On 30/10/11 15:19, alan c wrote:
> Secure Boot Problems for Linux Users Are Here Already
> http://bit.ly/uwX2eB
> ....... “My friend recently got an HP s5-1110 with Win 7 installed.
> UEFI has prevented the installation of GRUB on this machine. I could
> find no way in the BIOS to disable the feature and so far, as I work
> my way up the HP tech support ladder, I have found no HP techs who
> have a clue what I’m talking about.”.......

Time has passed.
The problem has now matured, and Fedora have accepted defeat and decided to pay to be allowed to use Microsoft restricted hardware.

Implementing UEFI Secure Boot in Fedora Linux
http://j.mp/KZykUS

--
alan cocks

--
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.ubuntu.com/UKTeam/

On 1 June 2012 08:02, alan c <[hidden email]> wrote:
> Time has passed.
> The problem has now matured, and Fedora have accepted defeat and decided to
> pay to be allowed to use Microsoft restricted hardware.
>
> Implementing UEFI Secure Boot in Fedora Linux
> http://j.mp/KZykUS

According to an update to that article, the money actually goes to verisign, and anyone can get a signing key from them for $99. So actually (without having looked into it any further) this looks like quite a reasonable solution to securing system booting in general.

Anyone have any further insight?

--
Matt Wheeler
[hidden email]

On 01/06/12 13:58, Matt Wheeler wrote:
> On 1 June 2012 08:02, alan c<[hidden email]> wrote:
>> Time has passed.
>> The problem has now matured, and Fedora have accepted defeat and decided to
>> pay to be allowed to use Microsoft restricted hardware.
>>
>> Implementing UEFI Secure Boot in Fedora Linux
>> http://j.mp/KZykUS
>
> According to an update to that article, the money actually goes to
> verisign, and anyone can get a signing key from them for $99. So
> actually (without having looked into it any further) this looks like
> quite a reasonable solution to securing system booting in general.
>
> Anyone have any further insight?

Only that Microsoft are the gatekeeper, and can change the rules whenever their brass neck allows them to, as they have just done. Rather clever, I think. Never trust the smile on a crocodile. Or its love of open source.

On a day to day basis, if a machine has a mainboard which has a secure boot 'off' switch, then that is what I will use, because I do not want nor need Microsoft stuff. But if someone wants what we used to know as 'dual boot', then they will need to run day by day on the mainboard which is set FOR secure boot (for Windows 8), so the GNU/Linux OS will need to be suitably signed in that situation.

For Ubuntu, WUBI comes to mind although I am aware that there are occasionally enough problems with some grub updates that I stopped recommending wubi a long time ago except for very short term trials.

--
alan cocks

In reply to this post by alan c-2
Hi All
If anybody can get a key from Verisign for $99 that makes a mockery of having secure boot in the first place.

We can take it as read that there are long term plans by Microsoft to tighten up the secure boot spec in the future in their favour.

To my mind, this first pass is just to establish the principle and getting all OEMs to adopt the spec. Making keys readily available will help MS to respond to legal challenges from non-tech savvy legislators.

I suspect that the secure boot technology will be hacked pretty quickly enabling we enthusiasts to stay up and running. Having to apply a hack as a fundamental part of Linux installation will not exactly help with promoting wider adoption, though.

Regards

Nige

In reply to this post by alan c-2
----- Original message -----
> On 01/06/12 13:58, Matt Wheeler wrote:
> > On 1 June 2012 08:02, alan c<[hidden email]> wrote:
> > > Time has passed.
> > > The problem has now matured, and Fedora have accepted defeat and
> > > decided to pay to be allowed to use Microsoft restricted hardware.
> > >
> > > Implementing UEFI Secure Boot in Fedora Linux
> > > http://j.mp/KZykUS
> >
> > According to an update to that article, the money actually goes to
> > verisign, and anyone can get a signing key from them for $99. So
> > actually (without having looked into it any further) this looks like
> > quite a reasonable solution to securing system booting in general.
> >
> > Anyone have any further insight?
>
> Only that Microsoft are the gatekeeper, and can change the rules
> whenever their brass neck allows them to, as they have just done.
> Rather clever, I think. Never trust the smile on a crocodile. Or its
> love of open source.
>
> On a day to day basis, if a machine has a mainboard which has a secure
> boot 'off' switch, then that is what I will use, because I do not want
> nor need Microsoft stuff. But if someone wants what we used to know
> as 'dual boot', then they will need to run day by day on the mainboard
> which is set FOR secure boot (for Windows 8), so the GNU/Linux OS will
> need to be suitably signed in that situation.
>
> For Ubuntu, WUBI comes to mind although I am aware that there are
> occasionally enough problems with some grub updates that I stopped
> recommending wubi a long time ago except for very short term trials.
>
> --
> alan cocks
>
>

I'm getting a bit confused now.

