| 1 |
Am 02.06.2012 15:00, schrieb Michael Mol: |
| 2 |
> On Sat, Jun 2, 2012 at 3:43 AM, Florian Philipp <lists@×××××××××××.net> wrote: |
| 3 |
>> Am 02.06.2012 04:26, schrieb William Kenworthy: |
| 4 |
>>> http://boingboing.net/2012/05/31/lockdown-freeopen-os-maker-p.html |
| 5 |
>>> |
| 6 |
>>> and something I had not considered with the whole idea was even bootable |
| 7 |
>>> cd's and usb keys for rescue will need the same privileges ... |
| 8 |
> |
| 9 |
> [snip] |
| 10 |
> |
| 11 |
>> Okay, enough bashing the article. Some technical question: As I |
| 12 |
>> understand it, if I want to make a live CD or a distribution, all I'd |
| 13 |
>> need to do is to use Fedora's kernel and boot loader? That's not so bad. |
| 14 |
> |
| 15 |
> Or turn off 'secure boot' in the BIOS configuration menu. |
| 16 |
> |
| 17 |
> For Windows 8 certification, a device must _default_ to 'secure boot' |
| 18 |
> being turned on. You're allowed to turn it off, you just can't have |
| 19 |
> programmatic access to turn it off; it has to be done manually. |
| 20 |
> |
| 21 |
|
| 22 |
Yes, that was my point (or part of it). The main issue is usability for |
| 23 |
the technically not so inclined. For the typical Gentoo user secure boot |
| 24 |
is not an issue is no more trouble than changing the boot order to boot |
| 25 |
from CD-ROM. For mainstream distros like Ubuntu or Fedora, it is an |
| 26 |
issue. But they can afford to spend 99$ *once* to just get a valid key. |
| 27 |
|
| 28 |
> I expect that'll be available in things like motherboards sold |
| 29 |
> directly to end-users. I expect it *won't* be available in whatever |
| 30 |
> the current iteration of Compaq/HP/Packard Hell all-in-one devices is; |
| 31 |
> manufacturers of those devices will still have keys installed to allow |
| 32 |
> debugging and maintenance tools to operate, but their signed tools |
| 33 |
> would only be available to their certified technicians. |
| 34 |
> |
| 35 |
|
| 36 |
As I understand it, having the chance to deactivate it is now mandatory |
| 37 |
for Windows certification but I could be wrong. |
| 38 |
|
| 39 |
> Does anyone know what crypto hash they're using to sign these things? |
| 40 |
> I imagine it won't be too long (3-4 years, tops) before either the |
| 41 |
> signing key leaks or collision attacks are figured out. |
| 42 |
> |
| 43 |
|
| 44 |
According to [1] it is SHA-256 and RSA-2048. If I understand it |
| 45 |
correctly, there are means to blacklist compromised keys. That's why |
| 46 |
Fedora cannot simply share their key but they will share their |
| 47 |
infrastructure and tools. |
| 48 |
|
| 49 |
[1] http://www.uefi.org/learning_center/UEFI_Plugfest_2011Q4_P5_Insyde.pdf |
| 50 |
|
| 51 |
Regards, |
| 52 |
Florian Philipp |
Archives