Mailinglist Archive: opensuse-project (271 mails)

Re: [opensuse-project] UEFI situation
On 06/26/2012 08:03 PM, Michael Chang wrote:
> 2012/6/26 Tim Serong <tserong@xxxxxxxx>:
>
>> It probably is a PITA, but boot process attacks do exist - see for
>> example
>
> I agree with Matthew, and UEFI secure boot could provide protection at
> preboot. The question is, is it really a need for consumer products?
> Assuming we are all working in the National Defense Department and will
> really appreciate this functionality?
>
> I think it would be fine for all of us if it's a default disabled
> feature, and SUSE could focus on the solution for those who really want
> this feature enabled on products like server or preload machines... The
> MS signing and the first and second stage bootloaders are aiming to get
> the distro to boot up from this default shipped status for the sake of
> better user experience, which is a bit twisted from the real purpose of
> secure boot, IMHO.

I agree that it would be most straightforward if this were disabled by
default and those who want it could turn it on. If most hardware comes
like that, maybe we can forget about the whole thing :) But I worry
about new hardware with Win8 pre-installed and this thing enabled, so,
my personal opinion is as follows (sorry Per, I still think this is on
topic, at least to frame some thoughts).

1) Speaking very generally:

* UEFI secure boot helps security "somehow" (I think this has been
described well enough elsewhere).

* There will be some people who actually care and/or want it, and some
who don't care and/or don't want it.

2) Speaking more specifically:

* On x86 hardware (with the ability to disable secure boot), some people
will want it turned on, some people will want it turned off, and some
people won't know what to do with it at all and/or won't know it exists
until it bites them.

* On Win8 logo ARM hardware, it will always be on, so it doesn't matter
what anybody wants, we're stuck with it.

3) Speaking even more specifically, it seems to me that the users we
(openSUSE) have to care about are:

* x86 hardware, for users who:
  * know what it is, and want it.
  * don't know what it is, and/or don't want it, and don't know how to
    turn it off (think: new users, who without secure boot support may
    not even be able to *try* openSUSE on new win8 hardware).

* ARM hardware, if we support ARM (I'd guess the people working on the
openSUSE ARM port will want this at some point, if secure boot can't be
disabled by the user).

The only users we don't need to worry about are the ones who don't want
it, and who know how to turn it off. That's probably most of the people
participating in this thread :)

Disclaimer: I'm not actually involved in writing any code to support
this thing. Please accept my apologies for that - it's been a long time
since I hacked on anything even remotely resembling a boot loader...

Regards,

Tim
--
Tim Serong
Senior Clustering Engineer
SUSE
tserong@xxxxxxxx