Re: [SCIENTIFIC-LINUX-USERS] Installing on a new laptop

2013-03-05 Thread Tom H
On Sat, Mar 2, 2013 at 11:09 PM, jdow j...@earthlink.net wrote:
 On 2013/03/02 15:18, Tom H wrote:
 On Fri, Mar 1, 2013 at 11:15 PM, jdow j...@earthlink.net wrote:
 On 2013/03/01 09:26, Tom H wrote:
 On Thu, Feb 28, 2013 at 7:08 PM, jdow j...@earthlink.net wrote:
 On 2013/02/28 11:56, Tom H wrote:
 On Thu, Feb 28, 2013 at 2:38 PM, Robert Blair r...@anl.gov wrote:
 On 02/28/2013 01:35 PM, Tom H wrote:

 I wouldn't be surprised if SB became un-disable-able in the next
 few years. We'd then have to use an MS-signed shim to boot, as is
 now the case with the default Fedora and Ubuntu SB setups.

 Maybe I've missed something here. If a generic MS signed shim is
 available what value does this add? Wouldn't such a shim make booting
 anything alternative possible?

 I'm sorry. It's not as generic as I made it look. AIUI, the shim is a
 basic stage 1 (or maybe stage 0.5) bootloader whose signature's
 validated against an MS key in the computer's ROM. Grub and the kernel
 (and its modules in Fedora's case but not in Ubuntu's) are then
 validated against a Fedora key in the shim.

 Which is the end of compiling your own code.

 You mean compiling your own kernel without spending a one-time fee of USD 99.

 A difference which makes no practical difference is no difference at all.

 Of course there's a difference. It's grub and the kernel and its
 modules that you can't compile without signing.

 You missed the point, Tom. To a retired person a $100 bill is a serious
 amount of eating that has to be traded off with it. If that cannot be
 afforded without sacrifice then it might as well not exist as an option.
 That is the difference that makes no practical difference.

 The Microsoft extension to the issue is essentially the locked cellphone
 situation under which I could not code up any new assistive technology
 for myself and use it. It becomes me paying to have Microsoft own my
 device. And I'd have to pay them to use my own work on a machine I have
 every right to regard as my own machine.

 If Linux is going to systematically support that kind of a model in any
 way, I'm outahere.

You're outahere to where?! As long as you can turn off SB, you're OK
using whatever you want to use. If we get to a point where we can't
turn off SB on x86, you'll have to use a non-x86, non-ARM processor.

I didn't consider the USD 99 because I didn't think it relevant.
Compiling your own SB-compatible kernel's a luxury. Your computer
isn't non-functional without doing so.

Anyway, I found out today that my SB knowledge's out of date. The shim
now supports MOKs (Machine Owner Keys) and is distributed with a
MokManager program. So you can generate keys with openssl, sign your
EFI binaries with them, and enroll your MOK certificate with
MokManager.
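
The MOK workflow described in the message above, sketched as shell. This is an added example, not part of the original post; the file names, the certificate CN and the kernel path are constructed, and it assumes openssl, sbsign/sbverify (sbsigntools) and mokutil are installed.

```shell
#!/usr/bin/env bash
# Added example: Machine Owner Key (MOK) workflow for a shim-based Secure Boot setup.
# All file names and the default CN are constructed for illustration.
set -eu

# 1. Generate a self-signed signing key pair with openssl.
#    MOK.key/MOK.pem are used for signing; MOK.der is the form that gets enrolled.
mok_generate() {
    dir=$1
    cn=${2:-Example Machine Owner Key}
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$cn/" -keyout "$dir/MOK.key" -out "$dir/MOK.pem" 2>/dev/null
    chmod 600 "$dir/MOK.key"      # whoever holds this key can sign bootable code
    openssl x509 -in "$dir/MOK.pem" -outform DER -out "$dir/MOK.der"
}

# SHA-256 fingerprint of the DER certificate, to record so the key that ends up
# enrolled can be identified later.
mok_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# 2. Sign an EFI binary (e.g. a self-built kernel) and verify the signature
#    against the same certificate before installing it.
mok_sign() {
    dir=$1 unsigned=$2 signed=$3
    sbsign --key "$dir/MOK.key" --cert "$dir/MOK.pem" --output "$signed" "$unsigned"
    sbverify --cert "$dir/MOK.pem" "$signed"
}

# 3. Queue the certificate for enrollment. mokutil asks for a one-time password;
#    MokManager asks for it again on the next boot, at the console, before
#    the key is trusted.
mok_enroll() {
    mokutil --import "$1/MOK.der"
}

# Run the whole sequence only when asked to: ./mok.sh --run /path/to/vmlinuz
if [ "${1:-}" = "--run" ]; then
    workdir=$(mktemp -d)
    mok_generate "$workdir"
    echo "MOK fingerprint: $(mok_fingerprint "$workdir/MOK.der")"
    mok_sign "$workdir" "$2" "$2.signed"
    mok_enroll "$workdir"
fi
```

Enrollment only completes after a reboot, where MokManager prompts at the physical console; keep MOK.key offline or otherwise protected, since any binary signed with it will be accepted by the shim on that machine.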


Re: [SCIENTIFIC-LINUX-USERS] Installing on a new laptop

2013-03-02 Thread Yasha Karant

On 03/02/2013 08:09 PM, jdow wrote:

On 2013/03/02 15:18, Tom H wrote:

On Fri, Mar 1, 2013 at 11:15 PM, jdow j...@earthlink.net wrote:

On 2013/03/01 09:26, Tom H wrote:

On Thu, Feb 28, 2013 at 7:08 PM, jdow j...@earthlink.net wrote:

On 2013/02/28 11:56, Tom H wrote:

On Thu, Feb 28, 2013 at 2:38 PM, Robert Blair r...@anl.gov wrote:

On 02/28/2013 01:35 PM, Tom H wrote:


I wouldn't be surprised if SB became un-disable-able in the next
few years. We'd then have to use an MS-signed shim to boot, as is
now the case with the default Fedora and Ubuntu SB setups.


Maybe I've missed something here. If a generic MS signed shim is
available what value does this add? Wouldn't such a shim make
booting anything alternative possible?


I'm sorry. It's not as generic as I made it look. AIUI, the shim is a
basic stage 1 (or maybe stage 0.5) bootloader whose signature's
validated against an MS key in the computer's ROM. Grub and the kernel
(and its modules in Fedora's case but not in Ubuntu's) are then
validated against a Fedora key in the shim.


Which is the end of compiling your own code.


You mean compiling your own kernel without spending a one-time fee
of USD 99.


A difference which makes no practical difference is no difference at all.


Of course there's a difference. It's grub and the kernel and its
modules that you can't compile without signing.


You missed the point, Tom. To a retired person a $100 bill is a serious
amount of eating that has to be traded off with it. If that cannot be
afforded without sacrifice then it might as well not exist as an option.
That is the difference that makes no practical difference.

The Microsoft extension to the issue is essentially the locked cellphone
situation under which I could not code up any new assistive technology
for myself and use it. It becomes me paying to have Microsoft own my
device. And I'd have to pay them to use my own work on a machine I have
every right to regard as my own machine.

If Linux is going to systematically support that kind of a model in any
way, I'm outahere.

{^_^}


Linux or any open systems approach is not the issue.  Microsoft is a 
monopoly and has been able to impose this upon the hardware vendors or 
it will not allow the vendors to offer MS Win 8.  Unfortunately, the 
market will not be able to effect any change within any reasonable time 
interval unless Microsoft removes this restrictive covenant -- which is 
not likely as Microsoft has imposed this approach for maintaining the 
monopoly.  The only choice, libertarianism aside, is for governments to 
intervene, just as MS Win had to be offered to consumers with a 
different footprint in the EU compared to the USA (both had found 
Microsoft to be a monopoly, but the USA put no effective remedy into 
place).  Note that the imposed change has little if any effect upon 
security -- but might prevent unlicensed (pirated) copies of MS Win 8 
from booting.  I presume that the PRC internally will break this 
imposition -- but I doubt that such PRC machines will either be common 
or desirable (except within the PRC where the solution will be imposed).


Re: Installing on a new laptop

2013-03-01 Thread zxq9

On 03/02/2013 03:34 AM, Konstantin Olchanski wrote:

...GNU Hurd (vaporware).


Not vaporware. But the two consumer-end distros based on it are still in 
Alpha. Of course one of them (Arch) is perpetually in Alpha and the 
other (Debian) is perpetually frozen in its release schedule, so I don't 
know that this is really any different than their Linux variants...


http://www.archhurd.org/

http://www.debian.org/ports/hurd/

Arch Hurd has a liveCD out for x86, I don't think Debian is that far 
along yet.


This won't change the world, in any case, because it doesn't affect how 
the masses access their email, media or games.


Re: Installing on a new laptop

2013-02-27 Thread zxq9

On 02/27/2013 04:20 AM, Paul Robert Marino wrote:

I have an X120e as well and simply changing the hard drive doesn't fix
the UEFI issue.
the first answer to this string is correct with two caveats: RedHat got
two signed certs, one for RHEL and the other for Fedora. apparently the
process was a nightmare but they will work with secure boot. for that
reason I run fedora as my primary os on my laptop and if i have to do
any Scientific Linux testing I run it in a VM
(and yes an AMD fusion chip can run a single VM surprisingly well)..


We supply our customers with Linux and dual-boot systems, and recently 
have run headlong into the UEFI madness. Any new consumer-grade x86 
system will have an escape key on boot that gets you into setup the same 
way old BIOS-based boards did (this can be tricky with keyboardless 
tablets -- sometimes a USB keyboard can work, sometimes it's just plain 
random like pressing a volume button or something). The weird part with 
UEFI is that the key is hidden, non-standard between makers -- even 
different between board models, never announced on the boot screen, has 
an amazingly short activation window (usually 1 second), and (so far in 
our experience) never mentioned in any vendor documentation other than 
(occasionally) Toshiba laptop manuals. We've resorted to playing F-key 
piano within when testing new models. Silly, but it often works.


Within the UEFI setup there will be an option for enabling UEFI or 
CRM and changing the boot source order. CRM indicates a BIOS-style 
boot and works with anything BIOS booting did. UEFI is, of course, UEFI, 
and requires a key. There is supposedly a way to insert your own key 
into the UEFI registry so that you can sign your own bootloaders, but 
I've seen zero evidence of this myself.


It's almost like someone is trying to kill off the smaller OS and 
hardware vendors and make corporate IT into an Old Boys' club again -- 
but such a sweeping conspiracy would have raised an outcry somewhere...?


There is a silver lining. The board makers themselves are out to sell 
boards and laptops and tablets and can be reasoned with. My company is 
an extremely small player in the hardware field but we've had positive 
response from vendors when inquiring about having our own keys included 
on boards alongside Microsoft's when doing bulk orders. We haven't had 
to go that route yet so I'm unsure how much of a pain that would 
actually be to manage (doesn't appear much more difficult than managing 
repository keys though, for example), but this leaves the door open for 
even tiny computing companies and larger IT departments to arrange for 
their own secure boot keys to be pre-installed by the board 
manufacturers and not violate Microsoft's requirements, even on ARM. 
That said, since we don't do showroom marketing anyway neither we nor 
our suppliers have a need to put little Windows8 Ready stickers on 
anything they ship to us anyway.


From a security perspective it is important to note that physical 
access to a system still equates to compromise and UEFI can't do 
anything to prevent that. It is also interesting to note that as we've 
thought through security compromise based on the boot cycle, leaving the 
Windows key alongside our key leaves a door open for someone to write 
malware that is based on a valid version of Windows that runs the real 
system in a VM anyway, and there isn't a clean way out of that.


Blah blah blah. My point is that there is a possibility for OS 
suppliers/providers to provide their own UEFI keys because board makers 
are willing to play ball (so far). This does require, however, that at 
the smaller level OS and hardware vendors have to merge or coordinate 
somewhat in practice -- but as we've found over the last few years, when 
you do the software you start wanting to do the hardware, too, so it 
works out. The downside is that unless you're already established or 
have the investment backing required to maintain an entire OS yourself 
it will be pretty much impossible to start a non-Windows computing 
company from here on out.


If we sensed much demand for consumer-end (as in, personal, not 
business) systems running $distro then we'd probably jump on the chance 
to run our own UEFI-based program -- but we're troubled by the idea that 
doing so would lock buyers of our hardware into $distro (or at least our 
bootloader, depending on how things were set up) the same way MS has 
done, and that isn't really something we see as a competitive advantage 
in a market niche loaded with hordes of people who want to/need to try 
out different things on their own. Tricky.


-z


Re: Installing on a new laptop

2013-02-27 Thread Konstantin Olchanski
On Tue, Feb 26, 2013 at 11:46:11AM -0600, Connie Sieh wrote:
 
 If a i386/x86_64 laptop is certified for the Windows 8 logo then
 it has to have secure boot enabled in the bios(uefi) by default as
 required by Microsoft.  Secure boot requires a 'signed by microsoft'
 program to boot. But the bios(uefi) is REQUIRED to have a method to
 turn off the secure boot option and thus not require a microsoft
 signed os.


Is all this still theoretical? I have not seen any recent laptops,
but on recent desktop mobos (from ASUS), indeed, in the BIOS setup,
I see the button to enable secure boot. This button is off by default,
Linux boots just fine.

So is there an issue bigger than having to go into the BIOS setup
to turn off secure boot?

In other news, when people ask me which Linux laptop to buy?, I tell
them to buy a Mac. For all practical purposes MacOS acts as a funny Linux,
the main difference being that all the hardware and software actually
does work as advertised. (That does cost you a few extra $$$, of course).

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada


Re: Installing on a new laptop

2013-02-27 Thread Scott Gates
Until I can afford it, It's theoretical.  Hoping to hear in a week if
I got a major real job, then it'll not only move from
theoretical--it'll move to NECESSARY.

On Wed, Feb 27, 2013 at 6:14 PM, Konstantin Olchanski
olcha...@triumf.ca wrote:
 On Tue, Feb 26, 2013 at 11:46:11AM -0600, Connie Sieh wrote:

 If a i386/x86_64 laptop is certified for the Windows 8 logo then
 it has to have secure boot enabled in the bios(uefi) by default as
 required by Microsoft.  Secure boot requires a 'signed by microsoft'
 program to boot. But the bios(uefi) is REQUIRED to have a method to
 turn off the secure boot option and thus not require a microsoft
 signed os.


 Is all this still theoretical? I have not seen any recent laptops,
 but on recent desktop mobos (from ASUS), indeed, in the BIOS setup,
 I see the button to enable secure boot. This button is off by default,
 Linux boots just fine.

 So is there an issue bigger than having to go into the BIOS setup
 to turn off secure boot?

 In other news, when people ask me which Linux laptop to buy?, I tell
 them to buy a Mac. For all practical purposes MacOS acts as a funny Linux,
 the main difference being that all the hardware and software actually
 does work as advertised. (That does cost you a few extra $$$, of course).

 --
 Konstantin Olchanski
 Data Acquisition Systems: The Bytes Must Flow!
 Email: olchansk-at-triumf-dot-ca
 Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada


Re: Installing on a new laptop

2013-02-26 Thread Paul Robert Marino
I have an X120e as well and simply changing the hard drive doesn't fix
the UEFI issue.
the first answer to this string is correct with two caveats: RedHat got
two signed certs, one for RHEL and the other for Fedora. apparently the
process was a nightmare but they will work with secure boot. for that
reason I run fedora as my primary os on my laptop and if i have to do
any Scientific Linux testing I run it in a VM
(and yes an AMD fusion chip can run a single VM surprisingly well)..


On Tue, Feb 26, 2013 at 2:04 PM, Ken Teh t...@anl.gov wrote:
 I never boot a new laptop into Windows.  I replace the original hard drive
 with a new one and install Linux on it.  This way I can put the original
 disk back in and never void my warranty.  You can then even sell it in its
 original state.

 Of course, this works only if you don't plan to use Windows.

 I use a $500 Lenovo X120e netbook.



 On 02/26/2013 11:26 AM, Scott_Gates wrote:

 OK, If I needed a desktop, I'd just roll my own. Probably starting with

 something bare-bones from TigerDirect.

 I'm thinking of buying a new laptop, rather than just recycling old ones,

 like I have been.

 I have HEARD there are issues with trying to install on computers with

 Windows8 already installed--the only source I have of CHEAP laptops.

 Basically a Wal-mart or Best-buy boxes that I can get in the $250-$400 range.

 Does anybody have experience with this?  Yeah, I know I'll be Voiding the

 Warranty--but, I need a laptop for real work--not socializing or net
 flicking.  You know what I mean.


Re: Installing on a new laptop

2013-02-26 Thread Connie Sieh

On Tue, 26 Feb 2013, Yasha Karant wrote:


My understanding is that if the machine is licensed for MS Windows, then
the release and version for which it is so licensed can legally be run
under VirtualBox (or the equivalent):  Linux as the host OS, VirtualBox,
and then a fresh install from media of the licensed MS Windows.  I do
however, in most cases, remove the original works formatted MS Windows
hard drive for the same purpose mentioned below.

Will VirtualBox run MS Win 8 assuming the UEFI issue can be solved for
the host OS?


The choices are either turn secure boot off or run an os/bootloader that 
has a signature that uefi knows about (Microsoft).  This assumes a uefi 
only i386/x86_64 motherboard.  The uefi is more complicated but at least 
there is a way to turn off secure boot.


Note that the Linux Foundation is sponsoring an effort to create a signed 
boot loader.  I do not think that TUV is planning on using this.


No speak vmware.

-Connie Sieh
 

At present, I am running SL 6x with VirtualBox running MS Win 7 -- and
dread having to do to MS Win 8 and all of the UEFI nonsense --
particularly if I get a new laptop.

Yasha Karant

On 02/26/2013 11:04 AM, Ken Teh wrote:

I never boot a new laptop into Windows.  I replace the original hard drive
with a new one and install Linux on it.  This way I can put the original
disk back in and never void my warranty.  You can then even sell it in its
original state.

Of course, this works only if you don't plan to use Windows.

I use a $500 Lenovo X120e netbook.


On 02/26/2013 11:26 AM, Scott_Gates wrote:

OK, If I needed a desktop, I'd just roll my own. Probably starting with

something bare-bones from TigerDirect.

I'm thinking of buying a new laptop, rather than just recycling old ones,

like I have been.

I have HEARD there are issues with trying to install on computers with

Windows8 already installed--the only source I have of CHEAP laptops.

Basically a Wal-mart or Best-buy boxes that I can get in the $250-$400 range.

Does anybody have experience with this?  Yeah, I know I'll be Voiding the

Warranty--but, I need a laptop for real work--not socializing or net
flicking.  You know what I mean.