Good Bye Fedora
|
Author | Content |
---|---|
nmset Jun 07, 2012 2:28 AM EDT |
Even if secure boot can be disabled, this is totally unacceptable. It's a friendly agreement between two US companies to control every PC on the planet and nothing more ! Downstream risks like viruses are not answered by this secure boot lock-in. |
BernardSwiss Jun 07, 2012 2:51 AM EDT |
Not even wrong. |
nmset Jun 07, 2012 4:10 AM EDT |
We'll see what the rest of the world will say about this hijacking. Will state authorities require from vendors that their hardware cannot deprive the citizen from freedom of choice ? I mean, will the ability to disable secure boot be a requirement for selling hardware in any country ? Will secure boot enabled by default be seen by state authorities as an anti-competitive measure ? Vendors are not obliged as per efi specifications, as far as I understood, to allow disabling secure boot. |
linux4567 Jun 07, 2012 9:02 AM EDT |
I'm very disappointed that they insist with the lie that 'crippled boot' will do anything to enhance security. They conveniently forget to mention that this alleged security depends on a closed-sourced blob (the UEFI/BIOS) and a key that they have no control over, so this is a pure illusion of security. I can't believe Redhat is either that naive or is knowingly deceiving their customers... |
Fettoosh Jun 07, 2012 9:44 AM EDT |
Quoting:Downstream risks like viruses are not answered by this secure boot lock-in. I was under the impression that it does, I guess I was wrong. If that is the case, it really isn't worth all the trouble. And why wouldn't be something that users can switch on & off? Does MS know better than what the user wants and should have? I believe this is something really dangerous and we won't know its danger until later on in the future and when it is too late. I don't use Fedora and waiting to see what Kubuntu is going to do. I don't buy from standard OEM computers any more. I either buy from manufactures (newegg no OS, foxcon, etc) or build my own. |
Bob_Robertson Jun 07, 2012 10:24 AM EDT |
> Does MS know better than what the user wants and should have? I will assume that this was merely a rhetorical question. |
CFWhitman Jun 07, 2012 10:35 AM EDT |
Quoting:I was under the impression that it does, I guess I was wrong. It can defeat rootkits, but not other kinds of malware. It stops altered versions of an operating system kernel from booting. Basically, though, all it really does is stop unapproved kernels from booting. That could be a fine thing when the user is the approval authority. I don't want to have to appeal to Microsoft to approve my operating system, though. |
jacog Jun 07, 2012 10:39 AM EDT |
I have some faith in the hacking community here. Deep in a dark basement somewhere, there's a lone crusader who has never seen the sun, who right at this very moment is on the verge of finishing his/her mighty UEFI buster program. |
caitlyn Jun 07, 2012 10:55 AM EDT |
Quoting:I can't believe Redhat is either that naive or is knowingly deceiving their customers...It's not a Red Hat thing. Linux Torvalds is a supporter of UEFI. It most certainly isn't a Microsoft-Red Hat partnership to control computing. I have concerns but, please, the hyperbole and the-sky-is-falling hysteria benefits nobody. |
penguinist Jun 07, 2012 11:21 AM EDT |
@jacog: Yes, there will be exploits found to break locked boot loaders on PCs, but is this the future we want for ourselves. Let's think about the situation we now have with mobile hardware and extrapolate that to PCs. I bought an HTC evo 3D a while back and its boot loader was locked. A hack was found and it eventually was opened. Only after that was I able to install the tools that permitted me to secure my phone. In the mobile space we have this cat and mouse game going on between vendors desiring to lock out users, and users wishing to have control over the products they bought and use. I really really really don't want to see this cat and mouse game propagate into the PC space. |
tuxchick Jun 07, 2012 11:30 AM EDT |
Ew, mealymouth Red Hat:Quoting: Some conspiracy theorists bristle at the thought of Red Hat and other Linux distributions using a Microsoft initiated key registration scheme. Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative. |
JaseP Jun 07, 2012 11:37 AM EDT |
RedHat is hardly "mealymouthed." They have been just about the only Linux Distro vendor not to roll over when threatened with patent suits, etc. I think they really believe UEFI secure boot is a viable technology, if imperfect in it's implementation. I think they truly believe M$ will play nice in this sphere, if for no other reason to avoid antitrust problems. |
caitlyn Jun 07, 2012 11:38 AM EDT |
