On 02.06.2012 15:00, Michael Mol wrote:
> On Sat, Jun 2, 2012 at 3:43 AM, Florian Philipp <lists@×××××××××××.net> wrote:
>> On 02.06.2012 04:26, William Kenworthy wrote:
>>> http://boingboing.net/2012/05/31/lockdown-freeopen-os-maker-p.html
>>>
>>> and something I had not considered with the whole idea was even bootable
>>> CDs and USB keys for rescue will need the same privileges ...
>
> [snip]
>
>> Okay, enough bashing the article. A technical question: As I
>> understand it, if I want to make a live CD or a distribution, all I'd
>> need to do is to use Fedora's kernel and boot loader? That's not so bad.
>
> Or turn off 'secure boot' in the BIOS configuration menu.
>
> For Windows 8 certification, a device must _default_ to 'secure boot'
> being turned on. You're allowed to turn it off, you just can't have
> programmatic access to turn it off; it has to be done manually.
>

Yes, that was my point (or part of it). The main issue is usability for
the technically not so inclined. For the typical Gentoo user secure boot
is not an issue; it is no more trouble than changing the boot order to boot
from CD-ROM. For mainstream distros like Ubuntu or Fedora, it is an
issue. But they can afford to spend $99 *once* to just get a valid key.

> I expect that'll be available in things like motherboards sold
> directly to end-users. I expect it *won't* be available in whatever
> the current iteration of Compaq/HP/Packard Hell all-in-one devices is;
> manufacturers of those devices will still have keys installed to allow
> debugging and maintenance tools to operate, but their signed tools
> would only be available to their certified technicians.
>

As I understand it, having the chance to deactivate it is now mandatory
for Windows certification, but I could be wrong.

> Does anyone know what crypto hash they're using to sign these things?
> I imagine it won't be too long (3-4 years, tops) before either the
> signing key leaks or collision attacks are figured out.
>

According to [1] it is SHA-256 and RSA-2048. If I understand it
correctly, there are means to blacklist compromised keys. That's why
Fedora cannot simply share their key but they will share their
infrastructure and tools.

[1] http://www.uefi.org/learning_center/UEFI_Plugfest_2011Q4_P5_Insyde.pdf

Regards,
Florian Philipp
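Added example, not part of the thread and not code from the UEFI slides, Fedora or any firmware: a small Python model of the check Florian describes, a boot image signed with RSA-2048 over SHA-256 and a firmware policy that consults a deny-list before the allow-list. The names (SecureBootPolicy, authorize, key_id) and the sample image bytes are constructed for this illustration; key generation and the PKCS#1 v1.5 encoding are written out with the standard library only so the file runs offline, and a real firmware verifies Authenticode-signed PE images against X.509 certificates in db and SHA-256 hashes or certificates in dbx, which this toy does not parse.

```python
import hashlib
import secrets

# DER DigestInfo prefix for SHA-256 used by PKCS#1 v1.5 signatures (RFC 8017, 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=20):
    """Trial division, then Miller-Rabin; fine for a demo, not for production keys."""
    if n < 4:
        return n in (2, 3)
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(cand):
            return cand


def gen_rsa_key(bits=2048):
    """Return (n, e, d) with e = 65537; 2048 is the modulus size the slides name."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


def emsa_pkcs1_v15(image, em_len):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(image): 00 01 FF..FF 00 DigestInfo || hash."""
    t = SHA256_DIGESTINFO + hashlib.sha256(image).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too small for this hash")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign(image, priv):
    n, _, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(image, k), "big"), d, n).to_bytes(k, "big")


def verify(image, sig, pub):
    """Recompute the expected encoding and compare it whole; no lenient padding parse."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, emsa_pkcs1_v15(image, k))


def key_id(pub):
    """Signer fingerprint; stands in for the certificate hash a dbx entry would carry."""
    n, e = pub
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")).hexdigest()


class SecureBootPolicy:
    """db: enrolled signer fingerprints. dbx: revoked image hashes and revoked signers."""

    def __init__(self):
        self.db, self.dbx_hashes, self.dbx_keys = set(), set(), set()

    def authorize(self, image, sig, pub):
        """dbx is consulted before db, so a revocation overrides a still-valid signature."""
        if hashlib.sha256(image).hexdigest() in self.dbx_hashes:
            return "denied: image hash revoked"
        if key_id(pub) in self.dbx_keys:
            return "denied: signer revoked"
        if key_id(pub) not in self.db:
            return "denied: signer not enrolled"
        if not verify(image, sig, pub):
            return "denied: bad signature"
        return "allowed"


def demo():
    """Enrol a signer, boot a signed image, then revoke first the image, then the key."""
    n, e, d = gen_rsa_key()
    pub, priv = (n, e), (n, e, d)
    shim = b"constructed stand-in for a signed boot loader image"  # sample input, not a real PE
    sig = sign(shim, priv)
    policy = SecureBootPolicy()
    results = [policy.authorize(shim, sig, pub)]             # nothing enrolled yet
    policy.db.add(key_id(pub))
    results.append(policy.authorize(shim, sig, pub))         # the happy path
    results.append(policy.authorize(shim + b"!", sig, pub))  # tampered image, same signature
    policy.dbx_hashes.add(hashlib.sha256(shim).hexdigest())  # revoke one known-bad build
    results.append(policy.authorize(shim, sig, pub))
    policy.dbx_hashes.clear()
    policy.dbx_keys.add(key_id(pub))                          # the signing key leaked
    results.append(policy.authorize(shim, sig, pub))
    return results


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The order of checks is the point: a revoked hash or signer is rejected even though the RSA signature still verifies, and revoking a signer kills everything ever signed under that key. That is the practical reason a distribution cannot hand its private key around: one leak from any recipient and the blacklist entry takes the distribution's own boot loaders down with it.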