Mailinglist Archive: opensuse-project (271 mails)

< Previous Next >
Re: [opensuse-project] Thoughts on the UEFI fee?
  • From: Pascal Bleser <pascal.bleser@xxxxxxxxxxxx>
  • Date: Wed, 6 Jun 2012 20:57:19 +0200
  • Message-id: <20120606185719.GO16816@hera>
On 2012-06-06 11:04:14 (-0500), Bryen M Yunashko <suserocks@xxxxxxxxx> wrote:
On Wed, 2012-06-06 at 16:31 +0200, oldcpu wrote:
Pony up the $99 would be my view also, although that worries me. Can
be
certain this will be a one time $99 fee and not an 'in for a penny,
in
for a pound' type rabbit hole ?

out there, it seems that the $99 wouldn't be a one-time thing, or I'd
say just pay it and let's get on with our lives.

If I'm reading correctly, kernel variations and even customized images
created with SUSEStudio might be affected. Maybe I'm wrong, but if I'm
reading it right, this is a $99 tax on anyone who wants to create custom
images.

That said, if we can't get around it, I guess we have to figure out how
to deal with it head on. That's what we should be discussing here on
the Project ML. How to "react" to this from a political or social
position. But if there's an actual technical solution, then it probably
should be discussed on -Factory ML.

For as far as I've skimmed over the UEFI boot topic, the deal is
to actually have one of the vendors who have their CA
certificate in the PC vendors' trust store to sign images.

It seems to me to be essentially the same as when you want a TLS
certificate for e.g. doing HTTPS: you send a request to a root
CA (Certificate Authority) (such as Verisign, Thawte, ...), pay
a fee, and they send you back your certificate, signed by them.

In the same way as e.g. Verisign's CA certificate (which is used
to verify that _your_ certificate has been signed by their
private key) is included in all the CA certificate bundles (by
Mozilla for Firefox, by Google for Chrome, by Opera for Opera,
for the operating system, ...), Microsoft's CA certificate (or
its technical equivalent in UEFI) is included and, hence,
trusted, by hardware vendors.
I don't know whether there are other CAs that can be asked to
sign our openSUSE release images though.

So, about "one time or not": it is one time for each openSUSE
release image we want to be installable on hardware that uses
UEFI.

For custom images, such as those created by SUSE Studio, it's
toast, indeed.

Haven't checked the details about what is verified by the UEFI
bootstrap though.

(For those who want details about how the signing and CA stuff
works, read up on X.509, PKI and asymmetric cryptographic (such
as RSA or ECC)).

cheers
--
-o) Pascal Bleser
/\\ http://opensuse.org -- we haz green
_\_v http://fosdem.org -- we haz conf
< Previous Next >
This Thread
Follow Ups