Re: Need more info: UEFI Secure Boot in Fedora

On 31/05/12 7:32 PM, Edward M wrote:
> Hi,
> 
>  
> I don't fully understand the approach that may be taken as a workaround to
> UEFI Secure Boot for Fedora:
> 
>    The last option wasn't hugely attractive, but is probably the least
>    worst. Microsoft will be offering signing services through their sysdev
>    portal <http://sysdev.microsoft.com>. It's not entirely free (there's a
>    one-off $99 fee to gain access), but it's cheaper than any realistic
>    alternative would have been. It ensures compatibility with as wide a
>    range of hardware as possible and it avoids Fedora having any special
>    privileges over other Linux distributions. If there are better options
>    then we haven't found them. So, in all probability, this is the approach
>    we'll take. Our first stage bootloader will be signed with a Microsoft
>    key.

So, the boot process on EFI without secure boot is

EFI firmware
|
v
grub(2)
|
v
kernel

With secure boot, it will run something like this

EFI firmware (signed and validated by hardware). This holds the MS
public keys, and verifies the signature of the next bootloader
|
v
First stage bootloader, signed by the MS keys. This contains the Fedora
keys, and will check the signature of the next stage.
|
v
Grub(2). This is signed by the Fedora keys. It checks the signature of
the kernel against the Fedora keys.
|
v
Kernel

If grub2 were loaded directly from firmware, every time grub2 was
updated, it would need to be submitted to MS for signing. This would
take time, and create hassles.

The reason that a first stage bootloader is needed is that Grub 2 is
updated somewhat frequently. By having a small, static first stage
loader which contains the Fedora keys, this means that it is less
frequent that this will need replacing, and moreover, does not need
re-signing by Microsoft every time a grub2 update occurs. In theory, the
only time the first stage loader would need replacing is when the MS
keys expire, when the Fedora keys expire, or when an update to this
needs to occur. But of course, this would be small and simple, so
updates would be infrequent, if ever.



> 
> Will I need to pay $99 to use Linux, etc.? What about other distros?
> I know I will be speculating at this point but wondering what could be the
> repercussions if this method is taken?

No. I would assume the Fedora project pays the $99, and then distributes
the signed bootloader component, with the Fedora keys built in.

-- 
Sincerely,

William Brown

pgp.mit.edu
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2
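
The chain of trust described in this message, modelled as an added example that is not part of the original e-mail and is not Fedora's or Microsoft's code. It assumes textbook RSA over known primes as a stand-in signature scheme (a toy, with constructed keys and image bytes); `build_chain` and `boot` are hypothetical names. It shows that a grub2 update needs only a Fedora signature, while a changed grub2 image without one is rejected.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def toy_keypair(p, q):
    """Textbook RSA from two known primes -> (public n, private d). Insecure; model only."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(image, n):
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, n, d):
    return pow(digest(image, n), d, n)

def verify(image, sig, n):
    return pow(sig, E, n) == digest(image, n)

# Constructed stand-ins for the Microsoft key and the Fedora key (Mersenne primes).
MS_N, MS_D = toy_keypair(2**127 - 1, 2**107 - 1)
FED_N, FED_D = toy_keypair(2**89 - 1, 2**61 - 1)

def build_chain(grub=b"grub2 build 1", kernel=b"kernel build 1"):
    """Each stage is (name, image, signature). The Fedora public key is part of
    the first-stage image, so it is covered by the Microsoft signature."""
    shim = b"KEY=%d;first-stage loader" % FED_N
    return [("first-stage", shim, sign(shim, MS_N, MS_D)),
            ("grub2", grub, sign(grub, FED_N, FED_D)),
            ("kernel", kernel, sign(kernel, FED_N, FED_D))]

def boot(firmware_key, chain):
    """Return (True, None) if every stage verifies, else (False, rejected stage)."""
    key = firmware_key
    for name, image, sig in chain:
        if not verify(image, sig, key):
            return False, name
        if image.startswith(b"KEY="):      # verified stage carries the next key
            key = int(image[4:image.index(b";")])
    return True, None

if __name__ == "__main__":
    v1 = build_chain()
    v2 = build_chain(grub=b"grub2 build 2")          # grub2 update, Fedora re-signs
    print(boot(MS_N, v1), boot(MS_N, v2))
    print("first stage untouched by update:", v1[0] == v2[0])
    name, _, old_sig = v1[1]
    tampered = [v1[0], (name, b"grub2 modified", old_sig), v1[2]]
    print(boot(MS_N, tampered))                      # rejected at grub2
```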
