Mailinglist Archive: opensuse (924 mails)

[opensuse] Re: UEFI
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


It would appear that on Oct 23, Greg Freemyer did say:

> On Tue, Oct 23, 2012 at 11:05 AM, Mark Hounschell
> <markh-n2QNKt385d+sTnJN9+BGXg@xxxxxxxxxxxxxxxx> wrote:
>
>> Does this mean we won't be able to run any kernels other than opensuse
>> kernels?
>
> Quick answer (that I expect most kernel hackers to use):
>
> The spec calls for x86 PCs to have a bios option to disable UEFI Secure Boot.
>
> With that disabled, you can do what you please.

I do hope that's what happens. But when I googled the secure boot topic about
a week ago I got the distinct impression that: while the spec allows for that
on x86 PCs, I read something that indicated the spec fell short of actually
requiring that the manufacturer actually include the means to do so...

The supposed risk was that the manufacturer might be able to build it slightly
cheaper if they don't. And that some of them might not see the marketing
advantage of playing nice to multi-booters.

And it occurs to me that they might rather that more Linux users start needing to
buy their own *_new_* PC rather than being able to reuse some Windows user's
old PC {when it's time for win 8 users to upgrade to the next version}

So I got to ask, just how sure are you about that {disable secure boot} option
being implemented by ALL manufacturers???

And even if it is, what are the odds that it would require well timed user
intervention {similar to pressing some Fkey at the right point in the boot
process to enter a bios config utility} each and every time the user wants to
boot something that isn't signed by an accepted key??

> Long answer (which assumes Secure Boot is enabled):
>
> This is linux. The SUSE team is doing its very best to make sure you
> are still in control. Fortunately, they are also contributing their
> solution to openSUSE.
>
> Hopefully you know about private and public keys. Private keys are
> used to sign, public keys to authenticate. (You will not have access
> to the openSUSE private key, so you won't be able to sign kernels with
> it.)

Yeah, just barely well enough to use gpg to sign or encrypt something...
But how this relates to signing kernels is beyond my understanding.

> opensuse is developing an open/extensible solution that will leverage
> their private key by installing their public key into a Secure Boot
> key database.
>
> If you have a true need to sign your own kernels, then I assume you
> can get a copy of the extensible Secure Boot module that openSUSE is
> developing and use it to install your own public key to the secure
> boot key database. Then you will need to sign your kernels with your
> private key.

I expect that a true kernel hacker would be up to that. But what about those
of us who just like the choice of being able to choose to boot one of the
other small distro's now and then?? I'm not ready for a new PC yet anyway. But
when I am, I would greatly appreciate it if OpenSuSE's solution would allow me
to use OpenSuSE's grub menu to also boot other Linux. including those that
haven't the resources to have their own secure boot solution. {Without
requiring that I have hacker grade skill levels.}

Speaking of other Linux though: Even assuming that I only wanted to multi-boot
major distros that have secure boot strategies in place, will it be possible
to have one secure boot loader chainload another with a different secure boot
strategy?? (I heard that Ubuntu {for example} isn't even going to use grub2 on
UEFI systems due to anticipated legal problems with the GPLv3 license)

My preference has for a long time been to keep one manually updated version of
grub on a separate grub partition installed to the MBR, and to let each one of
several installed Linux install their own automatically managed boot loaders
to their own "root" partitions. That way I can easily use my own pet names for
the menu choices of the entries I manually update {such as "kid's Linux" for
the one with *_only_* rated G wallpapers installed} AND also have generic
chainloader entries to use whenever I didn't find the time to update it after
a kernel change... I was hoping that I could simply let OpenSuSE install its
bootloader to whatever passes for the MBR on an UEFI system. And then learn
how to use the stuff in /etc/grub.d to get customized menuentry to be listed
before the automatically generated ones... But I doubt it will be that easy.

#############################################################
##_if_you'd_prefer_an_clearsigned_".asc"_text_file_of_this_##
##message_as_an_mime_encoded_attachment,just_ask_me_while__##
##it's_STILL_IN_my_outbox_folder_._._._=+=+=+=+=+=+=+=+;-)_##
#gpg sig for: Joe (theWordy) Philbrook DSA key ID 0x6C2163DE#
# You can find my public gpg key at http://pgpkeys.mit.edu/ #
#############################################################
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEARECAAYFAlCIB2sACgkQRZ/61mwhY95z6gCfT9RB28CA8II1ZCCLFV1ERwyj
S1wAoLxtBVWmC0X/Xek5UYpHyVfasgZy
=C9Vx
-----END PGP SIGNATURE-----

--
| ~^~ ~^~
| <?> <?> Joe (theWordy) Philbrook
| ^ J(tWdy)P
| \___/ <<jtwdyp@xxxxxxxx>>
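
Added example, not part of the original message or of openSUSE's code: a toy model of the key database described in the quoted long answer, showing that a kernel boots only if its signature verifies against a public key already enrolled, and that enrolling your own public key is what lets your own signed kernel boot. It uses textbook RSA with small constructed keys in place of the real firmware signature format; all function and variable names are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Return (public modulus, private exponent) for primes p and q."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))

def digest(image, n):
    """SHA-256 of the image, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, n, d):
    """Signing needs the private exponent d; returns (signer public key, signature)."""
    return n, pow(digest(image, n), d, n)

def firmware_allows(image, signature, key_db, secure_boot=True):
    """Boot decision: verification needs only the public keys in key_db."""
    if not secure_boot:
        return True              # Secure Boot disabled: anything boots
    if signature is None:
        return False             # unsigned image
    n, sig = signature
    return n in key_db and pow(sig, E, n) == digest(image, n)

# Constructed toy keys built from Mersenne primes (far too small for real use).
DISTRO_PUB, DISTRO_PRIV = make_key(2**89 - 1, 2**107 - 1)
MY_PUB, MY_PRIV = make_key(2**61 - 1, 2**127 - 1)

key_db = {DISTRO_PUB}            # only the distribution's public key is enrolled
distro_kernel = b"constructed distro kernel image"
my_kernel = b"constructed self-built kernel image"
distro_sig = sign(distro_kernel, DISTRO_PUB, DISTRO_PRIV)
my_sig = sign(my_kernel, MY_PUB, MY_PRIV)

def demo():
    """Self-signed kernel: before enrolment, after enrolment, after tampering."""
    before = firmware_allows(my_kernel, my_sig, key_db)
    enrolled = key_db | {MY_PUB}  # the user adds their own public key
    after = firmware_allows(my_kernel, my_sig, enrolled)
    tampered = firmware_allows(my_kernel + b"!", my_sig, enrolled)
    return before, after, tampered

if __name__ == "__main__":
    print(demo())
```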