Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Thibault Nélis writes:

> > Again, you are assuming that Microsoft will sign off on the concept of
> > signing a shim, and going forward, it's the wild-wild West.
> >
> > Not going to happen.

> Well, why wouldn't they?

Because that makes the entire concept of a trusted boot into a trusted operating system moot.

They are not that dumb.

This will enable a piece of PC hardware to boot an operating system, then run virus code that boots Windows' bootloader, infecting it, and bypassing the protection benefits that a trusted bootloader chain allegedly offers.

At some point, they have to trust the people developing the software, and not the software itself. In essence, the shim is like a certificate (since it's signed by Fedora implicitly via the package management system).

If the shim enables anyone to execute any code they wish, "on bare metal", it makes the entire concept of trusted boot completely and totally moot.

Which is why it's not going to happen.

> > No, it wouldn't. Why the frak should I ask anyone for permission to run
> > my own software on my own computer? Can you explain that concept to me?
>
> Well, we agree, so just sign it yourself; there's no problem here.

Sure, I can sign it. Except that Fedora will refuse to run it, because it's not signed by their key.

And, if there's a process by which my own signing key acquires the magical pixie dust, that does not involve, in any way whatsoever, any outside party giving their stamp of approval, that blows the entire boot loader trust chain wide open.

> So you have to do the logical thing, generate a personal key and sign
> your own stuff with it.

But I can't do that. Only stuff signed with Fedora's key will run.

> Yes, you can. You have to go up the chain. The top is the firmware, where you'll put your key, then sign your own shim with it.

This is the pie in the sky.

This part is not going to happen. Microsoft will make sure of that.

> For now, the only trust broker is Microsoft (actually, we now know that Verisign is somehow involved since they will receive the payments; and they are arguably less biased). Microsoft/Verisign currently ask $100 for the signatures. Every time an attacker's malware is detected and blacklisted, it would have to pay $100 to a trust broker to get a new signature.

And how exactly would a piece of hardware have the ability to revoke a certificate?

If the malware is signed, the malware will have the ability to prevent the firmware from accessing whatever network-based facilities are needed to pull in a certificate revocation chain.

> You should cool down, BTW. That's just the slashdot effect, everyone suddenly likes to hate and revolution sounds cooler than ever, but it will pass.

You should, perhaps, spend a few minutes actually thinking it logically through.

If Microsoft signs the key that enables loading a free and open operating system, this will defeat their own trusted boot chain by side-stepping it.

Which is why they won't.

They will only sign a bootloader that loads a closed OS kernel. Fedora will never get a signed bootloader, this is for RHEL.

Now, from all the reading I've done on the subject, the only thing I found was a kill switch that OEMs must install to completely disable trusted bootloading.

I do not recall anyone mentioning any OEM that will enable a user to install their own bootloader signing keys alongside Microsoft's.

Can you point me to any OEM that indicated that they will make hardware that implements user-installed keys?

As I said, I've opened a betting pool. Initially, I bet 1,000 quatloos that Fedora's bootloader will not be signed a year down the road, after this whole circus gets running.

I'm going to throw in another 1,000 quatloos on a different bet. Microsoft will also require OEMs' boot firmware to be signed by Microsoft's key in order for a Microsoft OS to boot off it. Otherwise, the user will be greeted with a nicely-rendered message that their hardware is incompatible.

And Microsoft will not sign a firmware image that will accept user-installed keys.

You really think that any OEM will fight this? Why should they?

There goes your pipe dream of being able to install your own keys into the firmware. Not going to happen.


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users