Everybody seems Does the fedora payment of $99 to verisign mean that the computer that could or could not have windows preinstalled will allow to install fedora and windows but not fedora derivatives?

Would fedora users then have the ability to easily turn it off?

The ideal bit could be that fedora users could also avoid windows users on the grounds that it's a probable source of malware?

Could linux foundation do the same for the servers? because they can be "cracked" in a similar way?

On 02/06/12 14:26, Andres Muniz wrote:
> I'm getting a bit confused now.

http://mjg59.dreamwidth.org/12368.html

> Everybody seems Does the fedora payment of $99 to verisign mean that
> the computer that could or could not have windows preinstalled will
> allow to install fedora and windows but not fedora derivatives?

derivatives would be able to pay their own $99 (one off payment per distro it would appear) they might have to prove they will use it responsibly or something, I don't know. Alternatively other distros could instruct users to turn off secure boot.

> Would fedora users then have the ability to easily turn it off?

turn what off?

> The ideal bit could be that fedora users could also avoid windows
> users on the grounds that it's a probable source of malware?

avoiding windows users is an interesting strategy, not sure that would be easy to implement.

> Could linux foundation do the same for the servers? because they can be
> "cracked" in a similar way?

servers generally won't get the secure boot thing. Odd really because it kind of makes more sense to me in that context.

--
Libertus Solutions
http://libertus.co.uk

On 02/06/12 15:56, Alan Bell wrote:
> > Could linux foundation do the same for the servers? because they can be
> > "cracked" in a similar way?
>
> servers generally won't get the secure boot thing. Odd really because
> it kind of makes more sense to me in that context.

Probably because the biggest market for servers is corporate customers who have their own IT department and who would very quickly go see another supplier if they had to fiddle with settings in order to install the operating system of their choice on their systems. For a typical large corporate that regularly installs dozens of servers, any change in installation procedure means:

  * Re-train the whole of IT,
  * Change all training and documentation material,
  * Update the process of how business units get servers commissioned,
  * Find a way to phase in the new process while phasing out the old one,
  * Getting confirmation from suppliers of what exact models will have UEFI so that they can have clear guidance: if model A, then do process 1 else do process 2,
  * Factor in additional costs and delays for the inevitable cock-ups that will happen.

It's an interesting game that Microsoft are playing and I'm wondering whether their primary motivation is to lock competition out or to force the last refuseniks off XP and onto a more recent version of Windows.

From an OEM perspective, what could happen is that you would see UEFI on consumer ranges first, where customers tend to just go with what's pre-installed, and then slowly see it appear on business ranges, where customers tend to wipe the pre-installed OS and replace it with their in-house image.

The fact that this logic is completely at odds with the security benefits of UEFI secure booting only makes sense if you see it from an accounting point of view: secure boot is a technical tool to mitigate the risk of a server getting compromised. This is modelled as a risk with associated cost (cost of rebuilding a compromised server, checking if it's the only compromised one, potential reputation costs, etc). Most companies already mitigate that risk using firewalls, intrusion detection systems, etc. Mitigation is not perfect so there is a residual risk with associated cost. UEFI secure boot is then an opportunity to reduce this residual cost through additional mitigation. If the cost saving that results from migrating the estate to UEFI secure boot is lower than the cost of actually doing it, companies will just stay put with what they have, accept the risk and pay the price whenever the risk is realised.

So the fact that servers won't get the secure boot option is simply a sign that nobody has yet managed to demonstrate that the cost of introducing secure boot in a corporate environment was lower than the potential cost of the risk it mitigates.

