Thibault Nélis writes:
Why Microsoft would help here is certainly a bit of a mystery at first, but as I mentioned already, they certainly fear a PR and legal nightmare,
I do not believe they fear anything like this, at all.
Tell you what. Let's revisit this, when there's a key that will boot any Linux kernel, that anyone can build themselves, and install, ok?Well the math doesn't compute here, it's cryptographically impossible. I mean you could sign a shim that won't verify the integrity of the boot
There you go.
loader, but you would gain absolutely nothing from secure boot then, it makes as much as disabling it entirely.
Let's rewind it back up a bit.The presumed purpose of a secure boot is to prevent bootloader-infecting malware.
Once that out of the way, you're done with your secure boot. Proceed as usual.
You're going meta. Who's gonna check the integrity of the firmware? Can youI tell you who: Microsoft. And their OS, when it boots. The only way to work around it, would be copyright infringement.I don't think we understand each other, I was joking. It makes little sense for the OS to check the integrity of the firmware if the firmware itself is the one thing that verifies the integrity of the OS (via the loader). I
Actually, it makes perfect sense. This is analogous to client certificate verification with TLS.
mean it's not even a real catch-22, you won't ever boot the kernel before the firmware, so this is a non-issue.
You need to put yourself into Microsoft's frame of mind.They're going in the direction of OEMs locking down their firmware to booting only Microsoft OSes. Now, the other shoe drops. In turn, some future Microsoft OS release will only boot on firmware that's signed by Microsoft's key. If it's not, the OS will refuse to boot, displaying a soothing message to the user that their hardware is incompatible.
To make it compatible, OEMs will have to pay the same $99 fee for Microsoft to sign their firmware.
Now you get it?
Anyway, that won't stop, of course, an OEM &/| Microsoft from suing anyone that produces hardware containing an image signed by a Microsoft key, but actually executes something else, that allows for an open boot.Why would they sell their OEM arrangements (in the form of loaders signed
Who said anything about selling?In the next sentence, my reference to copyright infringement was not a throwaway line. In order to boot a future Microsoft OS release, in a future version of libvirt, you will need a signed firmware image, swiped from an OEM who paid the Microsoft tax, order for the Microsoft OS to boot in your VM.
VMWare will have no issues paying a fee to Microsoft, for their VM firmware signed, of course.
PS (OT): I'm pretty confident we fell in there[1]. All in good fun though ;). At least I hope so, else I apologize. It's how it's done on the Internet.
Yeah. It's just that I see this a mile away. It's as clear a day.I have no particular passion towards Microsoft. I just want them to leave me the hell alone, that's all.
Attachment:
pgpsxyrDBiZCo.pgp
Description: PGP signature
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
