> The involvement of Microsoft makes this initiative highly suspect, and
> I wish the Linux Foundation had told them to get lost.  Ever since its
> foundation, Microsoft has used every underhanded trick in the book to
> sabotage open source projects (just remember Bill Gates' open letter
> on the subject decades ago).

Recall that OpenSSL is used to implement the "Secure Boot" feature in UEFI firmware. Any modern system that has a Windows 8 logo on it has OpenSSL in its firmware, unless the firmware vendor or OEM replaced OpenSSL with another crypto lib. So MSFT does have a dependence on OpenSSL working, else Windows can no longer Securely Boot. :-)

And Microsoft and the Linux Foundation work together on getting the Linux EFI Shim signed so Linux can boot on these Windows PCs. :-( Granted, commercial SUSE/RHAT/Ubuntu servers can get Secure Boot to work w/o MSFT certs, but those are expensive enterprise boxes, not consumer devices like this. :-(

The TianoCore.org project maintains a patch of OpenSSL (0.9x, not 1.x).
https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt

BTW, it's a shame that OpenSSL doesn't integrate that patch, and have some UEFI-targeting compiler directive to integrate it.

There's also an old bug/feature in OpenSSL, related to UEFI use of intermediate CAs, which UEFI is waiting for OpenSSL to deal with. It is a shame that this has been unresolved for years.

http://sourceforge.net/p/edk2/mailman/message/29329799/
http://marc.info/?l=openssl-users&m=128943213002702

OpenSSL's use in nearly all modern systems' firmware seems like a mainstream enough usage that they should take the EFI patch, and maybe help with the intermediate CA feature/bug.

I hope the new structure/governance in the post-Heartbleed era will also take into account OpenSSL's widespread use in modern firmware, not just OS and app usage.

Thanks,
Lee
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
