Mailinglist Archive: opensuse (924 mails)

< Previous Next >
Re: [opensuse] Re: Re: UEFI
  • From: Greg Freemyer <greg.freemyer@xxxxxxxxx>
  • Date: Fri, 26 Oct 2012 17:01:55 -0400
  • Message-id: <CAGpXXZJh8wTaAuEDH6pt5GGVOH=+ypMeC0VUzzH5U4oiKx4G4g@mail.gmail.com>
Watch out for weeds below. If you don't want to get into the weeds,
stay out of this email


On Fri, Oct 26, 2012 at 1:06 AM, JtWdyP <jtwdyp@xxxxxxxx> wrote:

It would appear that on Oct 24, Greg Freemyer did say:

The keys themselves are public, but you as the hardware owner will
have to approve keys being added to public key database and therefore
ensure you are only adding public keys for entities you trust.

"trust"??? OK if I'm supposed to add keys based on trust, how to subtract
Microsoft???
{snicker}

Actually I'm wondering about this:

These public keys are effectively embedded in the kernel code somehow right?

No, the private key is used to sign the kernel. That is sort of like
creating a zip file, but using a compression algorithm that is unique
to the private key. The matching public key is used to verify the
matching private key did the signing.

The public key is often very public. There are PGP public key servers
where you can get lots of people's public PGP keys. The issue with
them is if the public key server says its my key, how do you really
know its mine and not a bad guy pretending to me and putting his own
public key on the public key server.

That's where circles of trust come from. (I know John, and John
assures me that it's Tom's public key he gave me.)

Or would it be possible for knowledgeable PC owner, to create his own "trust"
key set.

Yes, anyone can create key pairs typically. What costs money is to
get a certified key pair. So if I create my own key pair, I can tell
the world I'm Bill Gates, but it I want to get a key pair from
Verisign saying I'm Bill Gates, then I have to prove to them I really
am Bill Gates before they issue the certified key pair.

(My wife used to be a issuer of certified key pairs. She required a
passport etc. be FedEx'ed to her before she would do it. Then FedEx
back out the key pair and the passport.)

And then use it to "sign" an existing, older, formerly unsigned
kernel.

I assume you can do that, but I don't know if DOS will even run a
signed kernel. Remember the kernel typically has to be pulled out of
the signed container. Don't know how you would do that with 2012 and
before operating systems.

Thus it may be that openSUSE 12.2 and older will never run with UEFI
Secure Boot systems. (We are beyond my knowledge at this point.)

Then as PC Owner, add that key... {You see where I'm going with this
right?}

If the SUSE secure boot module is opensource (like I assume it is)
then I'm sure a version to do what you propose would be easy to make.
Then put it on a boot CD and your set.

If there is value, then solutions like this will be easy to find I'm sure.

And if so, is there any reason that technique couldn't be used to
install and run something like dos? {I have a couple of antique games you see}

I'm just not sure how that would actually work. You'd be better off I
suspect to run those in a VM.

--
JtWdyP

Greg
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups