Re: New memory tester application potentially to replace memtest86+: PCMemTest

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Chris Murphy wrote:
> This is such an old argument. I know you've been around in Fedora long
> enough to actually understand this stuff if you really wanted to at
> least not spread misinformation.

I do not see how I am spreading misinformation. I think you are 
misunderstanding me. I do not intend to blame Microsoft for all the issues 
with the Secure Boot spec, they are only the monopoly for the signature of 
the initial bootloader. See my reply to Neal Gompa.

> Microsoft does not approve or disapprove of operating systems. They
> have an EFI signing program for developers. They are signing just our
> shim bootloader. Fedora signs the other things in the boot chain.

Where have I claimed anything else? The fact is still that the requirement 
for Microsoft to sign the initial bootloader gives them veto power over any 
operating system running on users' computers.

And that is the one and only flaw (out of several) in the spec in which 
Microsoft is involved. The remaining issues are inherent to the spec itself.

> Anyone can enroll their own signing keys with the firmware, sign the
> bootloader, kernel and kernel modules, including 3rd party. You can
> even mix and match signed binaries. And those binaries will comply
> with a Secure Boot enabled system just fine, without having Microsoft
> signatures on anything. Yes that's tedious and it would be better if
> it were easier than it is right now.

While I appreciate that the shim developers introduced this workaround 
(IIRC, it actually comes from openSUSE developers, not Fedora or Red Hat 
developers), this is absolutely impractical compared to just disabling the 
restrictions altogether.

> Windows supports hibernation, with UEFI Secure Boot enabled. We don't
> because Linux hibernation images are inherently insecure by design and
> thus are a loophole for thwarting the Secure Boot regime.

I do not want my computer to impose a regime on me. I want to decide what I 
run on my own computer, I do not want my computer to decide for me. Say no 
to Treacherous Computing!

> Therefore a kernel lockdown policy is applied to disallow hibernation if
> Secure Boot is enabled. It can be fixed, but the resources to finish that
> work have not yet materialized.

Even that will still not fix the other restrictions inherently caused by 
this security regime.

> Literally none of this is Microsoft's fault.

I have never claimed otherwise.

> And rootkits predate UEFI.

Yet, we were running just fine all these times without something like 
"Secure Boot".

        Kevin Kofler
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux