[opensuse-factory] Secure Boot for openSUSE - a proposal
As a followup to discussions on opensuse-project and here on opensuse-factory about secure boot, here's a proposal: Vojtech Pavlik and Olaf Kirch have written three blog posts explaing SUSE's approach to secure boot: http://www.suse.com/blogs/uefi-secure-boot-overview/ http://www.suse.com/blogs/uefi-secure-boot-plan/ http://www.suse.com/blogs/uefi-secure-boot-details/ They basically propose to enhance Fedora's solution with a way that Matthew Garrett - the Red Hat developer working on this - summarized at http://mjg59.dreamwidth.org/15818.html with "There's a post here describing SUSE's approach to implementing Secure Boot support. In summary, it's pretty similar to the approach we're taking in Fedora - a first stage shim loader is signed with a key in db, it loads a second stage bootloader (grub 2) that's signed with a key that's in shim, the second stage bootloader loads a signed kernel. The main difference between the approaches is the use of a separate key database in shim, whereas we are currently planning on using a built-in key and the contents of the firmware key database. ... "It's a wonderfully elegant solution. We've been planning on supporting user keys by trusting the contents of db, and the Windows 8 requirements specify that it must be possible for a physically present user to add keys to it. The problem there has been that different vendors offer different UI for this, in some cases even requiring that the keys be in different formats. Using an entirely separate database and offering support for enrolment in the early boot phase means that the UI and formats can be kept consistent, which makes it much easier for users to manage their own keys. I suspect that we'll adopt this approach in Fedora as well - it doesn't allow anything that our solution wouldn't have, but it does make some of them easier. Full marks to SUSE on this." What shall we do for openSUSE? Vojtech and Olaf make the proposal to use the proposed SUSE solution for openSUSE as well. Do you see any problems or enhancements for the proposal? I would love to tell them the openSUSE community looks forward to the SUSE implementation for the next release (12.3). May I? Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Le vendredi 10 août 2012 à 12:40 +0200, Andreas Jaeger a écrit :
As a followup to discussions on opensuse-project and here on opensuse-factory about secure boot, here's a proposal:
Vojtech Pavlik and Olaf Kirch have written three blog posts explaing SUSE's approach to secure boot:
http://www.suse.com/blogs/uefi-secure-boot-overview/ http://www.suse.com/blogs/uefi-secure-boot-plan/ http://www.suse.com/blogs/uefi-secure-boot-details/
They basically propose to enhance Fedora's solution with a way that Matthew Garrett - the Red Hat developer working on this - summarized at http://mjg59.dreamwidth.org/15818.html with
"There's a post here describing SUSE's approach to implementing Secure Boot support. In summary, it's pretty similar to the approach we're taking in Fedora - a first stage shim loader is signed with a key in db, it loads a second stage bootloader (grub 2) that's signed with a key that's in shim, the second stage bootloader loads a signed kernel. The main difference between the approaches is the use of a separate key database in shim, whereas we are currently planning on using a built-in key and the contents of the firmware key database. ... "It's a wonderfully elegant solution. We've been planning on supporting user keys by trusting the contents of db, and the Windows 8 requirements specify that it must be possible for a physically present user to add keys to it. The problem there has been that different vendors offer different UI for this, in some cases even requiring that the keys be in different formats. Using an entirely separate database and offering support for enrolment in the early boot phase means that the UI and formats can be kept consistent, which makes it much easier for users to manage their own keys.
I suspect that we'll adopt this approach in Fedora as well - it doesn't allow anything that our solution wouldn't have, but it does make some of them easier. Full marks to SUSE on this."
What shall we do for openSUSE? Vojtech and Olaf make the proposal to use the proposed SUSE solution for openSUSE as well.
Do you see any problems or enhancements for the proposal?
I would love to tell them the openSUSE community looks forward to the SUSE implementation for the next release (12.3). May I?
<community member hat> I'd say we should go ahead for openSUSE. </community member hat> -- Frederic Crozat <fcrozat@suse.com> SUSE -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, Aug 10, 2012 at 12:48:43PM +0200, Frederic Crozat wrote:
Le vendredi 10 août 2012 à 12:40 +0200, Andreas Jaeger a écrit :
I would love to tell them the openSUSE community looks forward to the SUSE implementation for the next release (12.3). May I?
