Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

Ex-Red Hat Employee Matthew Garrett Comments On the State of XMir

mjg59 Re:Poor Mattthew Garrett (88 comments)

I stopped working on Ubuntu because decisions were increasingly being made internally rather than anywhere that volunteer contributors could influence them. The "Click here to instantly break your mouse" thing was just the final straw. There's a component to the story that involves beer and a hilarious reply vs. reply all error on an iPhone, but I don't remember it being about anyone siding with Scott - there's a picture somewhere of me deactivating my Ubuntu membership a few minutes after sending https://lists.ubuntu.com/archives/ubuntu-devel/2008-February/025141.html , which hardly gave them time to.

1 year,20 days
top

Samsung Laptop Bug Is Not Linux Specific

mjg59 Re:Does windows crash if it has 0 temp space or 0 (215 comments)

I'm sorry, you're right - I was under the impression that overcommit_memory defaulted to permissive rather than heuristic allocation. However, overcommit_ratio is also ignored by default.

about a year and a half ago
top

Linux Foundation's Secure Boot Pre-Bootloader Released

mjg59 Re:This is bollocks (178 comments)

"Setup mode" is part of the UEFI specification. You can add any keys you want to while you're in it.

about a year and a half ago
top

Samsung Laptop Bug Is Not Linux Specific

mjg59 Re:Does windows crash if it has 0 temp space or 0 (215 comments)

You can malloc() as much as you want until you run out of address space. That's 3GB on 32-bit systems, no matter how much RAM you have. Things will only go wrong if you attempt to use it for anything.

about a year and a half ago
top

Samsung Laptop Bug Is Not Linux Specific

mjg59 Re:Not even a brick, not a story (215 comments)

Removing the CMOS battery didn't recover this system, which is pretty much what I'd expect - UEFI variables are typically stored in the same hardware as the firmware itself, and unplugging batteries doesn't kill your firmware.

The system doesn't fail to boot. The system doesn't even complete its power-on self checks. The screen is never turned on. It never responds to keyboard input. It's bricked. This machine's not coming back to life without an SPI programmer.

about a year and a half ago
top

UEFI Secure Boot Pre-Bootloader Rewritten To Boot All Linux Versions

mjg59 Re:Samsung UEFI (185 comments)

Yes, but Windows requires signed drivers.

about a year and a half ago
top

New Secure Boot Patches Break Hibernation

mjg59 Re:Conceptually.. (196 comments)

Disabling secure boot means you can easily lie to the OS about whether or not secure boot is enabled.

about a year and a half ago
top

New Secure Boot Patches Break Hibernation

mjg59 Re:Conceptually.. (196 comments)

If it were an anti-piracy measure then there wouldn't be a requirement for you to be able to disable it.

about a year and a half ago
top

New Secure Boot Patches Break Hibernation

mjg59 Re:Conceptually.. (196 comments)

The kernel can execute ring 0 instructions. Your initrd can't. The difference is that you could construct an appropriately modified hibernation image that booted an arbitrary kernel - or even an entirely separate OS. In that scenario, your kernel is effectively a new bootloader, except unlike the signed bootloaders it'll happily boot an entirely unsigned OS. That's unlikely to end well.

But, conceptually, you're right. Secure Boot doesn't magically make a system secure, but it *is* a vital part of system security - if you can't trust your kernel, any other security you attempt to build is pretty much pointless.

about a year and a half ago
top

FSF Does Want Secure Boot; They Just Want It Under User Control

mjg59 Re:What problem does it solve? (210 comments)

You don't need an exploit or a kernel patch. You just need to replace the firmware's function pointer to GetVariable(), which is a thing you can do because you're running untrusted code in the firmware context. The OS has no way of knowing that you're doing that.

about 2 years ago
top

FSF Does Want Secure Boot; They Just Want It Under User Control

mjg59 Re:What problem does it solve? (210 comments)

"The GetVariable() call returns a decryption key that the hardware calculated"

No it doesn't. It returns a 1 if the firmware claims to have booted securely, and a 0 if not. You're thinking of Measured Boot, not Secure Boot.

about 2 years ago
top

FSF Does Want Secure Boot; They Just Want It Under User Control

mjg59 Re:What problem does it solve? (210 comments)

Please describe how Windows can accurately determine whether it was booted in Secure Boot mode or not. For an encore, describe how Trusted Computing can limit the code you can boot. As far as I know, single machine local attestation is an unsolved problem.

about 2 years ago
top

FSF Does Want Secure Boot; They Just Want It Under User Control

mjg59 Re:What problem does it solve? (210 comments)

How does Windows know whether it was booted in secure mode? It makes the EFI GetVariable() call. Which is a function pointer handed to it by the firmware. Which you can modify if you're running untrusted code. So, no, Windows can't tell.

about 2 years ago
top

FSF Does Want Secure Boot; They Just Want It Under User Control

mjg59 Re:Restricted Boot by definition insecure (210 comments)

If you were a serious virus writer you'd already want to use the Microsoft CA to sign your rootkit so you can install it as a signed driver in Windows. Secure Boot moves the vulnerability down the stack, but even now a compromised Microsoft signing key is still massively desirable to virus authors.

about 2 years ago
top

FSF Does Want Secure Boot; They Just Want It Under User Control

mjg59 Re:So then they're fine with Windows 8 (210 comments)

Microsoft have told me that they'll revoke certification for any vendor who doesn't provide the appropriate options. If you have examples of machines that have certification and which don't allow any modification of the key database, let me know so we can find out if they were telling the truth.

about 2 years ago
top

FSF Does Want Secure Boot; They Just Want It Under User Control

mjg59 Re:So then they're fine with Windows 8 (210 comments)

You've linked to a story about a traditional MBR bootkit that doesn't even run under UEFI. Secure Boot is, as far as anyone knows, not yet cracked.

about 2 years ago
top

FSF Does Want Secure Boot; They Just Want It Under User Control

mjg59 Re:What problem does it solve? (210 comments)

It's not DRM. You can turn it off in the firmware and there's no way for the OS to know that you did.

about 2 years ago

Submissions

Journals

mjg59 has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?