On 22/06/21 12:54 am, Steve McIntyre wrote:
[ Apologies, missed this last week... ]
to...@tuxteam.de wrote:
On Mon, Jun 14, 2021 at 09:20:52AM +0300, Andrei POPESCU wrote:
On Vi, 11 iun 21, 15:07:11, Greg Wooledge wrote:
>
> Secure Boot (Microsoft's attempt to stop you from using Linux) relies on
> UEFI booting, and therefore this was one of the driving forces behind it,
> but not the *only* driving force. If your machine doesn't use Secure Boot,
> don't worry about it. It won't affect you.
While I'm not a fan of Microsoft:
https://wiki.debian.org/SecureBoot#What_is_UEFI_Secure_Boot_NOT.3F
Quoting from there:
"Microsoft act as a Certification Authority (CA) for SB, and they will
sign programs on behalf of other trusted organisations so that their
programs will also run."
Now two questions:
- do you know any other alternative CA besides Microsoft who is
capable of effectively doing this? In a way that it'd "work"
with most PC vendors?
I've been in a number of discussions about this over the last few
years, particularly when talking about adding arm64 Secure Boot and
*maybe* finding somebody else to act as CA for that. There's a few
important (but probably not well-understood) aspects of the CA role
here:
* the entity providing the CA needs to be stable (changing things is
expensive and hard)
* they need to be trustworthy - having an existing long-term business
relationship with the OEMs is a major feature here
* they need to be *large* - if there is a major mistake that might
cause a problem on a lot of machines in production, the potential
cost liability (and lawsuits) from OEMs is *huge*
There are not many companies who would fit here. Intel and AMD are
both very interested in enhancing trust and security at this kind of
level, but have competing products and ideas, for example.
Is that something that needs to be done by one company? Perhaps because
of how SecureBoot is implemented?
I'd prefer to be able to add Debian's key either in addition to or
instead of Microsoft's, which could also be happily installed alongside
those of Intel, AMD, your favourite government security agency or
whoever. And Debian can get theirs signed by whichever of those they
might think is appropriate. But I want to be able to reduce that list to
just Debian's, or just the EFF's, or mine. Whatever combination I choose.
I think that should all work ok? Changing things, rather than being
expensive and hard, should just be a matter of either getting a new
organisation to sign Debian's key, and/or having them revoke one. As one
of those on the list.
As an aside, I'd like to see this with web certificates too - I want to
be able to get my cert signed by LetsEncrypt _and_ whatever commercial
CA or CAs I choose, so if one of them does something stupid and needs to
be removed from the list of approved CAs, it doesn't break the internet,
because any significant site will have its certs signed by others as well.
Richard