For all those who are upset at Red Hat, please answer this: What was the alternative? What would have happened if the Linux community stood up against UEFI and it went ahead anyway? |
nmset Jun 07, 2012 11:47 AM EDT |
Quoting:Torvalds is a supporter of UEFI 1. The problem is not UEFI but the secure boot aspect of UEFI. 2. http://kerneltrap.org/node/6884 He called it there "the other Intel brain damage". In any case, the platform owner's freedom is at stake here. Most buyers won't even know how much they may get locked-in with OEM hardware. |
Fettoosh Jun 07, 2012 11:50 AM EDT |
Quoting:I will assume that this was merely a rhetorical question. They all are. :-) |
linux4567 Jun 07, 2012 12:10 PM EDT |
> Ew, mealymouth Red Hat Exactly, the way RH is trying to brandmark critics as conspiracy lunatics is a very dirty move and it shows they are struggling to defend their decision with rational arguments against the overwhelming negative feedback on Linux forums all over the internet. I'm very, very disappointed with Redhat, I always had them as the only major corporation that was holding up the principles of FOSS unconditionally, but their decision to support 'cripple boot' and the way they are defending themselves now has left a very bitter taste in my mouth. |
nmset Jun 07, 2012 12:16 PM EDT |
<quote> What would have happened if the Linux community stud up against UEFI and it went ahead anyway?</quote> Its' only how MS compels defaulting to secure boot on OEM vendors the problem. The manufacturers may not give the choice to disable secure boot and they are not required to do so. Would you run your Fedora/Red Hat host without ever recompiling a kernel ? How would you sign it ? If you can disable secure boot on OEM hardware, you can still use UEFI and work normally as nowadays. Moreover, the OEM vendor is not obliged to allow the buyer to install his own keys in the UEFI stuff. If you fear rootkits that much, you could sign your kernel youself. It all depends on what options OEMs allow. We know that MS can influence them much, even politicians, so hardware manufacturers... ! |
Fettoosh Jun 07, 2012 12:16 PM EDT |
In previous comments I faulted Red Hat for rushing into a solution that includes MS. Including MS can never be but dangerous. But, could it be that Red Had is purposely doing that to trigger more interest in finding a solution before it is too late? After all, they did say this isn't final and open to suggestions. May be including MS was mostly to demonstrate how dangerously serious it could get if nothing was done about it before hand and MS ends up making the decision for us all. Just thinking. |
CFWhitman Jun 07, 2012 12:19 PM EDT |
Quoting:For all those who are upset at Red Hat, please answer this: What was the alternative? What would have happened if the Linux community stud up against UEFI and it went ahead anyway? At this point the alternative is to make do with the other solutions (something that most distributions will have to do anyway). Those are: 1. Ask users with a Secure Boot capable UEFI firmware to disable Secure Boot before installing any operating system other than the one(s) their computer has a key for in its list. 2. Take advantage of systems that allow users to add their own Secure Boot keys to the list on their computer. Of course, by naming it "Secure Boot" Microsoft is also giving the impression that disabling it is a security risk, so users should think twice before installing this other operating system that compromises the security of their computer. Secure Boot doesn't actually stop your system from being compromised, though, it only stops it from running once a particular type of compromise (a rootkit) has happened. That actually could help stop some malware from propagating as quickly. The problem is that Secure Boot can't really tell the difference between malware and legitimate software. Secure Boot will not only stop you from installing alternative systems like Linux or BSD. It could also easily end up stopping you from installing newer or older versions of Windows than the one that came with the machine. |
Bob_Robertson Jun 07, 2012 12:29 PM EDT |
I'm pretty sure this has already been answered, but I missed it. People talk about having to sign the OS kernel, but wouldn't the firmware be irrelevant once past the boot loader? So wouldn't it be GRUB/LILO that's needing to be keyed? |
caitlyn Jun 07, 2012 12:46 PM EDT |
