Mailinglist Archive: opensuse-project (271 mails)

Re: [opensuse-project] UEFI situation
  • From: Michael Chang <mchang@xxxxxxxx>
  • Date: Wed, 27 Jun 2012 15:52:39 +0800
  • Message-id: <CAOx4COU5Q_oUu3-WjM_RGMe7=gmg_KCWDTHnBkrJiupbXxQxbw@mail.gmail.com>
2012/6/26 Tim Serong <tserong@xxxxxxxx>:
> On 06/26/2012 08:03 PM, Michael Chang wrote:
>> 2012/6/26 Tim Serong <tserong@xxxxxxxx>:
>
> [snip]
>
> I agree that it would be most straightforward if this were disabled by
> default and those who want it could turn it on.  If most hardware comes
> like that, maybe we can forget about the whole thing :)  But I worry
> about new hardware with Win8 pre-installed and this thing enabled, so,
> my personal opinion is as follows (sorry Per, I still think this is on
> topic, at least to frame some thoughts).
>
> 1) Speaking very generally:
>
> * UEFI secure boot helps security "somehow" (I think this has been
> described well enough elsewhere).
>
> * There will be some people who actually care and/or want it, and some
> who don't care and/or don't want it.
>
> 2) Speaking more specifically:
>
> * On x86 hardware (with the ability to disable secure boot), some people
> will want it turned on, some people will want it turned off, and some
> people won't know what to do with it at all and/or won't know it exists
> until it bites them.
>
> * On Win8 logo ARM hardware, it will always be on, so it doesn't matter
> what anybody wants, we're stuck with it.
>
> 3) Speaking even more specifically, it seems to me that the users we
> (openSUSE) have to care about are:
>
> * x86 hardware, for users who:
>  * know what it is, and want it.

Probably such users have to wait a while, considering they want a key
in firmware to have the full secure boot feature, and enjoy the same
experience on Windows, something may have to be done or happen.

Note some cases are for free download distributions. IMHO they are:

1. The complementary technology on the Linux boot path is implemented,
that is, the bootloader authenticates with the kernel and initrd, and the
kernel authenticates with loaded kernel modules. The entire security
mechanism is disabled when secure boot is disabled. Otherwise it may not
be a real secure "system" solution because the entire boot path is
untrusted after the bootloader finishes (think: Windows has Winqual, which
only loads trusted modules). Matthew's blog has a good explanation of
this topic.

2. The UEFI tools for signing drivers and key management (for example,
manipulating authenticated variables to write the signature database) are
mature and upstreamed. All distributions could leverage them and support
secure boot on their own (and of their own will). Otherwise the system is
still considered locked by those who are able to work with OEMs on
providing the solution, and most free distributions are not supposed to
be able to do that.

3. OEMs welcome keys from free distributions, even if they couldn't
provide any warranty to them, and would like to put effort into
communicating, or even more, testing and verifying that the key could work.

If the above conditions could be satisfied, I think it's time to enroll a
key for openSUSE. :) Or any good timing we could consider as feasible?

>  * don't know what it is, and/or don't want it, and don't know how to
>    turn it off (think: new users, who without secure boot support may
>    not even be able to *try* openSUSE on new win8 hardware).

The currently discussed solution is aiming at such a category of users,
I think; they may even be scared by the warning message that pops up when
disabling secure boot. :)

Thanks,
Michael