Re: UEFI Secure Boot Specs - And some sanity
Any server manufacturer who chooses to only support MS products is going to find they don't get much business from the academic market.

Such behaviour is even more stupid today as globally PC market is shrinking.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: UEFI Secure Boot Specs - And some sanity
On Fri, Jun 15, 2012 at 12:23 AM, C. P. Ghost wrote:
> Only if they fully follow the spec. This is rather unlikely.
>
> Even today, there are still many broken DMI/SMBIOS
> tables out there that contain barely enough stuff for
> Windows to boot successfully. What makes you think
> UEFI BIOS makers will go all the trouble to implement
> such a complex spec, if all they have to do is to ensure
> compliance with MS requirements?
>
> I wouldn't count on an option or switch to override this
> system.

Any server manufacturer who chooses to only support MS products is going to find they don't get much business from the academic market. So I suspect this may crop up on some desktop machines and laptops, but most servers will probably allow installing whatever OS you like. And the market will probably reject even desktop machines with this problem quickly, just like it quickly forced manufacturers to add a way to turn off Intel's CPU ID feature when it became a privacy concern.
Re: UEFI Secure Boot Specs - And some sanity
Hi Cordula,

Good points you made. The sooner it's blocked the easier to block. *BSD, + *Linux, Solaris etc people could start contacting their local anti monopoly / anti free trade, government departments to give them time to look into the issues. If eg EU commission found it a monopolist conspiracy, & imposed swingeing fines like on Microsoft last time, that could persuade Asian mainboard manufacturers not to monopolise with Microsoft.

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
Reply below not above, cumulative like a play script, & indent with "> ".
Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
Mail from @yahoo dumped @berklix. http://berklix.org/yahoo/
Re: UEFI Secure Boot Specs - And some sanity
On Sat, Jun 9, 2012 at 12:17 AM, grarpamp wrote:
> I did say "effectively". If people would actually read that chapter
> in the spec (minimally 27.5) they would find that they can:
> - Load a new PK without asking if in default SetupMode
> - If not in SetupMode, chainload a new PK provided it is
> signed by the current PK.
> - Clear the PK in a 'secure platform specific method'.

Only if they fully follow the spec. This is rather unlikely.

Even today, there are still many broken DMI/SMBIOS tables out there that contain barely enough stuff for Windows to boot successfully. What makes you think UEFI BIOS makers will go all the trouble to implement such a complex spec, if all they have to do is to ensure compliance with MS requirements?

I wouldn't count on an option or switch to override this system.

Technically, we may very well have to replace the BIOS, or even the BIOS chip itself (that'll be fun if it is physically mounted on the board!), and replace it with a chip flashed with a free BIOS.

And by then, the corps who are responsible for this UEFI mess will have made it illegal to

1. tinker with your own hardware, as it would be DRM circumvention and
2. implement a free UEFI BIOS as it would violate some UEFI patents.

Basically, we may end up in a situation where running FreeBSD on a modified motherboard could be outright illegal. Which is exactly the point, isn't it?

-cpghost.

--
Cordula's Web. http://www.cordula.ws/
Re: UEFI Secure Boot Specs - And some sanity
grarpamp writes:
> Plenty of millionaires
> out there now who are in tune with opensource who could startup,
> buy the same ARM/ATOM/etc chips, the same support chips, load
> Android and sell it to the masses.

Would you please post a list of these millionaire FLOSS entrepreneurs?

Thank you.
Re: UEFI Secure Boot Specs - And some sanity
>> Isn't there a lot of needless handwaving going on when the spec is
>> pretty clear that installing your own complete PKI tree will all
>> boil down to what is effectively a jumper on the motherboard?

> Hoping a jumper Might be under an easily unscrewable panel seems unlikely.

I did say "effectively". If people would actually read that chapter in the spec (minimally 27.5) they would find that they can:
- Load a new PK without asking if in default SetupMode
- If not in SetupMode, chainload a new PK provided it is signed by the current PK.
- Clear the PK in a 'secure platform specific method'.

There's nothing that says PK SetupMode has to be a jumper. Entering the equivalent of good old pre-boot BIOS setup mode would work so long as the OS can't get to it without the request being signed by the current PK. The point of Secure Boot is firmware checked protection against software access... not physical access protection.

The spec speaks liberally of 'platform owner' being able to do whatever they want. More handwaving about EULAs and branding aside, that means US.

I seriously think that people are blowing this topic way out of context, and seeing it everywhere is getting really old. People should instead be working on the facts and writing the various motherboard manufacturers to ask them what their expected PK update model will be, and to educate them if not. And to work at committing it to their OS. And yes, that includes Compal and Quanta and those sorts of OEM laptop/embedded makers.

I'll send $100 to the FreeBSD foundation if those retail board makers I listed don't give the option to install/replace the PK.

Nuff said.

ps: I don't really care what MS does with their own branded products in the embedded/small space. Plenty of millionaires out there now who are in tune with opensource who could startup, buy the same ARM/ATOM/etc chips, the same support chips, load Android and sell it to the masses. Lots of overseas ODMs out there for them to pick from too. Phones, tablets, notebooks, laptops... it's all there. FreeBSD on your phone in 10 years.
Re: UEFI Secure Boot Specs - And some sanity
grarpamp wrote:
> Isn't there a lot of needless handwaving going on when the spec is
> pretty clear that installing your own complete PKI tree will all
> boil down to what is effectively a jumper on the motherboard?

The hope for a jumper is insufficient. Cracking open laptops is no fun. It's not often that they unscrew easily; usually considerable fear of breaking innards or chassis. Hoping a jumper Might be under an easily unscrewable panel seems unlikely.

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
Reply below not above, cumulative like a play script, & indent with "> ".
Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
Mail from @yahoo dumped @berklix. http://berklix.org/yahoo/
Re: UEFI Secure Boot Specs - And some sanity
> > Isn't there a lot of needless handwaving going on when the spec is
> > pretty clear that installing your own complete PKI tree will all
> > boil down to what is effectively a jumper on the motherboard?

No, considering 99.99% of current Windows victims can't even install a fresh copy of Windows.

> > Users could fully utilize the UEFI Secure Boot hardware by say:
> >
> > - Using openssl to generate their keys
> > - Jumper the board, burn it into the BIOS in UEFI SB SetupMode
> > - Have all the MBR, slice, partition, installkernel, etc tools
> > install and manage the signed disk/loader/kernel/module bits
> > - Have the BIOS check sigs on whatever first comes off the media

Yeah that's trivial for 99.99% of users. I have no idea what everyone is on about. I just program my own PROM and make my own motherboards.

Now back to reality, most people don't know how to use openssl. They don't want to break the seal on their PC and void the warranty. They don't want to play with jumpers. They don't know how to use Linux fdisk or BSD disklabel. They can't set up their BIOS. They may not be the typical BSD or Linux poweruser but they represent most users. And sadly even a significant percentage of BSD and even a more significant percentage of Linux users (thank you Ubuntu) aren't capable of doing these things.

> > And if they really were that dumb, there's Gigabyte, Asus, Msi,
> > Supermicro, Biostar, etc who will not be so dumb and will soak up
> > all the remaining sales gravy.

We're going to see if that happens but it won't. The WinTel Mafia controls more than what you think and these vendors know they get many magnitudes more money from selling Windows commodity shitboxes than they ever will from all the BSD and Linux users multiplied together.
Re: UEFI Secure Boot Specs - And some sanity
Thank you for this. I didn't realize that a simple (somewhat technical) question asked in all innocence would generate so much flammage.

Kurt

On Wed, Jun 6, 2012 at 1:13 PM, grarpamp wrote:
> Isn't there a lot of needless handwaving going on when the spec is
> pretty clear that installing your own complete PKI tree will all
> boil down to what is effectively a jumper on the motherboard?
>
>
> First, some sanity...
>
> Users could fully utilize the UEFI Secure Boot hardware by say:
>
> - Using openssl to generate their keys
> - Jumper the board, burn it into the BIOS in UEFI SB SetupMode
> - Have all the MBR, slice, partition, installkernel, etc tools
> install and manage the signed disk/loader/kernel/module bits
> - Have the BIOS check sigs on whatever first comes off the media
>
> I don't see that the user will actually NOT be able to do this on
> anything but 'designed for windows only' ARM systems. Seeing how
> open Android/Linux is firmly in that space, this will just devalue
> the non open windows product.
>
> There have been 25 years of generic mass produced motherboards.
> And 25 years of open source OS commits to utilize them.
> That is not changing anytime soon. Non generic attempts fail.
>
> Even corporate kings Dell and HP know they would be foolish to sell
> motherboards that will not allow their buyers to swap out the PK
> keys... because they know their buyers run more than just windows
> and that they need various security models.
>
> And if they really were that dumb, there's Gigabyte, Asus, Msi,
> Supermicro, Biostar, etc who will not be so dumb and will soak up
> all the remaining sales gravy.
>
> The masses have seen and now want openness, open systems, sharing.
> The old models are but speed bumps on their own way out the door.
>
> Though it seems a non issue to me, if you want to protest, protest
> for 'Setup Mode'. And not here on this list, but to the hardware
> makers.
>
> We should want to use this PKI in our systems. Not disable it. Not
> pay $100 to terminate the PKI chain early. Not pay $100 to lock us
> into unmodifiable releases (aka: BSD corporate version).
>
> I look forward to seeing the UEFI SB PK SetupMode AMD and Intel
> generic motherboard list :)
>
>
> On to facts...
>
> http://www.uefi.org/
> Spec Chapter 27 Secure Boot, SetupMode, PK, Shell, etc
>
> https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
> https://en.wikipedia.org/wiki/Unified_EFI_Forum
> http://ozlabs.org/docs/uefi-secure-boot-impact-on-linux.pdf
> https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot
> http://mjg59.dreamwidth.org/12368.html
> http://mjg59.livejournal.com/
> https://www.tianocore.org/
> http://www.avrfreaks.net/index.php?name=PNphpBB2&file=viewtopic&p=962584
UEFI Secure Boot Specs - And some sanity
Isn't there a lot of needless handwaving going on when the spec is
pretty clear that installing your own complete PKI tree will all
boil down to what is effectively a jumper on the motherboard?


First, some sanity...

Users could fully utilize the UEFI Secure Boot hardware by say:

- Using openssl to generate their keys
- Jumper the board, burn it into the BIOS in UEFI SB SetupMode
- Have all the MBR, slice, partition, installkernel, etc tools
  install and manage the signed disk/loader/kernel/module bits
- Have the BIOS check sigs on whatever first comes off the media

I don't see that the user will actually NOT be able to do this on
anything but 'designed for windows only' ARM systems. Seeing how
open Android/Linux is firmly in that space, this will just devalue
the non open windows product.

There have been 25 years of generic mass produced motherboards.
And 25 years of open source OS commits to utilize them.
That is not changing anytime soon. Non generic attempts fail.

Even corporate kings Dell and HP know they would be foolish to sell
motherboards that will not allow their buyers to swap out the PK
keys... because they know their buyers run more than just windows
and that they need various security models.

And if they really were that dumb, there's Gigabyte, Asus, Msi,
Supermicro, Biostar, etc who will not be so dumb and will soak up
all the remaining sales gravy.

The masses have seen and now want openness, open systems, sharing.
The old models are but speed bumps on their own way out the door.

Though it seems a non issue to me, if you want to protest, protest
for 'Setup Mode'. And not here on this list, but to the hardware
makers.

We should want to use this PKI in our systems. Not disable it. Not
pay $100 to terminate the PKI chain early. Not pay $100 to lock us
into unmodifiable releases (aka: BSD corporate version).

I look forward to seeing the UEFI SB PK SetupMode AMD and Intel
generic motherboard list :)


On to facts...

http://www.uefi.org/
Spec Chapter 27 Secure Boot, SetupMode, PK, Shell, etc

https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
https://en.wikipedia.org/wiki/Unified_EFI_Forum
http://ozlabs.org/docs/uefi-secure-boot-impact-on-linux.pdf
https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot
http://mjg59.dreamwidth.org/12368.html
http://mjg59.livejournal.com/
https://www.tianocore.org/
http://www.avrfreaks.net/index.php?name=PNphpBB2&file=viewtopic&p=962584
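
Added example, not part of any message in this thread and not code from the UEFI spec or FreeBSD: a shell model of the PK update rules listed from spec section 27.5 in the thread, together with the "use openssl to generate keys" step from the original post. It assumes a bare RSA public key stands in for the PK certificate and a temporary directory stands in for firmware NVRAM; the function names and the physical-presence token are hypothetical.

```shell
#!/bin/sh
# Model of the three PK rules quoted from spec section 27.5.
# Assumption: a PK is a bare RSA public key and an update is authorised by a
# detached SHA-256/RSA signature; real firmware uses X.509 certificates
# carried in authenticated variables.
FW=$(mktemp -d)   # hypothetical stand-in for NVRAM; "$FW/PK" is the enrolled PK

gen_key() {       # gen_key NAME -> $FW/NAME.key and $FW/NAME.pub
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$FW/$1.key" 2>/dev/null &&
    openssl pkey -in "$FW/$1.key" -pubout -out "$FW/$1.pub"
}

sign_with() {     # sign_with SIGNER NEW -> $FW/NEW.sig (SIGNER signs NEW.pub)
    openssl dgst -sha256 -sign "$FW/$1.key" -out "$FW/$2.sig" "$FW/$2.pub"
}

mode() {          # no PK enrolled means SetupMode
    if [ -f "$FW/PK" ]; then echo UserMode; else echo SetupMode; fi
}

enroll_pk() {     # enroll_pk NEW_PUB [SIG]; non-zero when the update is refused
    if [ "$(mode)" = UserMode ]; then
        # Outside SetupMode the new PK must be signed by the current PK.
        [ -n "$2" ] || return 1
        openssl dgst -sha256 -verify "$FW/PK" -signature "$2" "$1" \
            >/dev/null 2>&1 || return 1
    fi
    cp "$1" "$FW/PK"
}

clear_pk() {      # stands in for the 'secure platform specific method'
    [ "$1" = physical-presence ] || return 1   # hypothetical: not reachable from the OS
    rm -f "$FW/PK"
}

# Walk-through with freshly generated (constructed) keys.
gen_key owner; gen_key next; gen_key rogue
echo "start: $(mode)"
enroll_pk "$FW/owner.pub" && echo "owner PK enrolled unsigned: $(mode)"
sign_with rogue rogue
enroll_pk "$FW/rogue.pub" "$FW/rogue.sig" || echo "self-signed rogue PK refused"
sign_with owner next
enroll_pk "$FW/next.pub" "$FW/next.sig" && echo "PK signed by current PK accepted"
clear_pk physical-presence && echo "after clear: $(mode)"
```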