Cheers,

Bruno

On Sun, 2012-06-03 at 12:39 +0100, Bruno Girin wrote:
> On 02/06/12 15:56, Alan Bell wrote:
> any change in installation procedure means:
>       * Re-train the whole of IT,
>       * Change all training and documentation material,
>       * Update the process of how business units get servers
>         commissioned,
>       * Find a way to phase in the new process while phasing out the
>         old one,
>       * Getting confirmation from suppliers of what exact models will
>         have UEFI so that they can have clear guidance: if model A,
>         then do process 1 else do process 2,
>       * Factor in additional costs and delays for the inevitable
>         cock-ups that will happen.
> Cheers,
>
> Bruno
>

You missed one important step in the process of change....
The time spent by IT peeps running around like headless chickens going "oh no, not again!"

--
Regards, Bill B.
[SuperEngineer]
------------------------------
-Registered Linux User 523667-
-Registered Ubuntu User 32366-
-----Free as in Freedom------

In reply to this post by Bruno Girin-2
----- Original message -----
> On 02/06/12 15:56, Alan Bell wrote:
> > > Could linux foundation do the same for the servers? because they can
> > > be "cracked" in a similar way?
> > >
> >
> > servers generally won't get the secure boot thing. Odd really because
> > it kind of makes more sense to me in that context.
> >
>
> Probably because the biggest market for servers is corporate customers
> who have their own IT department and who would very quickly go see
> another supplier if they had to fiddle with settings in order to install
> the operating system of their choice on their systems. For a typical
> large corporate that regularly installs dozens of servers, any change in
> installation procedure means:
>
>   * Re-train the whole of IT,
>   * Change all training and documentation material,
>   * Update the process of how business units get servers commissioned,
>   * Find a way to phase in the new process while phasing out the old one,
>   * Getting confirmation from suppliers of what exact models will have
>     UEFI so that they can have clear guidance: if model A, then do
>     process 1 else do process 2,
>   * Factor in additional costs and delays for the inevitable cock-ups
>     that will happen.
>
>
> It's an interesting game that Microsoft are playing and I'm wondering
> whether their primary motivation is to lock competition out or to force
> the last refuseniks off XP and onto a more recent version of Windows.
>
> From an OEM perspective, what could happen is that you would see UEFI on
> consumer ranges first, where customers tend to just go with what's
> pre-installed, and then slowly see it appear on business ranges, where
> customers tend to wipe the pre-installed OS and replace it with their
> in-house image.
>
> The fact that this logic is completely at odds with the security
> benefits of UEFI secure booting only makes sense if you see it from an
> accounting point of view: secure boot is a technical tool to mitigate
> the risk of a server getting compromised. This is modelled as a risk
> with associated cost (cost of rebuilding a compromised server, checking
> if it's the only compromised one, potential reputation costs, etc). Most
> companies already mitigate that risk using firewalls, intrusion
> detection systems, etc. Mitigation is not perfect so there is a residual
> risk with associated cost. UEFI secure boot is then an opportunity to
> reduce this residual cost through additional mitigation. If the cost
> saving that results from migrating the estate to UEFI secure boot is
> lower than the cost of actually doing it, companies will just stay put
> with what they have, accept the risk and pay the price whenever the risk
> is realised.
>
> So the fact that servers won't get the secure boot option is simply a
> sign that nobody has yet managed to demonstrate that the cost of
> introducing secure boot in a corporate environment was lower than the
> potential cost of the risk it mitigates.
>
> Cheers,
>
> Bruno
>

thanks for the info guys! Got more than I need! I was a bit concerned that some servers were using arm as well. But clearly it will not be a problem.

On 03/06/12 19:03, Andres Muniz wrote:
> thanks for the info guys! Got more than I need! I was a bit concerned
> that some servers were using arm as well. But clearly it will not be
> a problem.

Well, until proved otherwise :-)

Bruno

On 03/06/2012 23:00, Bruno Girin wrote:
> On 03/06/12 19:03, Andres Muniz wrote:
>> thanks for the info guys! Got more than I need! I was a bit concerned
>> that some servers were using arm as well. But clearly it will not be
>> a problem.
>
> Well, until proved otherwise :-)
>
> Bruno

So what is the future of Ubuntu now that Microsoft are doing this.....it doesn't look too good......

