[opensuse] Re: Re: UEFI
It would appear that on Oct 24, Greg Freemyer did say:
The keys themselves are public, but you as the hardware owner will have to approve keys being added to public key database and therefore ensure you are only adding public keys for entities you trust.
"trust"??? OK if I'm supposed to add keys based on trust, how to subtract Microsoft??? {snicker}
Actually I'm wondering about this:
These public keys are effectively embedded in the kernel code somehow right?
Or would it be possible for a knowledgeable PC owner, to create his own "trust" key set. And then use it to "sign" an existing, older, formerly unsigned kernel. Then as PC Owner, add that key... {You see where I'm going with this right?}
And if so, is there any reason that technique couldn't be used to install and run something like dos? {I have a couple of antique games you see}
-- JtWdyP
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Watch out for weeds below. If you don't want to get into the weeds, stay out of this email.
On Fri, Oct 26, 2012 at 1:06 AM, JtWdyP <jtwdyp@ttlc.net> wrote:
It would appear that on Oct 24, Greg Freemyer did say:
The keys themselves are public, but you as the hardware owner will have to approve keys being added to public key database and therefore ensure you are only adding public keys for entities you trust.
"trust"??? OK if I'm supposed to add keys based on trust, how to subtract Microsoft??? {snicker}
Actually I'm wondering about this:
These public keys are effectively embedded in the kernel code somehow right?
No, the private key is used to sign the kernel. That is sort of like creating a zip file, but using a compression algorithm that is unique to the private key. The matching public key is used to verify the matching private key did the signing. The public key is often very public. There are PGP public key servers where you can get lots of people's public PGP keys. The issue with them is if the public key server says it's my key, how do you really know it's mine and not a bad guy pretending to be me and putting his own public key on the public key server. That's where circles of trust come from. (I know John, and John assures me that it's Tom's public key he gave me.)
Or would it be possible for a knowledgeable PC owner, to create his own "trust" key set.
Yes, anyone can create key pairs typically. What costs money is to get a certified key pair. So if I create my own key pair, I can tell the world I'm Bill Gates, but if I want to get a key pair from Verisign saying I'm Bill Gates, then I have to prove to them I really am Bill Gates before they issue the certified key pair. (My wife used to be an issuer of certified key pairs. She required a passport etc. be FedEx'ed to her before she would do it. Then FedEx back out the key pair and the passport.)
And then use it to "sign" an existing, older, formerly unsigned kernel.
I assume you can do that, but I don't know if DOS will even run a signed kernel. Remember the kernel typically has to be pulled out of the signed container. Don't know how you would do that with 2012 and before operating systems. Thus it may be that openSUSE 12.2 and older will never run with UEFI Secure Boot systems. (We are beyond my knowledge at this point.)
Then as PC Owner, add that key... {You see where I'm going with this right?}
If the SUSE secure boot module is open source (like I assume it is) then I'm sure a version to do what you propose would be easy to make. Then put it on a boot CD and you're set. If there is value, then solutions like this will be easy to find I'm sure.
And if so, is there any reason that technique couldn't be used to install and run something like dos? {I have a couple of antique games you see}
I'm just not sure how that would actually work. You'd be better off I suspect to run those in a VM.
-- JtWdyP
Greg
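The trust decision discussed in the message above (an owner creates a key pair, signs a formerly unsigned image, then approves the public key), as an added example that is not part of the original thread. It is a simplified model: a directory of certificates stands in for the firmware key database, detached OpenSSL signatures stand in for the signatures embedded in real EFI binaries, and all file and key names are constructed.

```shell
#!/bin/sh
# Added example: a model of the owner-managed trust decision, not real firmware.
# A directory of certificates stands in for the firmware key database (db);
# detached signatures stand in for signatures embedded in EFI binaries.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_key NAME: create a self-signed key pair (anyone can do this).
make_key() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1 (constructed)" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# sign_image NAME FILE: sign FILE with NAME's private key.
sign_image() {
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

# enroll NAME: the owner approves NAME's public certificate into db.
enroll() {
    mkdir -p "$WORK/db" && cp "$WORK/$1.crt" "$WORK/db/"
}

# verify_image FILE: succeed only if an enrolled certificate verifies FILE.
verify_image() {
    for crt in "$WORK"/db/*.crt; do
        [ -f "$crt" ] || continue
        openssl x509 -in "$crt" -pubkey -noout > "$WORK/pub.pem" 2>/dev/null
        if openssl dgst -sha256 -verify "$WORK/pub.pem" \
            -signature "$1.sig" "$1" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# Constructed sample standing in for an old, formerly unsigned kernel.
printf 'constructed legacy kernel image\n' > "$WORK/kernel.img"
make_key owner
sign_image owner "$WORK/kernel.img"

verify_image "$WORK/kernel.img" && echo "before enrolment: accepted" \
    || echo "before enrolment: rejected"
enroll owner
verify_image "$WORK/kernel.img" && echo "after enrolment: accepted" \
    || echo "after enrolment: rejected"
```

The signature only becomes meaningful once the owner enrols the matching public certificate; an image signed by a key that was never enrolled, or modified after signing, is still rejected.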
On 2012-10-26 23:01, Greg Freemyer wrote:
I assume you can do that, but I don't know if DOS will even run a signed kernel. Remember the kernel typically has to be pulled out of the signed container. Don't know how you would do that with 2012 and before operating systems.
Thus it may be that openSUSE 12.2 and older will never run with UEFI Secure Boot systems. (We are beyond my knowledge at this point.)
I think, IIRC, that it is not the kernel that is signed, but the loader, ie grub, or even some other loader that loads grub. Or both.
-- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith))
On Fri, Oct 26, 2012 at 5:14 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2012-10-26 23:01, Greg Freemyer wrote:
I assume you can do that, but I don't know if DOS will even run a signed kernel. Remember the kernel typically has to be pulled out of the signed container. Don't know how you would do that with 2012 and before operating systems.
Thus it may be that openSUSE 12.2 and older will never run with UEFI Secure Boot systems. (We are beyond my knowledge at this point.)
I think, IIRC, that it is not the kernel that is signed, but the loader, ie grub, or even some other loader that loads grub. Or both.
Remember, the SUSE team wants to enhance the functionality of secure boot, not bypass it. Just using a signed version of Grub would not provide any security over disabling Secure Boot.
From the blog:
https://www.suse.com/blogs/uefi-secure-boot-plan/
==
At the implementation layer, we intend to use the shim loader originally developed by Fedora – it’s a smart solution which avoids several nasty legal issues, and simplifies the certification/signing step considerably. This shim loader’s job is to load grub2 and verify it; this version of grub2 in turn will load kernels signed by a SUSE key only.
==
That is misleadingly simple, but you get the idea. The more detailed blog post is here: https://www.suse.com/blogs/uefi-secure-boot-details/
Feel free to dive in, but the "goal" is to extend secure boot thru grub2 such that only signed kernels can be booted.
If you don't want that, turn it off. (Will Windows 8 run with Secure Boot disabled? I don't know.)
Greg
It would appear that on Oct 26, Greg Freemyer did say:
Feel free to dive in, but the "goal" is to extend secure boot thru grub2 such that only signed kernels can be booted.
If you don't want that, turn it off. (Will Windows 8 run with Secure Boot disabled? I don't know.)
Yeah, turn it off. That would be *_MY_* plan anyway... But from the moment I first heard of this Secure Boot thing, I've had one concern about the way "turning it off" may be implemented. I suspect that most manufacturers will implement a means for a human to disable it for the current boot cycle. Though I'm not so confident that there will also be a means to save the disabled state for future boots.
In principle I don't find the idea of having to repeat that selection on every boot offensive. However I'm concerned about the logic switch having a narrow window of opportunity, like getting into the bios set-up screen on a bios machine.
I have had a bios machine where that was difficult. I can't remember anymore which key it wanted, but let's say it was "F2". Pressing it before it started listening was pointless. And I didn't have fast enough reflexes to wait for the on screen message about which key and still get it pressed before it was done listening. Nor did it work to just hold the key down. What I wound up doing was to start tapping on it about twice per second within one second after pushing the on button. And continue tapping until I saw either the bios screen or grub's first message. I found that it didn't usually take more than 3 reboots before one of my keytaps would be accepted...
--
| ~^~ ~^~
| <*> <*>
| ^ JtWdyP
| \___/
On Sat, Oct 27, 2012 at 2:44 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
I think, IIRC, that it is not the kernel that is signed, but the loader, ie grub, or even some other loader that loads grub. Or both.
FWIW, I found this @ Linux Foundation. <http://www.linuxfoundation.org/news-media/blogs/browse/2012/10/linux-foundation-uefi-secure-boot-system-open-source>
Still LF is paying MS for a key for use by the rest of us.
-- Arun Khan
On Sun, 28 Oct 2012 21:14:36 +0530 "Arun Khan (অরুণ খান্/अरुण खान)" <knura9@gmail.com> wrote:
Still LF is paying MS for a key for use by the rest of us.
It is mentioned few times in comments on statements like yours that Verisign will be paid, not Microsoft.
-- Regards, Rajko.
On Tue, Oct 30, 2012 at 7:58 AM, Rajko <rmatov101@charter.net> wrote:
On Sun, 28 Oct 2012 21:14:36 +0530 "Arun Khan (অরুণ খান্/अरुण खान)" <knura9@gmail.com> wrote:
Still LF is paying MS for a key for use by the rest of us.
It is mentioned few times in comments on statements like yours that Verisign will be paid, not Microsoft.
OK they have appointed an agent (Verisign) to handle this. Thanks for pointing it out. When I buy a bus ticket, the fare collected by the agent goes to the authority that runs the bus transport system.
-- Arun Khan
On Wed, Oct 31, 2012 at 10:16 AM, "Arun Khan (অরুণ খান্/अरुण खान)" <knura9@gmail.com> wrote:
On Tue, Oct 30, 2012 at 7:58 AM, Rajko <rmatov101@charter.net> wrote:
On Sun, 28 Oct 2012 21:14:36 +0530 "Arun Khan (অরুণ খান্/अरुण खान)" <knura9@gmail.com> wrote:
Still LF is paying MS for a key for use by the rest of us.
It is mentioned few times in comments on statements like yours that Verisign will be paid, not Microsoft.
OK they have appointed an agent (Verisign) to handle this. Thanks for pointing it out.
You might want to check your facts before writing such nonsense. MS is not a certificate authority, and so can not 'appoint an agent' to handle it. At best, MS would be paying Verisign for their services just like LF is. But who knows, or cares, which certificate authority MS is paying (or even if they have established their own, but one which has no market share, which is hardly plausible)?
There are a small number of globally accepted certificate authorities, of which Verisign (owned by Symantec) is the largest. According to Wikipedia, "the market for SSL certificates, a kind of certificate used for website security, is largely held by a small number of multinational companies. This market has significant barriers to entry since new providers must undergo annual security audits (such as WebTrust for Certification Authorities) to be included in the list of web browser trusted authorities. More than 50 root certificates are trusted in the most popular web browser versions. A 2009 market share report from Netcraft as of January of that year determined that VeriSign and its acquisitions (which include Thawte and Geotrust) have a 47.5% share of the certification services provider market, followed by GoDaddy (23.4%), and Comodo (15.44%). A W3Techs survey from May 2012 shows Symantec (which owns VeriSign, Thawte and Geotrust) with 43.3% market share, Comodo with 27.8% and GoDaddy with 14.2%."
Cheers
Ted
On Sun, Oct 28, 2012 at 11:44 AM, "Arun Khan (অরুণ খান্/अरुण खान)" <knura9@gmail.com> wrote:
On Sat, Oct 27, 2012 at 2:44 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
I think, IIRC, that it is not the kernel that is signed, but the loader, ie grub, or even some other loader that loads grub. Or both.
FWIW, I found this @ Linux Foundation.
Still LF is paying MS for a key for use by the rest of us.
Interesting and I'm glad to see it, but it doesn't fundamentally change things for UEFI Secure Boot systems running openSUSE 12.3 and newer. But it does for both non-compliant systems that don't have a way to disable Secure Boot during OS installs and for older distros / operating systems that don't offer any form of Secure Boot support.
As it strongly implies, a pre-boot loader is being created by the Linux Foundation and they are going through the process of getting it signed by an official Microsoft Key. That means all UEFI Secure Boot systems will see this new pre-boot loader as being properly signed. The new pre-boot loader is going to require that a human is at the keyboard before it advances to the boot sequence, so it is not a panacea, especially for servers.
Thus the mechanism to boot non-signed CDs/operating systems etc. becomes:
- Disable Secure Boot in the bios, either one time or permanently
OR
- Boot via the new Linux Foundation pre-boot loader, confirm you are physically present, then continue boot process to non-signed CD/OS/etc.
So if you have a new PC that you want to run old operating systems on, you should be able to install the new Linux Foundation pre-boot loader and then have it boot whatever traditional boot loader you like. The only issue is you have to be physically present whenever you boot the machine to the legacy OS.
Or if you buy a new PC that does not have a way to disable the Secure Boot feature, then you can use this new pre-boot tool to boot an openSUSE install CD as an example and have it in turn install the more formal / comprehensive SUSE Secure Boot solution. That should be a one time occurrence, so having to be physically present should not be an issue.
(It does raise the question in my mind of corporations which use Ghost etc. to rollout images. Not sure how that will be handled. I think I'll go ask on factory.)
Greg
On 29/10/12 02:44, "Arun Khan (অরুণ খান্/अरुण खान)" wrote:
On Sat, Oct 27, 2012 at 2:44 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
I think, IIRC, that it is not the kernel that is signed, but the loader, ie grub, or even some other loader that loads grub. Or both.
FWIW, I found this @ Linux Foundation.
Still LF is paying MS for a key for use by the rest of us.
-- Arun Khan
So, MS once again has got the software industry by the short and curlies and will have it so until the end of time :-( . And nobody is screaming about it.
BC
-- Using openSUSE 12.2 x86_64 KDE 4.10.0 & kernel 3.7.4-1 on a system with- AMD FX 8-core 3.6/4.2GHz processor 16GB PC14900/1866MHz Quad Channel Corsair "Vengeance" RAM Gigabyte AMD3+ m/board; Gigabyte nVidia GTX550Ti 1GB DDR5 GPU