On Thursday, June 07, 2012 10:05:30 AM Larry Finger wrote:
On 06/07/2012 09:54 AM, Patrick Shanahan wrote:
- Ricardo Chung<ricardo.a.chung@gmail.com> [06-07-12 10:34]: ...
Not sure if I want to buy any new computer with those UEFI+SecureBoot implementation looking for another protection layer or taking the risk and going the way we were until no more way is allowed. It's obvious the forces are rising up to reduce options.
And, unfortunately, the security/safety of the hardware system is not probably foremost in the presenter's eyes. It most probably can be *completely* explained as someone saw an opportunity to gain control of something that they could wield to realize financial advantage.
Or it was chosen as a temporary way to harden a particular OS from Redmond that has a fundamentally flawed security model/implementation, *AND*, as an additional benefit, it causes a road block for those pesky Linux folks!
"So, The boot process on EFI without secure boot is EFI firmware | v grub(2) | v kernel With secure boot, it will run something like this Efi firmware (signed and validated by hardware). This holds the MS public keys, and verifies the signature of then next bootloader | v First stage bootloader, Signed by the MS keys. This contains the Distro Keys, and will check the signature of the next stage. | v Grub(2). This is signed by the Distro keys. It checks the signature of the kernel against the Distro keys. | v Kernel If grub2 were loaded directly from firmware, every time grub2 was updated, it would need to be submitted to MS for signing. This would take time, and create hassles. The reason that a first stage bootloader is needed, is that Grub 2 is updated somewhat frequently. By having a small, static first stage loader which contains the Distro keys, this means that it is less frequent that this will need replacing, and more over, does not need resigning by microsoft every time a grub2 update occurs. In theory, the only time the First stage loader would need replacing is when the MS keys expire, when the Distro keys expire, or when an update to this needs to occur. But of course, this would be small and simple, so updates would be infrequent, if ever." [1] Quoted from http://www.linux-archive.org/community-support-fedora-users-users- lists-fedoraproject-org/673028-need-more-info-uefi-secure-boot-fedora.html just distro name switched to make it generic. And this http://www.linux-archive.org/ubuntu-user/579319-uefi-secure- boot-4.html This is the theoretical scenario taking place other mailing lists. We, the other operating system users, are involved anyway to prevent the beginning of facto technological apartheid. No corporate excuses should be able to hijack any hardware architecture or platform to its own benefits. I found this opinion article by Sam Varghese maybe not precise but bothersome revealer inviting to reflect about the what is happening now http://www.itwire.com/opinion-and-analysis/open-sauce/55198-red-hat-deal-wit... microsoft-is-a-bad-idea We need to find a true solution with true resources to keep our community open and free to learn and sharing. Please, this is not a flame war startup and don't even try it! Regards, -- Ricardo Chung | Panama Linux & FOSS Ambassador openSUSE Projects -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org