Re: [SCIENTIFIC-LINUX-USERS] Installing on a new laptop
On Sat, Mar 2, 2013 at 11:09 PM, jdow j...@earthlink.net wrote:
On 2013/03/02 15:18, Tom H wrote:
On Fri, Mar 1, 2013 at 11:15 PM, jdow j...@earthlink.net wrote:
On 2013/03/01 09:26, Tom H wrote:
On Thu, Feb 28, 2013 at 7:08 PM, jdow j...@earthlink.net wrote:
On 2013/02/28 11:56, Tom H wrote:
On Thu, Feb 28, 2013 at 2:38 PM, Robert Blair r...@anl.gov wrote:
On 02/28/2013 01:35 PM, Tom H wrote:

I wouldn't be surprised if SB became un-disable-able in the next few years. We'd then have to use an MS-signed shim to boot, as is now the case with the default Fedora and Ubuntu SB setups.

Maybe I've missed something here. If a generic MS signed shim is available what value does this add? Wouldn't such a shim make booting anything alternative possible?

I'm sorry. It's not as generic as I made it look. AIUI, the shim is a basic stage 1 (or maybe stage 0.5) bootloader whose signature's validated against an MS key in the computer's ROM. Grub and the kernel (and its modules in Fedora's case but not in Ubuntu's) are then validated against a Fedora key in the shim.

Which is the end of compiling your own code.

You mean compiling your own kernel without spending a one-time fee of USD 99.

A difference which makes no practical difference is no difference at all.

Of course there's a difference. It's grub and the kernel and its modules that you can't compile without signing.

You missed the point, Tom. To a retired person a $100 bill is a serious amount of eating that has to be traded off with it. If that cannot be afforded without sacrifice then it might as well not exist as an option. That is the difference that makes no practical difference.

The Microsoft extension to the issue is essentially the locked cellphone situation under which I could not code up any new assistive technology for myself and use it. It becomes me paying to have Microsoft own my device. And I'd have to pay them to use my own work on a machine I have every right to regard as my own machine.

If Linux is going to systematically support that kind of a model in any way, I'm outahere.

You're outahere to where?! As long as you can turn off SB, you're OK using whatever you want to use. If we get to a point where we can't turn off SB on x86, you'll have to use a non-x86, non-ARM processor.

I didn't consider the USD 99 because I didn't think it relevant. Compiling your own SB-compatible kernel's a luxury. Your computer isn't non-functional without doing so.

Anyway, I found out today that my SB knowledge's out of date. The shim now supports MOKs (Machine Owner Keys) and is distributed with a MokManager program. So you can generate keys with openssl, sign your EFI binaries with them, and enroll your MOK certificate with MokManager.
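The MOK procedure described at the end of the message above (generate a key with openssl, sign the EFI binary, enroll the certificate), as an added shell example that is not part of the original thread. `sbsign`/`sbverify` (sbsigntools) and `mokutil` are tools chosen here, since the post names only openssl and MokManager; the file names, key directory and certificate CN are assumptions.

```sh
#!/bin/sh
# Added example: enroll a Machine Owner Key (MOK) and sign an EFI binary with it.
# File names (MOK.key/.crt/.der), the key directory and the CN are assumptions.

# Print enabled/disabled/unknown from the UEFI SecureBoot variable. An efivarfs
# file is 4 attribute bytes followed by the data; for SecureBoot, data byte 1 = on.
sb_state() {
    var=${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}
    [ -r "$var" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$var" 2>/dev/null | tr -d ' \n')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Generate a self-signed signing certificate and key. The key is written
# unencrypted (-nodes), so the directory is owner-only; never overwrite a key
# that may already be enrolled.
make_mok() {
    dir=$1; cn=$2
    [ -e "$dir/MOK.key" ] && { echo "refusing to overwrite $dir/MOK.key" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    ( umask 077
      openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
          -subj "/CN=$cn" -keyout "$dir/MOK.key" -out "$dir/MOK.crt" 2>/dev/null
    ) || return 1
    # The enrollment step takes the DER encoding of the certificate.
    openssl x509 -in "$dir/MOK.crt" -outform DER -out "$dir/MOK.der"
}

# Sign an EFI binary (kernel, grub) and verify the result against the same cert.
sign_efi() {
    sbsign --key "$1/MOK.key" --cert "$1/MOK.crt" --output "$3" "$2" &&
        sbverify --cert "$1/MOK.crt" "$3"
}

# Queue the certificate for enrollment. mokutil asks for a one-time password;
# MokManager asks for it again on the next boot before adding the key.
queue_enroll() {
    mokutil --import "$1/MOK.der"
}

# Usage: sh mok.sh KEYDIR INPUT.efi OUTPUT.efi
if [ "$#" -eq 3 ]; then
    echo "Secure Boot: $(sb_state)"
    make_mok "$1" "Local MOK" && sign_efi "$1" "$2" "$3" && queue_enroll "$1"
fi
```

Anyone who can read `MOK.key` can sign binaries the machine will boot, so the key belongs on offline or removable storage once signing is done.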
Re: [SCIENTIFIC-LINUX-USERS] Installing on a new laptop
On 03/02/2013 08:09 PM, jdow wrote:
On 2013/03/02 15:18, Tom H wrote:
On Fri, Mar 1, 2013 at 11:15 PM, jdow j...@earthlink.net wrote:
On 2013/03/01 09:26, Tom H wrote:
On Thu, Feb 28, 2013 at 7:08 PM, jdow j...@earthlink.net wrote:
On 2013/02/28 11:56, Tom H wrote:
On Thu, Feb 28, 2013 at 2:38 PM, Robert Blair r...@anl.gov wrote:
On 02/28/2013 01:35 PM, Tom H wrote:

I wouldn't be surprised if SB became un-disable-able in the next few years. We'd then have to use an MS-signed shim to boot, as is now the case with the default Fedora and Ubuntu SB setups.

Maybe I've missed something here. If a generic MS signed shim is available what value does this add? Wouldn't such a shim make booting anything alternative possible?

I'm sorry. It's not as generic as I made it look. AIUI, the shim is a basic stage 1 (or maybe stage 0.5) bootloader whose signature's validated against an MS key in the computer's ROM. Grub and the kernel (and its modules in Fedora's case but not in Ubuntu's) are then validated against a Fedora key in the shim.

Which is the end of compiling your own code.

You mean compiling your own kernel without spending a one-time fee of USD 99.

A difference which makes no practical difference is no difference at all.

Of course there's a difference. It's grub and the kernel and its modules that you can't compile without signing.

You missed the point, Tom. To a retired person a $100 bill is a serious amount of eating that has to be traded off with it. If that cannot be afforded without sacrifice then it might as well not exist as an option. That is the difference that makes no practical difference.

The Microsoft extension to the issue is essentially the locked cellphone situation under which I could not code up any new assistive technology for myself and use it. It becomes me paying to have Microsoft own my device. And I'd have to pay them to use my own work on a machine I have every right to regard as my own machine.

If Linux is going to systematically support that kind of a model in any way, I'm outahere.

{^_^}

Linux or any open systems approach is not the issue. Microsoft is a monopoly and has been able to impose this upon the hardware vendors or it will not allow the vendors to offer MS Win 8. Unfortunately, the market will not be able to effect any change within any reasonable time interval unless Microsoft removes this restrictive covenant -- which is not likely as Microsoft has imposed this approach for maintaining the monopoly. The only choice, libertarianism aside, is for governments to intervene, just as MS Win had to be offered to consumers with a different footprint in the EU compared to the USA (both had found Microsoft to be a monopoly, but the USA put no effective remedy into place).

Note that the imposed change has little if any effect upon security -- but might prevent unlicensed (pirated) copies of MS Win 8 from booting. I presume that the PRC internally will break this imposition -- but I doubt that such PRC machines will either be common or desirable (except within the PRC where solution will be imposed).
Re: Installing on a new laptop
On 03/02/2013 03:34 AM, Konstantin Olchanski wrote:

...GNU Hurd (vaporware).

Not vaporware. But the two consumer-end distros based on it are still in Alpha. Of course one of them (Arch) is perpetually in Alpha and the other (Debian) is perpetually frozen in its release schedule, so I don't know that this is really any different than their Linux variants...

http://www.archhurd.org/
http://www.debian.org/ports/hurd/

Arch Hurd has a liveCD out for x86, I don't think Debian is that far along yet.

This won't change the world, in any case, because it doesn't affect how the masses access their email, media or games.
Re: Installing on a new laptop
On 02/27/2013 04:20 AM, Paul Robert Marino wrote:

I have an X120e as well and simply changing the hard drive doesn't fix the UEFI issue. The first answer to this string is correct with two caveats. RedHat got two signed certs, one for RHEL and the other for Fedora. Apparently the process was a nightmare but they will work with secure boot. For that reason I run Fedora as my primary OS on my laptop and if I have to do any Scientific Linux testing I run it in a VM (and yes an AMD fusion chip can run a single VM surprisingly well).

We supply our customers with Linux and dual-boot systems, and recently have run headlong into the UEFI madness.

Any new consumer-grade x86 system will have an escape key on boot that gets you into setup the same way old BIOS-based boards did (this can be tricky with keyboardless tablets -- sometimes a USB keyboard can work, sometimes it's just plain random like pressing a volume button or something).

The weird part with UEFI is that the key is hidden, non-standard between makers -- even different between board models, never announced on the boot screen, has an amazingly short activation window (usually 1 second), and (so far in our experience) never mentioned in any vendor documentation other than (occasionally) Toshiba laptop manuals. We've resorted to playing F-key piano within when testing new models. Silly, but it often works.

Within the UEFI setup there will be an option for enabling UEFI or CRM and changing the boot source order. CRM indicates a BIOS-style boot and works with anything BIOS booting did. UEFI is, of course, UEFI, and requires a key. There is supposedly a way to insert your own key into the UEFI registry so that you can sign your own bootloaders, but I've seen zero evidence of this myself.

It's almost like someone is trying to kill off the smaller OS and hardware vendors and make corporate IT into an Old Boys' club again -- but such a sweeping conspiracy would have raised an outcry somewhere...?

There is a silver lining. The board makers themselves are out to sell boards and laptops and tablets and can be reasoned with. My company is an extremely small player in the hardware field but we've had positive response from vendors when inquiring about having our own keys included on boards alongside Microsoft's when doing bulk orders. We haven't had to go that route yet so I'm unsure how much of a pain that would actually be to manage (doesn't appear much more difficult than managing repository keys though, for example), but this leaves the door open for even tiny computing companies and larger IT departments to arrange for their own secure boot keys to be pre-installed by the board manufacturers and not violate Microsoft's requirements, even on ARM. That said, since we don't do showroom marketing anyway neither we nor our suppliers have a need to put little Windows8 Ready stickers on anything they ship to us anyway.

From a security perspective it is important to note that physical access to a system still equates to compromise and UEFI can't do anything to prevent that. It is also interesting to note that as we've thought through security compromise based on the boot cycle, leaving the Windows key alongside our key leaves a door open for someone to write malware that is based on a valid version of Windows that runs the real system in a VM anyway, and there isn't a clean way out of that.

Blah blah blah. My point is that there is a possibility for OS suppliers/providers to provide their own UEFI keys because board makers are willing to play ball (so far). This does require, however, that at the smaller level OS and hardware vendors have to merge or coordinate somewhat in practice -- but as we've found over the last few years, when you do the software you start wanting to do the hardware, too, so it works out.

The downside is that unless you're already established or have the investment backing required to maintain an entire OS yourself it will be pretty much impossible to start a non-Windows computing company from here on out.

If we sensed much demand for consumer-end (as in, personal, not business) systems running $distro then we'd probably jump on the chance to run our own UEFI-based program -- but we're troubled by the idea that doing so would lock buyers of our hardware into $distro (or at least our bootloader, depending on how things were set up) the same way MS has done, and that isn't really something we see as a competitive advantage in a market niche loaded with hordes of people who want to/need to try out different things on their own.

Tricky.

-z
Re: Installing on a new laptop
On Tue, Feb 26, 2013 at 11:46:11AM -0600, Connie Sieh wrote:

If an i386/x86_64 laptop is certified for the Windows 8 logo then it has to have secure boot enabled in the bios(uefi) by default as required by Microsoft. Secure boot requires a 'signed by microsoft' program to boot. But the bios(uefi) is REQUIRED to have a method to turn off the secure boot option and thus not require a microsoft signed os.

Is all this still theoretical?

I have not seen any recent laptops, but on recent desktop mobos (from ASUS), indeed, in the BIOS setup, I see the button to enable secure boot. This button is off by default, Linux boots just fine.

So is there an issue bigger than having to go into the BIOS setup to turn off secure boot?

In other news, when people ask me which Linux laptop to buy?, I tell them to buy a Mac. For all practical purposes MacOS acts as a funny Linux, the main difference being that all the hardware and software actually does work as advertised. (That does cost you a few extra $$$, of course).

--
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
Re: Installing on a new laptop
Until I can afford it, it's theoretical. Hoping to hear in a week if I got a major real job, then it'll not only move from theoretical--it'll move to NECESSARY.

On Wed, Feb 27, 2013 at 6:14 PM, Konstantin Olchanski olcha...@triumf.ca wrote:
On Tue, Feb 26, 2013 at 11:46:11AM -0600, Connie Sieh wrote:

If an i386/x86_64 laptop is certified for the Windows 8 logo then it has to have secure boot enabled in the bios(uefi) by default as required by Microsoft. Secure boot requires a 'signed by microsoft' program to boot. But the bios(uefi) is REQUIRED to have a method to turn off the secure boot option and thus not require a microsoft signed os.

Is all this still theoretical?

I have not seen any recent laptops, but on recent desktop mobos (from ASUS), indeed, in the BIOS setup, I see the button to enable secure boot. This button is off by default, Linux boots just fine.

So is there an issue bigger than having to go into the BIOS setup to turn off secure boot?

In other news, when people ask me which Linux laptop to buy?, I tell them to buy a Mac. For all practical purposes MacOS acts as a funny Linux, the main difference being that all the hardware and software actually does work as advertised. (That does cost you a few extra $$$, of course).

--
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
Re: Installing on a new laptop
I have an X120e as well and simply changing the hard drive doesn't fix the UEFI issue. The first answer to this string is correct with two caveats. RedHat got two signed certs, one for RHEL and the other for Fedora. Apparently the process was a nightmare but they will work with secure boot. For that reason I run Fedora as my primary OS on my laptop and if I have to do any Scientific Linux testing I run it in a VM (and yes an AMD fusion chip can run a single VM surprisingly well).

On Tue, Feb 26, 2013 at 2:04 PM, Ken Teh t...@anl.gov wrote:

I never boot a new laptop into Windows. I replace the original hard drive with a new one and install Linux on it. This way I can put the original disk back in and never void my warranty. You can then even sell it in its original state. Of course, this works only if you don't plan to use Windows. I use a $500 Lenovo X120e netbook.

On 02/26/2013 11:26 AM, Scott_Gates wrote:

OK, If I needed a desktop, I'd just roll my own. Probably starting with something bare-bones from TigerDirect.

I'm thinking of buying a new laptop, rather than just recycling old ones, like I have been. I have HEARD there are issues with trying to install on computers with Windows8 already installed--the only source I have of CHEAP laptops. Basically a Wal-mart or Best-buy boxes that I can get in the $250-$400 range.

Does anybody have experience with this? Yeah, I know I'll be Voiding the Warranty--but, I need a laptop for real work--not socializing or net flicking. You know what I mean.
Re: Installing on a new laptop
On Tue, 26 Feb 2013, Yasha Karant wrote:

My understanding is that if the machine is licensed for MS Windows, then the release and version for which it is so licensed can legally be run under VirtualBox (or the equivalent): Linux as the host OS, VirtualBox, and then a fresh install from media of the licensed MS Windows. I do however, in most cases, remove the original works formatted MS Windows hard drive for the same purpose mentioned below. Will VirtualBox run MS Win 8 assuming the UEFI issue can be solved for the host OS?

The choices are either turn secure boot off or run an os/bootloader that has a signature that uefi knows about(Microsoft). This assumes a uefi only i386/x86_64 motherboard. The uefi is more complicated but at least there is a way to turn off secure boot. Note that the Linux Foundation is sponsoring an effort to create a signed boot loader. I do not think that TUV is planning on using this.

No speak vmware.

-Connie Sieh

At present, I am running SL 6x with VirtualBox running MS Win 7 -- and dread having to do to MS Win 8 and all of the UEFI nonsense -- particularly if I get a new laptop.

Yasha Karant

On 02/26/2013 11:04 AM, Ken Teh wrote:

I never boot a new laptop into Windows. I replace the original hard drive with a new one and install Linux on it. This way I can put the original disk back in and never void my warranty. You can then even sell it in its original state. Of course, this works only if you don't plan to use Windows. I use a $500 Lenovo X120e netbook.

On 02/26/2013 11:26 AM, Scott_Gates wrote:

OK, If I needed a desktop, I'd just roll my own. Probably starting with something bare-bones from TigerDirect.

I'm thinking of buying a new laptop, rather than just recycling old ones, like I have been. I have HEARD there are issues with trying to install on computers with Windows8 already installed--the only source I have of CHEAP laptops. Basically a Wal-mart or Best-buy boxes that I can get in the $250-$400 range.

Does anybody have experience with this? Yeah, I know I'll be Voiding the Warranty--but, I need a laptop for real work--not socializing or net flicking. You know what I mean.