<community member hat> I'd say we should go ahead for openSUSE. </community member hat>
I agree as well, this looks like a very good proposal and solution for the issues involved. greg k-h -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 10 August 2012 11:40, Andreas Jaeger <aj@suse.com> wrote:
As a followup to discussions on opensuse-project and here on opensuse-factory about secure boot, here's a proposal:
Vojtech Pavlik and Olaf Kirch have written three blog posts explaing SUSE's approach to secure boot:
http://www.suse.com/blogs/uefi-secure-boot-overview/ http://www.suse.com/blogs/uefi-secure-boot-plan/ http://www.suse.com/blogs/uefi-secure-boot-details/
They basically propose to enhance Fedora's solution with a way that Matthew Garrett - the Red Hat developer working on this - summarized at http://mjg59.dreamwidth.org/15818.html with
"There's a post here describing SUSE's approach to implementing Secure Boot support. In summary, it's pretty similar to the approach we're taking in Fedora - a first stage shim loader is signed with a key in db, it loads a second stage bootloader (grub 2) that's signed with a key that's in shim, the second stage bootloader loads a signed kernel. The main difference between the approaches is the use of a separate key database in shim, whereas we are currently planning on using a built-in key and the contents of the firmware key database. ... "It's a wonderfully elegant solution. We've been planning on supporting user keys by trusting the contents of db, and the Windows 8 requirements specify that it must be possible for a physically present user to add keys to it. The problem there has been that different vendors offer different UI for this, in some cases even requiring that the keys be in different formats. Using an entirely separate database and offering support for enrolment in the early boot phase means that the UI and formats can be kept consistent, which makes it much easier for users to manage their own keys.
I suspect that we'll adopt this approach in Fedora as well - it doesn't allow anything that our solution wouldn't have, but it does make some of them easier. Full marks to SUSE on this."
What shall we do for openSUSE? Vojtech and Olaf make the proposal to use the proposed SUSE solution for openSUSE as well.
Do you see any problems or enhancements for the proposal?
I would love to tell them the openSUSE community looks forward to the SUSE implementation for the next release (12.3). May I?
Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
I'll be brutally honest, and admit that I don't have a huge amount of knowledge with UEFI and Secure Boot. Saying that though, having read the excellent blog posts that explained things very clearly (great job!), I too would like to see the same approach taken for openSUSE as our enterprise cousin intends. There are a couple of reasons, 1. It makes supporting things much easier and it continues the close relationship between both distros/products. 2. The fact that Red Hat's engineer that created the shim agrees and actually commends SUSE's approach kind of says volumes about the thought and finesse that has gone into the proposal. I have spoken to colleagues that are actually working on UEFI and Secure Boot about the proposal, and as such they are far better placed to pass judgement. They too think that it is a sane approach and actually somewhat clever, whith almost no draw backs. So yes, please can we see the same approach adopted for openSUSE? A decision needs to be made sooner rather than later. Regards, Andy -- Andrew Wafaa IRC: FunkyPenguin GPG: 0x3A36312F -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hi; On 08/10/2012 12:40 PM, Andreas Jaeger wrote:
What shall we do for openSUSE? Vojtech and Olaf make the proposal to use the proposed SUSE solution for openSUSE as well.
Do you see any problems or enhancements for the proposal?
I would love to tell them the openSUSE community looks forward to the SUSE implementation for the next release (12.3). May I?
I say lets go ahead and thanks for leading this effort for openSUSE. Regards. -- Ismail Dönmez - openSUSE Team SUSE LINUX Products GmbH Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, 10 Aug 2012 14:03:21 +0200 Ismail Doenmez <idoenmez@suse.de> wrote:
Hi;
On 08/10/2012 12:40 PM, Andreas Jaeger wrote:
What shall we do for openSUSE? Vojtech and Olaf make the proposal to use the proposed SUSE solution for openSUSE as well.
Do you see any problems or enhancements for the proposal?
I would love to tell them the openSUSE community looks forward to the SUSE implementation for the next release (12.3). May I?
I say lets go ahead and thanks for leading this effort for openSUSE.
Regards.
Sounds all good to me :) My only queries are; 1. Will alternative bootloaders eg gummiboot be implemented? 2. Will efi booting be added to the Live CD's? 3. Can we use openSUSE for the boot/efi/efi instead of SuSE (for a multibooter like me with SLE and openSUSE) -- Cheers Malcolm °¿° (Linux Counter #276890) SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 3.0.34-0.7-default up 12 days 9:28, 2 users, load average: 0.81, 0.53, 0.63 CPU Intel i5 CPU M520@2.40GHz | Intel Arrandale GPU -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, Aug 10, 2012 at 08:01:44AM -0500, Malcolm wrote:
1. Will alternative bootloaders eg gummiboot be implemented?
Personally, I hope so, but it would probably just be an "add-on" as no one wants to support yet-another-bootloader in the system. I've looked into adding gummiboot to the build system, and don't really want to mess with yum-bootloader, which is what has kept me from doing this.
