El jue, 07-06-2012 a las 11:32 +0200, Marcus Meissner escribió:
On Wed, Jun 06, 2012 at 09:23:40PM -0400, Andrew Joakimsen wrote:
I am not sure about the intricate details about UEFI but could the bootloader be signed and then that executes an unsigned kernel?
This would kind of defeat the purpose... Then anyone could take this bootloader and boot everything.
It will get the certificate revoked quite fast (although I do not how they do it).
Ciao, Marcus
Marcus has described one of the issues by creating this workaround. Signing with an universal key and creating a bootloader able to boot any operating system disable the secureboot purposes. Secure Boot itself may not be a bad idea just not mature enough to be a Good neighbor for the software industry (there is plenty issues, keys capacity, who is going to manage the keys, how to disable it, etc...) Just in the case UEFI has a way to disable SecureBoot (not in ARM): One of the issues is how many keys is needed by year. If community software is released at least twice a year. Does it mean we need to sign twice? So it means 2 x $99= $100 per year (one key per release). Even worse one key per any customized software image. Just figuring it out. It is speculative. Another approach is one key per distro. There is a lot distros and operating systems. The UEFI+SecureBoot is not able to handle many signed keys. So many distros will not run in the machine concomitantly (Virtualized is not impacted). It makes life very hard to Software Testers and Software Switchers. You would need to install one signed key per distro released to be able to boot it each time) This is a very complex issue with multiple levels and channels affected. This is only the Iceberg tip. Not sure if I want to buy any new computer with those UEFI+SecureBoot implementation looking for another protection layer or taking the risk and going the way we were until no more way is allowed. It's obvious the forces are rising up to reduce options. Regards, -- Ricardo Chung | Panama Linux Ambassador openSUSE Projects -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org