Re: [Mageia-dev] [council] *ping* Media query: secure boot support
On Tue, Jan 29, 2013 at 08:19:19PM +0200, Thomas Backlund wrote:
> Olav Vitters wrote on 29.1.2013 14:40:
> > In which case I'd just turn secure boot off? Same for all the other examples. Maybe at one point it has to be disabled, but at the moment that is not the case and it provides something useful.
>
> and if the hw vendor has not implemented a way to turn it off...

Then I couldn't even install Mageia?

I doubt Secure Boot would be impossible to turn off, as then you cannot have a designed for Windows 8 sticker on it plus nobody could install an older Windows version.

My only worry is if it would turn off UEFI at the same time or not.

--
Regards,
Olav

Re: [Mageia-dev] [council] *ping* Media query: secure boot support
On Sun, Jan 27, 2013 at 01:43:25PM +0100, Marja van Waes wrote:
> From: Sam Varghese s...@gnubies.com
[..]
> I would like to know what Mageia plans to do about secure boot - when you will have a release that supports booting on hardware on which this feature is enabled.

I'm wondering as well. I've been thinking to upgrade my system somewhere this year. This means secure boot, UEFI, etc. It would be nice if Mageia supports that nicely.

e.g. I see a whole thread about Grub 1.x. But I think it is more important if you can still install Mageia on a new computer.

--
Regards,
Olav

Re: [Mageia-dev] [council] *ping* Media query: secure boot support
Olav Vitters wrote on 29.1.2013 10:43:
> On Sun, Jan 27, 2013 at 01:43:25PM +0100, Marja van Waes wrote:
> > From: Sam Varghese s...@gnubies.com
> [..]
> > I would like to know what Mageia plans to do about secure boot - when you will have a release that supports booting on hardware on which this feature is enabled.
>
> I'm wondering as well. I've been thinking to upgrade my system somewhere this year. This means secure boot, UEFI, etc. It would be nice if Mageia supports that nicely.

Supporting (U)EFI does not require SecureBoot support...

we won't support SecureBoot for Mga3, and there is no rush considering a lot of changes are still happening on several fronts...

I will try to see if I can fix the UEFI part for ~beta3, but no promises yet

And for people thinking of Windows 8 dual boot... Win8 does not _require_ SecureBoot either... (only the overpriced RT does)

And personally, I don't think we should ever bother with the SecureBoot crap as it's flawed in so many ways...

--
Thomas

Re: [Mageia-dev] [council] *ping* Media query: secure boot support
29.01.2013 11:11, Thomas Backlund wrote:
> And for people thinking of Windows 8 dual boot... Win8 does not _require_ SecureBoot either... (only the overpriced RT does)
>
> And personally, I don't think we should ever bother with the SecureBoot crap as it's flawed in so many ways...

Well, the problem with SecureBoot is in the systems that are sold with W8 sticker on them. AFAIK, if manufacturer wants to have windows hardware certification it has to enable secure boot by default. And I'm not sure how many systems allow to disable it or how easy it will be for normal user.

--
Sander

Re: [Mageia-dev] [council] *ping* Media query: secure boot support
'Twas brillig, and Thomas Backlund at 29/01/13 09:11 did gyre and gimble:
> Olav Vitters wrote on 29.1.2013 10:43:
> > On Sun, Jan 27, 2013 at 01:43:25PM +0100, Marja van Waes wrote:
> > > From: Sam Varghese s...@gnubies.com
> > [..]
> > > I would like to know what Mageia plans to do about secure boot - when you will have a release that supports booting on hardware on which this feature is enabled.
> >
> > I'm wondering as well. I've been thinking to upgrade my system somewhere this year. This means secure boot, UEFI, etc. It would be nice if Mageia supports that nicely.
>
> Supporting (U)EFI does not require SecureBoot support...
>
> we won't support SecureBoot for Mga3, and there is no rush considering a lot of changes are still happening on several fronts...
>
> I will try to see if I can fix the UEFI part for ~beta3, but no promises yet
>
> And for people thinking of Windows 8 dual boot... Win8 does not _require_ SecureBoot either... (only the overpriced RT does)
>
> And personally, I don't think we should ever bother with the SecureBoot crap as it's flawed in so many ways...

On a semi-related note, it would be nice to package gummiboot although I have no h/w to test it on.

For mga4 it might make sense to integrate it (assuming it's still a good solution) properly into our tools. Personally, I'm going to avoid grub2. It seems insane to me to implement all kinds of exotic filesystem support and even md stuff in a bootloader...

Col

--
Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/

Re: [Mageia-dev] [council] *ping* Media query: secure boot support
2013/1/29 Sander Lepik sander.le...@eesti.ee:
> 29.01.2013 11:11, Thomas Backlund wrote:
> > And for people thinking of Windows 8 dual boot... Win8 does not _require_ SecureBoot either... (only the overpriced RT does)
> >
> > And personally, I don't think we should ever bother with the SecureBoot crap as it's flawed in so many ways...
>
> Well, the problem with SecureBoot is in the systems that are sold with W8 sticker on them. AFAIK, if manufacturer wants to have windows hardware certification it has to enable secure boot by default. And I'm not sure how many systems allow to disable it or how easy it will be for normal user.

As for now Microsoft requires all W8 certified systems with secure boot to allow secure boot to be switched off by user/sysadmin.

One reason why I do not understand the reason why all these people (Garrett et al.) are stumbling all over themselves to solve a problem which is not even sure to ever come by.

IMHO Mageia is good to send out the signal that Mageia will face that issue when it's due time.

--
wobo

Re: [Mageia-dev] [council] *ping* Media query: secure boot support
On 29/01/2013 10:37, Wolfgang Bornath wrote:
> As for now Microsoft requires all W8 certified systems with secure boot to allow secure boot to be switched off by user/sysadmin.
>
> One reason why I do not understand the reason why all these people (Garrett et al.) are stumbling all over themselves to solve a problem which is not even sure to ever come by.

I guess that's because secure boot may be considered useful, if you're in control of it, of course. And because something working out of the box is probably better when targeting non-experts.

--
BOFH excuse #37:

heavy gravity fluctuation, move computer to floor rapidly

Re: [Mageia-dev] [council] *ping* Media query: secure boot support
On Tue, Jan 29, 2013 at 10:02 AM, Guillaume Rousse guillomovi...@gmail.com wrote:
> On 29/01/2013 10:37, Wolfgang Bornath wrote:
> > As for now Microsoft requires all W8 certified systems with secure boot to allow secure boot to be switched off by user/sysadmin.
> >
> > One reason why I do not understand the reason why all these people (Garrett et al.) are stumbling all over themselves to solve a problem which is not even sure to ever come by.
>
> I guess that's because secure boot may be considered useful, if you're in control of it, of course. And because something working out of the box is probably better when targeting non-experts.

Yes I think the main problem is that for probably 10 years it had become easy for someone non technical to test/install linux, now they would need to change setup in the bios and would probably give up (or be scared).

Re: [Mageia-dev] [council] *ping* Media query: secure boot support
> On Tue, Jan 29, 2013 at 10:02 AM, Guillaume Rousse guillomovi...@gmail.com wrote:
> > On 29/01/2013 10:37, Wolfgang Bornath wrote:
> > > As for now Microsoft requires all W8 certified systems with secure boot to allow secure boot to be switched off by user/sysadmin.
> > >
> > > One reason why I do not understand the reason why all these people (Garrett et al.) are stumbling all over themselves to solve a problem which is not even sure to ever come by.
> >
> > I guess that's because secure boot may be considered useful, if you're in control of it, of course. And because something working out of the box is probably better when targeting non-experts.
>
> Yes I think the main problem is that for probably 10 years it had become easy for someone non technical to test/install linux, now they would need to change setup in the bios and would probably give up (or be scared).

not 100% sure, but some time ago, i remember someone looking into this with motherboard/PC manufacturers and it seemed like most manufacturers weren't even planning on having secure boot / let alone enable it by default.

I suspect that most PC manufacturers are putting the win8 sticker on it regardless of it using secure boot. and i think that most win8 preinstalled PCs won't even be able to use secure boot.

in other words... is this REALLY gonna be an issue? (except for ARM platforms)?

i'm not 100% sure on this, but i'm not really that worried atm...

Re: [Mageia-dev] [council] *ping* Media query: secure boot support
On Tue, Jan 29, 2013 at 11:11:55AM +0200, Thomas Backlund wrote:
> Olav Vitters wrote on 29.1.2013 10:43:
> > On Sun, Jan 27, 2013 at 01:43:25PM +0100, Marja van Waes wrote:
> > > From: Sam Varghese s...@gnubies.com
> > [..]
> > > I would like to know what Mageia plans to do about secure boot - when you will have a release that supports booting on hardware on which this feature is enabled.
> >
> > I'm wondering as well. I've been thinking to upgrade my system somewhere this year. This means secure boot, UEFI, etc. It would be nice if Mageia supports that nicely.
>
> Supporting (U)EFI does not require SecureBoot support...

Technically no, but I am not sure what options there will be on the motherboard. I've been trying to read up on it, but though you should be able to only disable SecureBoot, it seems it sometimes also disables more.

My current motherboard is from Gigabyte. Probably will buy from this company again as I don't have any issues with it. PSU wise it is another story though :P (but don't think I need to replace the PSU)

> And personally, I don't think we should ever bother with the SecureBoot crap as it's flawed in so many ways...

I quite like SecureBoot. This way you can avoid attacks on the boot sector.

--
Regards,
Olav

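Added example, not part of any message in this thread and not Mageia code: the messages above turn on whether a machine is running UEFI with Secure Boot off, or has fallen back to legacy BIOS/CSM boot. This sketch tells those states apart on Linux by reading the `SecureBoot` and `SetupMode` variables from efivarfs; the state labels and the `make_fake_sysfs` helper (which builds a constructed sysfs tree for offline testing) are assumptions of the example.

```python
import os
import tempfile

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification; SecureBoot and
# SetupMode both live in this namespace.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_efivar(efivars_dir, name):
    """Return the data bytes of a global EFI variable, or None if unreadable.

    An efivarfs file is a 4-byte little-endian attribute mask followed by
    the variable's data.
    """
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError:
        return None
    return raw[4:] if len(raw) >= 5 else None


def boot_state(sysfs_root="/sys"):
    """Classify how the running system was booted."""
    efi_dir = os.path.join(sysfs_root, "firmware", "efi")
    if not os.path.isdir(efi_dir):
        # No EFI interface exposed: legacy BIOS/CSM boot (or EFI runtime off).
        return "legacy-bios"
    efivars = os.path.join(efi_dir, "efivars")
    secure = read_efivar(efivars, "SecureBoot")
    setup = read_efivar(efivars, "SetupMode")
    if secure is None:
        return "uefi-secureboot-unknown"
    if secure[0] == 1:
        return "uefi-secureboot-on"
    if setup is not None and setup[0] == 1:
        # No Platform Key enrolled, so the firmware enforces nothing.
        return "uefi-setup-mode"
    return "uefi-secureboot-off"


def make_fake_sysfs(secure_boot=None, setup_mode=None, efi=True):
    """Build a constructed sysfs tree in a temp dir (sample data, not real)."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    if efi:
        efivars = os.path.join(root, "firmware", "efi", "efivars")
        os.makedirs(efivars)
        for name, value in (("SecureBoot", secure_boot), ("SetupMode", setup_mode)):
            if value is not None:
                # 0x00000006 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS
                data = (6).to_bytes(4, "little") + bytes([value])
                with open(os.path.join(efivars, f"{name}-{EFI_GLOBAL}"), "wb") as fh:
                    fh.write(data)
    return root


if __name__ == "__main__":
    print(boot_state())
```
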
Re: [Mageia-dev] [council] *ping* Media query: secure boot support
Olav Vitters wrote on 29.1.2013 13:12:
> On Tue, Jan 29, 2013 at 11:11:55AM +0200, Thomas Backlund wrote:
> > And personally, I don't think we should ever bother with the SecureBoot crap as it's flawed in so many ways...
>
> I quite like SecureBoot. This way you can avoid attacks on the boot sector.

Yeah, and when MS screws up with one of the master keys (or some hw vendor) think about the dual-booters

Microsoft pushes revocation key through windowsupdate, and you suddenly find out your linux won't boot anymore, because the signature that is supposed to validate your boot has been revoked...

Or a local dos: just add a single byte to the end of some of the signed files/images and the signature checks fail, ending up with non-bootable system

you don't even need to exploit it further

Or MS alters license rules around key signing, so when your key expires, guess what...

and ms won't be in a hurry to fix it

look at the time it has taken so far for linux foundation to try and get proper signature key

or...

There are so many fun ways to screw up this security illusion, that it should be buried forgotten already...

this secure boot pushed by ms is also in reality a ms-restricted boot...

--
Thomas

Re: [Mageia-dev] [council] *ping* Media query: secure boot support
Colin Guthrie wrote on 29.1.2013 11:30:
> 'Twas brillig, and Thomas Backlund at 29/01/13 09:11 did gyre and gimble:
> > Olav Vitters wrote on 29.1.2013 10:43:
> > > On Sun, Jan 27, 2013 at 01:43:25PM +0100, Marja van Waes wrote:
> > > > From: Sam Varghese s...@gnubies.com
> > > [..]
> > > > I would like to know what Mageia plans to do about secure boot - when you will have a release that supports booting on hardware on which this feature is enabled.
> > >
> > > I'm wondering as well. I've been thinking to upgrade my system somewhere this year. This means secure boot, UEFI, etc. It would be nice if Mageia supports that nicely.
> >
> > Supporting (U)EFI does not require SecureBoot support...
> >
> > we won't support SecureBoot for Mga3, and there is no rush considering a lot of changes are still happening on several fronts...
> >
> > I will try to see if I can fix the UEFI part for ~beta3, but no promises yet
> >
> > And for people thinking of Windows 8 dual boot... Win8 does not _require_ SecureBoot either... (only the overpriced RT does)
> >
> > And personally, I don't think we should ever bother with the SecureBoot crap as it's flawed in so many ways...
>
> On a semi-related note, it would be nice to package gummiboot although I have no h/w to test it on.

Yep, that is one of the things I'm looking at...

> For mga4 it might make sense to integrate it (assuming it's still a good solution) properly into our tools. Personally, I'm going to avoid grub2. It seems insane to me to implement all kinds of exotic filesystem support and even md stuff in a bootloader...

Well, I think for next 3.8 kernel build I think I will make ahci, ext4 and btrfs builtin so you can boot without initrd on new hw, and if you install the kernel in correct place on the efi partition, you can boot the kernel directly without bootloader...

:)

--
Thomas

Re: [Mageia-dev] [council] *ping* Media query: secure boot support
'Twas brillig, and Thomas Backlund at 29/01/13 11:50 did gyre and gimble:
> Colin Guthrie wrote on 29.1.2013 11:30:
> > 'Twas brillig, and Thomas Backlund at 29/01/13 09:11 did gyre and gimble:
> > > Olav Vitters wrote on 29.1.2013 10:43:
> > > > On Sun, Jan 27, 2013 at 01:43:25PM +0100, Marja van Waes wrote:
> > > > > From: Sam Varghese s...@gnubies.com
> > > > [..]
> > > > > I would like to know what Mageia plans to do about secure boot - when you will have a release that supports booting on hardware on which this feature is enabled.
> > > >
> > > > I'm wondering as well. I've been thinking to upgrade my system somewhere this year. This means secure boot, UEFI, etc. It would be nice if Mageia supports that nicely.
> > >
> > > Supporting (U)EFI does not require SecureBoot support...
> > >
> > > we won't support SecureBoot for Mga3, and there is no rush considering a lot of changes are still happening on several fronts...
> > >
> > > I will try to see if I can fix the UEFI part for ~beta3, but no promises yet
> > >
> > > And for people thinking of Windows 8 dual boot... Win8 does not _require_ SecureBoot either... (only the overpriced RT does)
> > >
> > > And personally, I don't think we should ever bother with the SecureBoot crap as it's flawed in so many ways...
> >
> > On a semi-related note, it would be nice to package gummiboot although I have no h/w to test it on.
>
> Yep, that is one of the things I'm looking at...

Cool :)

> > For mga4 it might make sense to integrate it (assuming it's still a good solution) properly into our tools. Personally, I'm going to avoid grub2. It seems insane to me to implement all kinds of exotic filesystem support and even md stuff in a bootloader...
>
> Well, I think for next 3.8 kernel build I think I will make ahci, ext4 and btrfs builtin so you can boot without initrd on new hw, and if you install the kernel in correct place on the efi partition, you can boot the kernel directly without bootloader...
>
> :)

Yup, with newer systemds (not yet in mga - think it's probably best to wait for mga4, but I could backport those bits if there is sufficient interest), if you have an EFI partition and you have an empty /boot folder with no other /boot mounts defined, it'll automatically mount the efi partition there.

This is where I think our tools would need updating to realise this was the case and use the correct vendor subdir for kernel (and optional initrd) installation.

Will likely take a bit of fiddling to get right, hence why I think this is really an mga4 thing for the most part.

Col

--
Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/

Re: [Mageia-dev] [council] *ping* Media query: secure boot support
On Tue, Jan 29, 2013 at 01:38:56PM +0200, Thomas Backlund wrote:
> Olav Vitters wrote on 29.1.2013 13:12:
> > On Tue, Jan 29, 2013 at 11:11:55AM +0200, Thomas Backlund wrote:
> > > And personally, I don't think we should ever bother with the SecureBoot crap as it's flawed in so many ways...
> >
> > I quite like SecureBoot. This way you can avoid attacks on the boot sector.
>
> Yeah, and when MS screws up with one of the master keys (or some hw vendor) think about the dual-booters
>
> Microsoft pushes revocation key through windowsupdate, and you suddenly find out your linux won't boot anymore, because the signature that is supposed to validate your boot has been revoked...

In which case I'd just turn secure boot off? Same for all the other examples. Maybe at one point it has to be disabled, but at the moment that is not the case and it provides something useful.

--
Regards,
Olav

Re: [Mageia-dev] [council] *ping* Media query: secure boot support
Olav Vitters wrote on 29.1.2013 14:40:
> On Tue, Jan 29, 2013 at 01:38:56PM +0200, Thomas Backlund wrote:
> > Olav Vitters wrote on 29.1.2013 13:12:
> > > On Tue, Jan 29, 2013 at 11:11:55AM +0200, Thomas Backlund wrote:
> > > > And personally, I don't think we should ever bother with the SecureBoot crap as it's flawed in so many ways...
> > >
> > > I quite like SecureBoot. This way you can avoid attacks on the boot sector.
> >
> > Yeah, and when MS screws up with one of the master keys (or some hw vendor) think about the dual-booters
> >
> > Microsoft pushes revocation key through windowsupdate, and you suddenly find out your linux won't boot anymore, because the signature that is supposed to validate your boot has been revoked...
>
> In which case I'd just turn secure boot off? Same for all the other examples. Maybe at one point it has to be disabled, but at the moment that is not the case and it provides something useful.

and if the hw vendor has not implemented a way to turn it off...

--
Thomas

Re: [Mageia-dev] [council] *ping* Media query: secure boot support
On 29/01/2013 19:19, Thomas Backlund wrote:
> and if the hw vendor has not implemented a way to turn it off...

I experienced a Gateway system with a BIOS on which Windows 7 Pro refuses to activate. Then what? Customers were angry, they released a BIOS update that allows activation of any version.

I think market goes the easy way. If people want to install Open Source, market will follow.

Re: [Mageia-dev] [council] *ping* Media query: secure boot support
Maybe our developers can answer your question?

On 27/01/13 13:31, Trish Fraser wrote:
> Ping?
>
> Begin forwarded message:
>
> Date: Sat, 26 Jan 2013 18:48:37 +1100
> From: Trish Fraser tr...@thefrasers.org
> To: council coun...@ml.mageia.org
> Subject: [council] Fw: Media query: secure boot support
>
> Hi all,
>
> Do we have a position on secure boot? NB: Sam has been known to write very scathing articles, so I'd like to respond to him asap.
>
> Cheers,
>
> Begin forwarded message:
>
> Date: Sat, 26 Jan 2013 17:24:26 +1100
> From: Sam Varghese s...@gnubies.com
> To: pr...@mageia.org
> Subject: Media query: secure boot support
>
> G'day
>
> I am writing to you on behalf of iTWire, an Australian technology news website.
>
> I would like to know what Mageia plans to do about secure boot - when you will have a release that supports booting on hardware on which this feature is enabled.
>
> A word in response would be appreciated.
>
> Thanks,
> Sam
> -
> (Sam Varghese)
> FOSS editor
> iTWire
> http://www.itwire.com
> Phone: 0404 489 353
> International: +61 404 489 353
> My personal blog: http://wildcard.gnubies.com