2. Will efi booting be added to the Live CD's?
I sure hope so, with the new kernel support for EFI booting, it is be possible to do this now, it will just take some work with the "make the cd" tools to do so.
3. Can we use openSUSE for the boot/efi/efi instead of SuSE (for a multibooter like me with SLE and openSUSE)
I don't think that SUSE will rely on it, but I don't see why if you run openSUSE it wouldn't work this way. greg k-h -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
2012/8/10 Malcolm <malcolm_lewis@bellsouth.net>:
On Fri, 10 Aug 2012 14:03:21 +0200 Ismail Doenmez <idoenmez@suse.de> wrote:
Hi;
On 08/10/2012 12:40 PM, Andreas Jaeger wrote:
What shall we do for openSUSE? Vojtech and Olaf make the proposal to use the proposed SUSE solution for openSUSE as well.
Do you see any problems or enhancements for the proposal?
I would love to tell them the openSUSE community looks forward to the SUSE implementation for the next release (12.3). May I?
I say lets go ahead and thanks for leading this effort for openSUSE.
Regards.
Sounds all good to me :)
My only queries are;
1. Will alternative bootloaders eg gummiboot be implemented?
This is good idea that someone work on the UEFI multiboot loader manager like gummiboot with the ability to check and verify the key signing using the exported protocol from shim, then it could load and run signed efi images by user's MOK list.. If not by doing that, the gummiboot or any that kind of usage, in secure boot could only load efi images signed with keys trusted by db or KEK. The reminds me that probably grub2's efi chainloader needs a patch for using shim's verify protocol. ;) Thanks, Michael
2. Will efi booting be added to the Live CD's? 3. Can we use openSUSE for the boot/efi/efi instead of SuSE (for a multibooter like me with SLE and openSUSE)
-- Cheers Malcolm °¿° (Linux Counter #276890) SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 3.0.34-0.7-default up 12 days 9:28, 2 users, load average: 0.81, 0.53, 0.63 CPU Intel i5 CPU M520@2.40GHz | Intel Arrandale GPU
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 08/10/2012 12:40 PM, Andreas Jaeger wrote:
[...] Do you see any problems or enhancements for the proposal?
I would love to tell them the openSUSE community looks forward to the SUSE implementation for the next release (12.3). May I?
Based on the feedback on this mailing list as well on opensuse-project, this is a clear "go" for the proposal. Olaf, Vojtech: Happy hacking - we look forward to the code for the next openSUSE releaes! ;) thanks, Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Mon, Aug 13, 2012 at 2:16 AM, Andreas Jaeger <aj@suse.com> wrote:
On 08/10/2012 12:40 PM, Andreas Jaeger wrote:
[...]
Do you see any problems or enhancements for the proposal?
I would love to tell them the openSUSE community looks forward to the SUSE implementation for the next release (12.3). May I?
Based on the feedback on this mailing list as well on opensuse-project, this is a clear "go" for the proposal.
Olaf, Vojtech: Happy hacking - we look forward to the code for the next openSUSE releaes! ;)
thanks,
Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
If I buy a Windows 8 laptop / desktop before May 2013, will I be able to install openSUSE 12.2 on it? If I buy a machine from Dell with Ubuntu on it, will I be able to install openSUSE 12.2 on it? I don't particularly like Dell hardware, but if that's the only way I can get a modern Linux besides VMware Workstation or VirtualBox, that's where I'll end up. This ancient workstation is not long for this world. I'm at the point now where I'm pricing things out. I could just let it die and live with the year-old laptop till openSUSE 12.3, I suppose. ;-) -- Twitter: http://twitter.com/znmeb; Computational Journalism Publishers Workbench: http://j.mp/QCsXOr Data is the new coal - abundant, dirty and difficult to mine. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 08/13/2012 04:29 AM, M. Edward (Ed) Borasky wrote:
If I buy a Windows 8 laptop / desktop before May 2013, will I be able to install openSUSE 12.2 on it? If I buy a machine from Dell with Ubuntu on it, will I be able to install openSUSE 12.2 on it? I don't particularly like Dell hardware, but if that's the only way I can get a modern Linux besides VMware Workstation or VirtualBox, that's where I'll end up.