On 05/06/12 08:17, scoundrel50a wrote:
> So what is the future of Ubuntu now that Microsoft are doing
> this.....it doesnt look too good......
>

I'm sure we have the best minds on it :)

Cheers,
--
Alan Pope
Engineering Manager
Canonical - Product Strategy
+44 (0) 7973 620 164
[hidden email]
http://ubuntu.com/

In reply to this post by scoundrel50agmail
On 05/06/12 08:17, scoundrel50a wrote:
> On 03/06/2012 23:00, Bruno Girin wrote:
>> On 03/06/12 19:03, Andres Muniz wrote:
>>>
>>> thanks for the info guys! Got more than I need! I was a bit concerned
>>> that some servers were using arm as well. But clearly it will not be
>>> a problem.
>>>
>>
>> Well, until proved otherwise :-)
>>
>> Bruno
>>
>
> So what is the future of Ubuntu now that Microsoft are doing this.....it
> doesn't look too good......

"Keep calm, and carry on"

--
alan cocks

In reply to this post by Nigel Verity
On 02/06/12 14:06, Nigel Verity wrote:
> Hi All
>
> If anybody can get a key from Verisign for $99 that makes a mockery of
> having secure boot in the first place.

no, that isn't how it works at all. It is possible for some people to get a binary signed by Microsoft by paying $99 which goes to verisign. You don't get the key and it isn't clear who can do it and what binaries will get signed.

> We can take it as read that there are long term plans by Microsoft to
> tighten up the secure boot spec in the future in their favour.

yup, on ARM. Devices running Windows 8 on ARM will be pre-bricked at the factory.

> To my mind, this first pass is just to establish the principle and
> getting all OEMs to adopt the spec. Making keys readily available will
> help MS to respond to legal challenges from non-tech savvy legislators.

Possibly. I would imagine they are expecting and preparing for antitrust action. As a slightly pedantic point, legislators don't tend to make legal challenges.

> I suspect that the secure boot technology will be hacked pretty
> quickly enabling we enthusiasts to stay up and running. Having to
> apply a hack as a fundamental part of Linux installation will not
> exactly help with promoting wider adoption, though.

disabling it on Intel isn't a hack, it would be a checkbox option in the place you currently call the BIOS. ARM would require a hack.

> Regards
>
> Nige

--
Libertus Solutions
http://libertus.co.uk

On 08/06/12 14:21, Alan Bell wrote:
> On 02/06/12 14:06, Nigel Verity wrote:
>> Hi All
>>
>> If anybody can get a key from Verisign for $99 that makes a
>> mockery of having secure boot in the first place.
> no, that isn't how it works at all. It is possible for some people
> to get a binary signed by Microsoft by paying $99 which goes to
> verisign. You don't get the key and it isn't clear who can do it
> and what binaries will get signed.
>
>> We can take it as read that there are long term plans by
>> Microsoft to tighten up the secure boot spec in the future in
>> their favour.
> yup, on ARM. Devices running Windows 8 on ARM will be pre-bricked
> at the factory.
>>
>> To my mind, this first pass is just to establish the principle
>> and getting all OEMs to adopt the spec. Making keys readily
>> available will help MS to respond to legal challenges from
>> non-tech savvy legislators.
>>
> Possibly. I would imagine they are expecting and preparing for
> antitrust action. As a slightly pedantic point, legislators don't
> tend to make legal challenges.
>> I suspect that the secure boot technology will be hacked pretty
>> quickly enabling we enthusiasts to stay up and running. Having
>> to apply a hack as a fundamental part of Linux installation will
>> not exactly help with promoting wider adoption, though.
>>
> disabling it on Intel isn't a hack, it would be a checkbox option
> in the place you currently call the BIOS. ARM would require a
> hack.
>> Regards

But only devices Running Windows, those running android linux etc by default would have the switch disabled which to my mind means that Microsoft will basically try and undercut everyone and then you are stuck with a device that can only ever have Windows on it. However I can see Microsoft actually losing out here, they are already the minority share in the phone market, they are worse off still in the tablet market and with the release of ICS and the Latest iOS offering will be further behind again.

--
You make it, I'll break it!
I love my job :)
http://www.ubuntu.com
http://www.canonical.com

On 08/06/12 14:41, Dave Morley wrote:
> But only devices Running Windows, those running android linux etc by
> default would have the switch disabled

they might do, or might have a Googley Android key. Come to that, there could be ARM devices with a Canonical key that can only ever run signed Ubuntu binaries. ARM could have lots of devices where the software and hardware are inseparable (bit like all the other embedded devices where the software is all on ROM, so not a massive change for the sector).

Alan.

--
I work at http://libertus.co.uk
