys and serial numbers have never, ever, been distributed over the internet or stolen by crooks, or for some odd reason that popular activity would suddenly stop.

UEFI will be easier to own because of the user's false sense of security. "I bought me a UEFI secured system, therefore I'm unrootable so I've got nothing to worry about" "(Click on some website)" "(owned)"

Reminds me of the discussions about "windows serial number activation key" things around/over a decade ago. Well, that's the end of piracy, blah blah blah. Didn't really turn out that way, did it.

Re:Tempest in a teacup? (2, Informative)

Anonymous Coward | about 2 years ago | (#40231695)

People are getting their knickers all twisted because 'The Man' might one day prevent self registered keys. I guess MS might do this in the future if they really wanted to have another round of antitrust proceedings.

For ARM-based systems, 'The Man' has already prevented self-registered keys for any Windows 8 certified machine. See the last link in the summary from Matthew Garrett (a Red Hat engineer).

Re:Tempest in a teacup? (0)

Anonymous Coward | about 2 years ago | (#40231527)

yes. did you read http://mjg59.dreamwidth.org/12368.html . but that adds a whole extra step to the installation, that may be different depending on the BIOS vendor.

the distros have a choice. make the install more complicated. create a key try to get each manufacturer to ship it by default (this would cost a lot of time and probably money). or pay a small fee to make everything just work (for people who are happy with the distro's official kernel).

Re:Tempest in a teacup? (1)

Monkey-Man2000 (603495) | about 2 years ago | (#40231669)

Thanks for the link, but I don't think it directly addressed my point. The exception may be this statement though:

The third is to just disable secure boot entirely, at which point the machine should return to granting the same set of freedoms as it currently does.

If we can disable secure boot in the BIOS then we're back to where we are now in terms of running Linux/BSD. You just can't dual-boot into Windows 8. That seems like something I can live with. :) On a side-note, this situation does make me wonder how Windows 8 will be able to run in virtual machines.

Just say 'No' (3, Insightful)

Anonymous Coward | about 2 years ago | (#40231315)

I won't buy any PC or motherboard with UEFI unless it can be disabled - and I will actively search for machines that refuse to implement UEFI at all. Frankly, this is a quisling move by RedHat. Microsoft bullied the PC manufacturers into this anti-freedom technology. Now RedHat is directly supporting Microsoft by paying into their protection racket. Before you know it, every computer will require a 'legitimate' - government/oligopoly authorized operating system. Just say 'No' to RedHat because they are giving money to a system that is sliding down that slippery slope toward removing your freedom to use your devices as you wish.

what about servers? (1)

Joe_Dragon (2206452) | about 2 years ago | (#40231351)

A lot of web servers run Linux.

Re:what about servers? (1)

bleedingsamurai (2539410) | about 2 years ago | (#40231547)

Yes.
But all the ones currently running on PC compatible platforms do not use UEFI secure boot.

When it comes time to buy new hardware, webhosts can choose to put their money into other platforms like SPARC. Maybe in a few years ARM will have some offerings in the server range. RISC is the way to go anyways.

Re:what about servers? (0)

Anonymous Coward | about 2 years ago | (#40231555)

you can put your own key onto the server, and remove any others that the OEM put on. now the server will only run code that you have signed yourself. handy, eh?

Re:Just say 'No' (4, Interesting)

gregthebunny (1502041) | about 2 years ago | (#40231489)

Agreed! This is an opportunity for us to protest with our wallets. Not only will I be actively pursuing non-UEFI motherboards, but I will also be actively campaigning my colleagues, coworkers, friends, and family to not buy non-UEFI machines as well. Microsoft is trying to fix a system that isn't broken. They shouldn't have to rely on securities at the hardware and BIOS level to lock down their new operating systems. They should just, you know, build a more secure operating system...

Re:Just say 'No' (0)

Anonymous Coward | about 2 years ago | (#40231619)

"This is an opportunity for us to protest with our wallets."

Yeah, good luck with that. First, most of those people you try to convince won't care enough to avoid buying the UEFI mobos. But even if a few do, it still doesn't matter, because against you are endless hordes of people to whom technology is magic. They will never even be *aware* that this issue exists, let alone have the ability to understand it or the wish to act any differently.

You're seriously confused if you believe you and the tiny, tiny set of people who care about the same things can have ANY influence over the result of UEFI being accepted by the market, just by "protesting with your wallet". You can't. This WILL be locked down, so the best that can happen is to figure out how to deal with that new world.

Re:Just say 'No' (1)

Anonymous Coward | about 2 years ago | (#40231661)

Most people don't even buy motherboards. They hardly buy desktop PCs any more at all in fact, but for the few people who do, they head on down to Best Buy and buy the cheapest machine that looks like it'll meet their needs. There's nothing more to it than that. They have zero awareness of UEFI, let alone what it means, and even if they do, 99% of them want to run Windows, and they won't even notice anything unusual.

Re:Just say 'No' (5, Insightful)

a90Tj2P7 (1533853) | about 2 years ago | (#40231743)

Secure boot, which is what you're concerned about, is just a feature in UEFI. Which has been the BIOS replacement for years. It's not new, it's not an MS creation, and it's not limited to secure boot. Saying you won't buy any PC or mobo that has UEFI because of secure boot is like saying you won't buy any with BIOS if it doesn't have overclocking settings.

Re:Just say 'No' (0)

Anonymous Coward | about 2 years ago | (#40231565)

Yes, YOU will do that, and I probably will too, and about three other people. But it doesn't matter. 99.999% of the market has absolutely no clue why we're mad, and they don't care as long as they can get to Farmville and Facebook and Twitter.

Re:Just say 'No' (4, Insightful)

a90Tj2P7 (1533853) | about 2 years ago | (#40231675)

Replace "UEFI" with "BIOS" in your first sentence and see how it sounds. Because that's what it is. It's not some MS feature or add-on, not some kind of evil conspiracy, it's the new BIOS. And it's not that "new". And part of the Windows 8 certification requirements for x86_64 systems is that the secure boot feature, which also isn't an MS invention, can be disabled. So that addresses your concern about buying PCs and motherboards that won't let you disable the feature you actually have a problem about.

So many stupid people.. (0)

Anonymous Coward | about 2 years ago | (#40231321)

You're an idiot if you think that other options were not considered first.

This is the only current way that it can be made to work NOW for the current user. Red Hat steps up to the plate and investigates it early and Slashdot has an ill-informed whine... can't please some people...

"Good Faith" (3, Insightful)

clonehappy (655530) | about 2 years ago | (#40231323)

I'm not going to invoke Godwin, but *lots* of things start out as being "good-faith initiatives". I know UEFI has tons of advantages over a standard BIOS, and I'm a flat-earther for wanting to stick with the old tried and true methods, but anything that takes away control over hardware I own, especially anything that takes control and gives it to a multinational corporation, I'm passing right over.

And I assume plenty of other tech-minded people will do the same, and the system will fade off into the sunset.

Re:"Good Faith" (0)

Anonymous Coward | about 2 years ago | (#40231567)

Just to be clear, there's nothing *innate* to UEFI that requires these keys. My Mac, for example, boots using UEFI and can have arbitrary x86 (or x86-64) operating systems installed on it if I so choose.

This secure boot initiative is *entirely* Microsoft's doing. They're trying to leverage their faltering monopoly into a market where their competitors have to pay them for the privilege of being able to sell their own products. (Sadly, I'm *not* expecting anti-trust consequences for this. Not because it isn't deserved, but because I'm too jaded to think it's actually going to happen.)

Re:"Good Faith" (0)

Anonymous Coward | about 2 years ago | (#40231697)

Corruption and inertia will prevent any action. In addition, the Sherman Anti-Trust Act does not forbid monopoly, only the use of one monopoly to gain another. A 'Desktop OS' monopoly being used to gain a 'Desktop OS' monopoly is not illegal, and depending on interpretation, extending it from desktops to portable computers to mainframes may not be illegal either...

Re:"Good Faith" (1)

a90Tj2P7 (1533853) | about 2 years ago | (#40231807)

"This secure boot initiative is *entirely* Microsoft's doing. They're trying to leverage their faltering monopoly into a market where their competitors have to pay them for the privilege of being able to sell their own products. (Sadly, I'm *not* expecting anti-trust consequences for this. Not because it isn't deserved, but because I'm too jaded to think it's actually going to happen.)"

Or maybe because it makes very little sense. MS didn't create secure boot, and they don't control it or the licensing for it. They want it turned on for Windows 8 certified machines, with their key loaded in. Another OS source can run their own licensing server if they wanted the cost and responsibility, they can provide their own keys if they want the hassle of giving the users instructions on how to load it manually, or they can just ignore the feature altogether if they're ok with leaving that vulnerability open when people disable the feature (on x86 systems) to install their software. MS doesn't control secure boot licensing. They just added the option to piggyback through them as an inexpensive convenience, which they don't even profit from since the entire $99 goes to Verisign.

Re:"Good Faith" (0)

Anonymous Coward | about 2 years ago | (#40231591)

then you can just put your own key on your computers, and it will only run stuff signed by you.

Re:"Good Faith" (0)

Anonymous Coward | about 2 years ago | (#40231613)

Yep. It'll go away just like HDCP did...

"not a guaranteed right" (4, Insightful)

mjg59 (864833) | about 2 years ago | (#40231341)

As the author of the linked article, things have somewhat changed since then - the language in the hwcert docs makes it clear that the hardware can be configured into a state where keys can be added. Is it a guarantee? No, but it's as close as is possible to get in the technology world.
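The two firmware states this thread keeps returning to (Secure Boot switched off, and a machine in the state where keys can be added) can be read on Linux from the `SecureBoot` and `SetupMode` UEFI variables. The sketch below is an added example, not part of any comment here; the function names are its own and the sample byte strings are constructed.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

# UEFI variable attribute bits; efivarfs prefixes every file with them
# as a 4-byte little-endian integer.
ATTRS = {0x1: "NON_VOLATILE", 0x2: "BOOTSERVICE_ACCESS", 0x4: "RUNTIME_ACCESS"}


def parse_efivar(raw: bytes):
    """Split an efivarfs file into (attribute names, payload bytes)."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return [name for bit, name in ATTRS.items() if attrs & bit], raw[4:]


def flag(raw):
    """Return the 1-byte payload of SecureBoot/SetupMode, or None if absent."""
    if raw is None:
        return None
    _, payload = parse_efivar(raw)
    if len(payload) != 1:
        raise ValueError("expected a 1-byte payload")
    return payload[0]


def classify(secure_boot_raw, setup_mode_raw):
    """Map the two variables onto the states discussed in the thread."""
    sb, sm = flag(secure_boot_raw), flag(setup_mode_raw)
    if sb is None and sm is None:
        return "no Secure Boot variables (not booted via UEFI, or unsupported)"
    if sm == 1:
        return "setup mode: no Platform Key enrolled, keys can be added"
    if sb == 1:
        return "user mode, Secure Boot enforcing"
    return "user mode, Secure Boot disabled"


def read_var(name, root=EFIVARS):
    """Read one global UEFI variable from efivarfs, or None if it is absent."""
    path = root / f"{name}-{EFI_GLOBAL_GUID}"
    return path.read_bytes() if path.exists() else None


# Constructed sample file contents as (SecureBoot, SetupMode) pairs.
SAMPLE_ENFORCING = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SAMPLE_DISABLED = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")
SAMPLE_SETUP = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01")

if __name__ == "__main__":
    for label, pair in [("enforcing", SAMPLE_ENFORCING),
                        ("disabled", SAMPLE_DISABLED),
                        ("setup", SAMPLE_SETUP)]:
        print(f"sample {label}: {classify(*pair)}")
    print("this machine:", classify(read_var("SecureBoot"), read_var("SetupMode")))
```
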

haha scrubs enjoy your developer fee! (-1)

Anonymous Coward | about 2 years ago | (#40231357)

all the linux wankers used to bitch about the 99$ fee to join the Apple Developer program!

Analogy to DVDs and CDs? (1)

vlm (69642) | about 2 years ago | (#40231389)

I wonder if there is an analogy to DVDs and CDs... If you want to use the Genuine DVD logo on your shiny disk you have to follow eighty bazillion rules, at least some of which suck, and at least some of which are great ideas but people who suck don't want to do the right thing.

The logo people thought no one would ever buy round shiny disks without their holy logo of obligation inscribed upon it. Why the nerve of those barbarians to even suggest such a gauche idea as selling a shiny disk without our word of power.

Solution, ship your shiny round disk the way you want, without the Genuine Official Copyrighted Trademarked DVD logo. The consumers don't care, they just pop a round shiny disk in the player and it works, at least most of the time.

I'm trying to figure out if something like this could happen with UEFI, somehow.

Another option is the death of the preinstalled microsoft OS. If the legal barrier is just too high, start shipping free systems. Preinstalls suck and are absolutely sickeningly riddled with bloatware anyway, so first step is always to wipe the preinstall. The proverbial grandma won't be able to handle installing windows, I guess she will stick with the Ubuntu preinstall and probably not even notice the difference.

The real problem is (2)

Mojo66 (1131579) | about 2 years ago | (#40231507)

..that almost every PC comes with Windows pre-installed in conjunction with Microsoft abusing this monopoly despite all the anti-trust affairs.

I know the M$ fanboys will point at Apple and their iOS devices, but the big difference is that Apple does not force other smartphone manufacturers to put iOS on their hardware, whereas PC manufacturers have to pay for not putting Windows on their PCs.

Given those circumstances, the fact that I'd have to pay $99 in order to install my own private Linux distro on my own private PC is just crazy.

"good faith" can change (1)

Anonymous Coward | about 2 years ago | (#40231517)

Even if this is indeed a "good faith" initiative, what difference does *that* make? The tools for locking down and controlling all computing are being put in place, one small step at a time. When that "good faith" goes away in the future, the tools will not know the difference; they can be used in good faith or bad faith alike.

It's much like giving a genuinely good leader draconian legal powers. (S)HE may use them wisely to do actual social good, but in a hundred years when you have a despot at the helm, he'll have the same draconian things available.

FUCKING stupid (5, Insightful)

inode_buddha (576844) | about 2 years ago | (#40231533)

"Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative."

Fucking STUPID. Since when in their entire history has Microsoft ever done anything in "good faith"?? Morons! *ALL* you need to do is read a few court cases...

"your owns keys is certainly not a guaranteed" (1)

l3v1 (787564) | about 2 years ago | (#40231689)

"your owns keys is certainly not a guaranteed"

If I can't use a custom kernel and I can't load custom drivers, then there's no way anyone could convince me this UEFI/SB and the related signing misery is the way to go. I couldn't care less that some distros can sign their kernels and drivers and you can use those, because that essentially would imply a lock-in to a specific company's version - thanks but no thanks. Of course I can imagine how some companies would like it that way.

JUST SAY NO! (1)

Gim Tom (716904) | about 2 years ago | (#40231699)

The only way for us to keep UEFI from being on every MOBO is to JUST SAY NO

Don't buy a PC with UEFI and don't even try to keep one running when it craps out.

Re:JUST SAY NO! (0)

Anonymous Coward | about 2 years ago | (#40231897)

Just look at him. Isn't he sweet believing in the power of the 'free market'?

Manipulation and FUD. (1)

LWATCDR (28044) | about 2 years ago | (#40231747)

"From what I can tell, the worst fears of the trusted computing initiative are coming true despite any justifications from Red Hat here. Note that the ability to install your owns keys is certainly not a guaranteed right."
Okay chicken little the sky is falling.
Really? You can turn off the security settings in UEFI. Will you in the future? No but that is a slippery slope argument. The simple fact is that UEFI offers a layer of security that many users may welcome. As long as the end user can turn it off I am fine with it.
Now on the Windows ARM platform it can not be turned off which is just evil and should be looked into as a violation of anti-trust. Of course if you really hate the idea that is fine also. What is stupid is complaining that Red Hat paid the $99 fee. That's like saying that a kid should stand up to a gang of bullies instead of giving them his lunch money even if they will beat him to a pulp.

Re:Manipulation and FUD. (1)

bongey (974911) | about 2 years ago | (#40231879)

Does getting Microsoft to sign your key allow booting to ARM arch? If so, not an issue; if they cannot get it signed then there is a big issue.
I can see mobile systems requiring secure boot as a good thing. Being a mobile platform it would be really easy for someone to grab your mobile device and lay down another image.

For a LIMITED TIME (1)

brad-x (566807) | about 2 years ago | (#40231749)

I'm assuming no one has yet noticed that the $99 fee is not going to last forever. From Microsoft's sysdev portal: [microsoft.com]

"Microsoft is pleased to announce that, for a limited time, VeriSign is offering the ‘Microsoft Authenticode’ Digital Certificate at a substantially reduced price by following the link below."

Moreover as others have mentioned here, it's not guaranteed that any hardware manufacturers will include the capability to register one's own keys. I certainly haven't heard of any yet.

Just ask Flame developers (3, Funny)

luizd (716122) | about 2 years ago | (#40231781)

C'mon, it is very easy to solve the problem. Use the same Microsoft CA that the Flame worm is using.

SecureBoot is more a "reduce users power to change OS" than "protect from malwares", as Flame proved.

The Red Hat Wizard Falls Under Sauron's Spell (1, Interesting)

quarkscat (697644) | about 2 years ago | (#40231785)

UEFI is an OEM Software Vendor's bald-faced grab at monopoly power. Microsoft would be the key generator. Redhat would pay Microsoft a one-time fee per user machine, which RH figures likely to be a one-time $99 fee. This charge would be per machine, not per user, as it is likely that no 2 computers on the same network can have the same key. How many linux users not running servers would be willing to pay their OEM Linux Software Vendor an extra $100 over the current cost of that software per machine? What impact would this have on the number of desktop linux users? How many would forego any switch from the Microsoft OS pre-installed for an extra additional $100, per machine?

IIRC, when Microsoft first began trying to compete with Server Software against the Big Iron Server Vendors, flexibility in number of connected clients, and owning the HW and the SW license was considerably cheaper than an annual HW & SW service agreement. Digital Equipment, Silicon Graphics, and Sun Microsystems are gone, Microsoft has so much influence over HW manufacturers that an effort was made to rein in competition. Control of the UEFI Boot AUTH Key by a self-avowed SW monopoly would appear to, in one fell swoop, destroy a segment of the Desktop OS competition AND create a robust new revenue stream at the same time. The crony corporatists are greedy vampires, as one named John D. was quoted as saying "Competition is a sin."

So, which recently topping $1 Billion in revenues OEM SW Vendor just climbed into bed, figuratively speaking, with Microsoft? Red Hat? Gee whiz, I wonder how many of Red Hat's plethora of desktop linux competition, or for that matter, any *nix-like OS Vendor would care for their product to be automatically boosted in price by $100 (minimum) to establish an UEFI Boot AUTH Key "Associate" account with Microsoft? When is More Evil just too much?

Free market capitalism, by definition, should be operating on a level playing field of regulation and enforcement. The greater and greater concentration of economic power and influence in the hands of fewer and fewer corporations is hardly an indication of a vibrant free market. But that is a symptom of corporatism, and when government is in alliance with those crony corporate interests instead of the general well-being of all taxpayers, it is called corporate socialism also sometimes known as national socialism or fascism.
   

Re:The Red Hat Wizard Falls Under Sauron's Spell (5, Informative)

a90Tj2P7 (1533853) | about 2 years ago | (#40231903)

"UEFI is an OEM Software Vendor's bald-faced grab at monopoly power. Microsoft would be the key generator. Redhat would pay Microsoft a one-time fee per user machine, which RH figures likely to be a one-time $99 fee. This charge would be per machine, not per user, as it is likely that no 2 computers on the same network can have the same key."

I couldn't make it through the first paragraph without hitting ridiculous levels of FUD. MS isn't the key generator. They're not even the generator of their own key. The license isn't per-machine, it's per-source/vendor. There's no kind of per-machine restriction, in any way, shape or form.

Enthusiast systems (1)

ZorinLynx (31751) | about 2 years ago | (#40231823)

Even if this comes to pass for companies like Dell and HP, I doubt the "enthusiast" system builders like Asus and Gigabyte will be locking down their motherboards. After all these are machines frequently built and tweaked from the ground up, and enthusiasts won't buy them if they're locked down and they have to install a specific OS version.

Microsoft has a history ... (1)

mbaGeek (1219224) | about 2 years ago | (#40231847)

the big concern is that Microsoft has a history of not playing well with others, but that was with Bill Gates running the show

Steve Ballmer (who dropped out of Stanford's business school to join Microsoft - i.e. he is a "businessman" in the good sense) is probably a little less cut-throat (or inclined to "compliance with raised middle finger") than Bill Gates - which is obviously just my opinion - and I'd gladly work for either Microsoft or Red Hat (I've used both companies' software for years, but I'm not religious about either)

anyway, I'm still not convinced that "UEFI" is the next big thing, I'm willing to listen/try it - but taking a "trust but verify" attitude toward the whole thing