This ancient workstation is not long for this world. I'm at the point now where I'm pricing things out. I could just let it die and live with the year-old laptop till openSUSE 12.3, I suppose. ;-)
For x86 architecture, the Microsoft standards require that the BIOS can disable the secure boot feature. If you get a computer with Windows 8 and secure boot, then you can always disable and load/boot Linux. Windows 8 might not boot with it disabled, but I consider that a feature, not a problem. :) Larry -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Mon, Aug 13, 2012 at 5:29 AM, M. Edward (Ed) Borasky <znmeb@znmeb.net> wrote:
On Mon, Aug 13, 2012 at 2:16 AM, Andreas Jaeger <aj@suse.com> wrote:
On 08/10/2012 12:40 PM, Andreas Jaeger wrote:
[...]
Do you see any problems or enhancements for the proposal?
I would love to tell them the openSUSE community looks forward to the SUSE implementation for the next release (12.3). May I?
Based on the feedback on this mailing list as well on opensuse-project, this is a clear "go" for the proposal.
Olaf, Vojtech: Happy hacking - we look forward to the code for the next openSUSE releaes! ;)
thanks,
Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
If I buy a Windows 8 laptop / desktop before May 2013, will I be able to install openSUSE 12.2 on it? If I buy a machine from Dell with Ubuntu on it, will I be able to install openSUSE 12.2 on it? I don't particularly like Dell hardware, but if that's the only way I can get a modern Linux besides VMware Workstation or VirtualBox, that's where I'll end up.
This ancient workstation is not long for this world. I'm at the point now where I'm pricing things out. I could just let it die and live with the year-old laptop till openSUSE 12.3, I suppose. ;-)
Ed, I think the only real question is "With a new UEFI capable PC, will I be able to dual boot Windows 8 with openSUSE 12.1 and/or 12.2?" Do we know the answer to that yet? Or do we need to wait for more time to pass to figure that out? Is SUSE / openSUSE going to make any effort to back port the new UEFI compatible solution to 12.1 / 12.2 to support this? Note: Speaking for just me, I can live without that dual boot option. I seriously doubt I jump on the Win 8 bandwagon before 2014 or later. By then I can dual boot with 12.3 or 13.0 or whatever. Thanks Greg -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Mon, Aug 13, 2012 at 06:23:59PM -0400, Greg Freemyer wrote:
On Mon, Aug 13, 2012 at 5:29 AM, M. Edward (Ed) Borasky <znmeb@znmeb.net> wrote:
On Mon, Aug 13, 2012 at 2:16 AM, Andreas Jaeger <aj@suse.com> wrote:
On 08/10/2012 12:40 PM, Andreas Jaeger wrote:
[...]
Do you see any problems or enhancements for the proposal?
I would love to tell them the openSUSE community looks forward to the SUSE implementation for the next release (12.3). May I?
Based on the feedback on this mailing list as well on opensuse-project, this is a clear "go" for the proposal.
Olaf, Vojtech: Happy hacking - we look forward to the code for the next openSUSE releaes! ;)
thanks,
Andreas -- Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
If I buy a Windows 8 laptop / desktop before May 2013, will I be able to install openSUSE 12.2 on it? If I buy a machine from Dell with Ubuntu on it, will I be able to install openSUSE 12.2 on it? I don't particularly like Dell hardware, but if that's the only way I can get a modern Linux besides VMware Workstation or VirtualBox, that's where I'll end up.
This ancient workstation is not long for this world. I'm at the point now where I'm pricing things out. I could just let it die and live with the year-old laptop till openSUSE 12.3, I suppose. ;-)
Ed,
I think the only real question is "With a new UEFI capable PC, will I be able to dual boot Windows 8 with openSUSE 12.1 and/or 12.2?"
Do we know the answer to that yet?
As Windows 8 hasn't shipped yet, and you are talking about a mythical machine that has yet to ship, it's a bit hard to answer that question.
Or do we need to wait for more time to pass to figure that out?
Yes. greg k-h -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (10)
-
Andreas Jaeger -
Andrew Wafaa -
Frederic Crozat -
Greg Freemyer -
Greg KH -
Ismail Doenmez -
Larry Finger -
M. Edward (Ed) Borasky -
Malcolm -
Michael Chang