@Bob_Robertson: Yes. @CFWhitman: You are assuming OEMs will produce hardware that either doesn't have UEFI or allows users choices. I don't make such an assumption. I assume Microsoft will strong arm OEMs to make sure that their hardware is 100% locked in to Windows-the-latest. Does anyone remember what happened with ASUS at Computex in 2009? Their lovely little Snapdragon (ARM) powered EeePC that they apologized for showing? A Microsoft VP was on stage for that apology. How about IBM's testimony during the DOJ's pursuit of Microsoft? Anyone else remember how OS/2 really died? How about HP? Their Linux laptop/netbook offerings disappeared the day Windows 7 was releases. Does anyone believe that was a big coincidence? I didn't think so. Red Hat had two options: cut a deal or get locked out of the desktop market entirely. Considering many of their enterprise server customers also demand a desktop product that reduced their options to one. |
nmset Jun 07, 2012 12:48 PM EDT |
@Fettoosh If you must use RedHat kernel binaries without the ability of running a self-compiled kernel, what does open source means ? How is it still relevant ? These binaries may contain trojans specially delivered to you if you work on sensitive data. It's really a conspiration, perhaps blessed by the DOD, CIA, MI6... who knows... Security remains a paranoid affair and the situation is already alarming. |
caitlyn Jun 07, 2012 12:50 PM EDT |
You would not have to use Red Hat kernel binaries and the kernel source will still be open. Geez! Welcome to panic and misinformation central. Bob_Robertson got it right: the key has to be in the bootloader, not the kernel. Otherwise it will be pretty darned easy to bypass this entire mess. |
nmset Jun 07, 2012 1:02 PM EDT |
@caitlyn
According to http://mjg59.dreamwidth.org/12368.html kernel and modules will have to be signed Fedora won't give away their signing keys (logical) Not only the bootloader is signed. And that's a Fedora Guru writing on how Fedora will implement secure boot. No we are not in Daisy land ! |
Fettoosh Jun 07, 2012 1:12 PM EDT |
Quoting:People talk about having to sign the OS kernel,... I thought the OS would have some sort of a way to communicate with UEFI or have its own application CA list. Or is that a future feature?! Does anyone have good information on how this whole thing is being implemented by MS, if it had been released? |
JaseP Jun 07, 2012 1:25 PM EDT |
Quoting: Does anyone have good information on how this whole thing is being implemented by MS, if it had been released? Uhmmm,... Badly?!?! |
Bob_Robertson Jun 07, 2012 1:49 PM EDT |
> Uhmmm,... Badly?!?! That's a given. |
CFWhitman Jun 07, 2012 2:34 PM EDT |
Quoting:You are assuming OEMs will produce hardware that either doesn't have UEFI or allows users choices. No, I'm not assuming anything; I'm just listing the alternatives. Remember that most Linux distributions will not have the option to purchase a key from Microsoft. However, it is true that Microsoft has promised that OEMs will be allowed, even encouraged, to make Secure Boot an option in CMOS for x86/amd64 based UEFI systems. Of course a promise like that doesn't mean much coming from a large corporation like Microsoft. On the other hand, it's fairly certain that the demand for Linux is not going to disappear overnight because of the release of Windows 8. There will be companies that produce hardware that will support Linux. The problem is that there is no reason for Secure Boot to be an issue you should have to worry about, but they are making it one. By the way, my current home desktop system has UEFI firmware. It's not UEFI that's the problem; it's very specifically the Secure Boot feature that is problematic. |
cr Jun 07, 2012 5:01 PM EDT |
Quoting: Remember that most Linux distributions will not have the option to purchase a key from Microsoft. It should be easy enough to buy cheap workarounds off the warez 'n' crax market within a couple of weeks of release. |
caitlyn Jun 07, 2012 5:04 PM EDT |
Read the IBM testimony from the DOJ case. They were given a choice: drop OS/2 or never receive a copy of Windows at any price. They almost went with OS/2 but the PC Company convinced upper management that would be suicidal for their business. The 11th hour compromise was that IBM would no longer market OS/2 or provide ISV support, effectively dooming the OS.Quoting: On the other hand, it's fairly certain that the demand for Linux is not going to disappear overnight because of the release of Windows 8.What if Microsoft told a manufacturer that their desktop (not server) hardware will run Windows 8 exclusively or they would never be able to buy Windows again. How many would cave in? All of them. Considering there is precedent for Microsoft doing exactly that I am not sanguine about the availability of hardware that will run Linux without hacking. |
caitlyn Jun 07, 2012 5:05 PM EDT |
Quoting:It should be easy enough to buy cheap workarounds off the warez 'n' crax market within a couple of weeks of release.That's fine for individual users. Linux distributors would be opening themselves up for legal action in a big way. |
nmset Jun 07, 2012 5:40 PM EDT |
Hmmm. caitlyn, you seem to have close relationship with RedHat, your posts are not objective and do not sweat 'straightness', a compiler would sparkle lots of errors at these ! |
BernardSwiss Jun 07, 2012 8:50 PM EDT |
@CFWhitman Quoting: At this point the alternative is to make do with the other solutions (something that most distributions will have to do anyway). Those are: If 'option # 2' was something we could actually count on, we wouldn't have a problem. And we should be able to. But we can't. It's perfectly sensible that MS would insist that Win 8 systems be shipped with "Secure Boot" mode enabled -- that could rightly be labelled a "sane default". And it's fine that "Secure Boot" can be disabled (for x86 only though, not ARM). That's also sensible. But MS has very cleverly and very sneakily and with malice aforethought (does anybody familiar with Microsoft's history think MS did this 'inadvertently' or without full understanding of the competitive implications?) made absolutely no mention of UEFI Secure Boot key management in its formal specifications for Win 8 certification. -- -- -- -- -- I think that the clinching detail is that Microsoft appears to have co-opted the terminology, managing to re-frame the issue, successfully labelling the sensible, full, managed-key UEFI implementation as "Custom Mode" (!) and the Windows-only Secure Boot implementations as "Standard Mode". Perhaps it would be an effective tactic to refuse this framing -- pointing out if necessary the biased re-labelling that Microsoft has been so cleverly pushing -- and consistently call them by more sensible terms, instead, such as "User Mode" or perhaps "Managed Mode", versus "Microsoft Mode" or "Custom Microsoft Mode", or "Microsoft 'Default' Mode... |
CFWhitman Jun 08, 2012 10:23 AM EDT |
I want to be clear here that I am not saying that Red Hat didn't have to do this because there are alternatives and everything will be hunky dory. I'm only saying that what Red Hat is doing is not a solution for the problem in any way.Quoting:What if Microsoft told a manufacturer that their desktop (not server) hardware will run Windows 8 exclusively or they would never be able to buy Windows again. How many would cave in? All of them. That may or may not be a problem with OEMs (it's the type of thing that could draw anti-trust attention, though, particularly in Europe). Regardless, there are motherboard manufacturers who do not want to lose out on component sales to do-it-yourselfers, and there is no practical way to make Secure Boot an absolute necessity when selling computers as components because the array of operating systems involved is too unpredictable (even when you are talking about only different versions of Windows). There will be places you can get computers. As I said before, though, there should be a very set way of dealing with Secure Boot issues so that users won't have a problem, but Microsoft is not pushing things in the right direction. Microsoft feels that they can get away with enforcing Secure Boot on ARM devices because no market for unlocked devices has been established so far (the other ARM device makers are doing essentially the same thing). To an extent, though, I think that Secure Boot is an attempt to put the genie of custom software installations back into the bottle, and I don't think it will hold up in the end (I just think it will cause a lot of headaches in the meantime). Eventually, there will be a significant amount of unlocked ARM hardware on the market (there already is some). It will gradually become harder to convince the geek market (the core of the computer sales market) that they don't want unlocked hardware. |
caitlyn Jun 08, 2012 5:00 PM EDT |
@nmset: Thanks for the false accusations. I have not had any relationship at all with Red Hat since November, 2005. Perhaps you are the one who can't accept a view other than yours and assume it must be bias. It isn't. |
BernardSwiss Jun 08, 2012 6:44 PM EDT |
Quoting: What if Microsoft told a manufacturer that their desktop (not server) hardware will run Windows 8 exclusively or they would never be able to buy Windows again. How many would cave in? All of them. MS won't actually say that -- if only because they simply don't need to. Margins are thin enough, (and for that matter, Branding strong enough) that not qualifying for co-marketing funds, "Windows 8 certified" logos and stickers, etc, makes for a pretty heavy hit on an OEM's bottom line. |
Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]
Becoming a member of LXer is easy and free. Join Us!