Re: UEFI SL 6x boot

2013-09-23 Thread Connie Sieh

On Mon, 23 Sep 2013, Yasha Karant wrote:

> A colleague who uses SuSE non-enterprise for his professional
> (enterprise) workstations has now attempted to load the latest SuSE on a
> machine with a new generic (aftermarket) "gamer" UEFI X86-64
> motherboard.  It does not properly boot.  I do not have any UEFI
> motherboards, and thus no experience with SL6x on such motherboards.

Is "secure boot" enabled in the UEFI?

> Does anyone?  Does SL6x boot correctly (and easily) on a UEFI
> motherboard?  If so, he may switch to SL.

Yes as long as "secure boot" is disabled.

> Yasha Karant

-connie sieh


Re: UEFI SL 6x boot

2013-09-24 Thread Yasha Karant
Secure boot is enabled.  Evidently, the only means to disable secure 
boot requires that a secure boot loader/configuration program be running 
-- e.g., the MS proprietary boot loader (typically, supplied as part of 
MS Windows 8) must be used to disable secure boot if the UEFI actually 
permits this to be disabled (I have heard of some UEFI implementations 
that do not permit secure boot truly to be disabled).


If Linux cannot handle this issue, then Linux is finished on all generic 
(e.g., not Apple that supplies both the hardware and operating 
environment software under a restrictive proprietary for-profit 
intellectual property license) X86-64 hardware, as (almost?) all current 
such hardware is MS 8 (UEFI secure boot) compliant.


Yasha Karant



Re: UEFI SL 6x boot

2013-09-24 Thread Yasha Karant
See: 
http://www.maketecheasier.com/disable-secure-boot-in-windows-8/2013/02/25


from which:

7. Once the computer starts up, you’ll need to access your BIOS. To do 
it, you have to press “Delete,” “F1,” or “F2”, depending on your 
computer, on your keyboard as soon as the computer begins its power-on 
process again. Try each one and see if it works. Usually, the key is 
revealed at the startup splash screen in a message that says “Press 
 to Enter Setup.”


Note: Each BIOS configuration utility is different. You’ll have to 
intuitively navigate through the interface with my vague directions.


Note: You might not even find a secure boot option anywhere. You might 
not even find an option under “Security.” The below image shows the 
option as “UEFI Boot” under the “Boot” menu. Keep your eyes peeled for 
anything containing the words “Secure boot” and “UEFI.”


As can be seen, the ability to disable the secure boot is determined by 
the hardware (mainly the BIOS). While our hardware allowed us to disable 
the secure boot feature, that doesn’t mean your hardware is the same. 
You will have to play with it and hope that it comes with the ability to 
unlock the secure boot.


End quotes.

Re: UEFI SL 6x boot

2013-09-24 Thread Connie Sieh

On Tue, 24 Sep 2013, Yasha Karant wrote:

> Secure boot is enabled.  Evidently, the only means to disable secure
> boot requires that a secure boot loader/configuration program be running
> -- e.g., the MS proprietary boot loader (typically, supplied as part of
> MS Windows 8) must be used to disable secure boot if the UEFI actually
> permits this to be disabled (I have heard of some UEFI implementations
> that do not permit secure boot truly to be disabled).

If the system is Windows 8 logo compatible and is x86_64 then a way to
disable "secure boot" must be provided by the hardware vendor.  This is
commonly done via an option in the "bios".  This requirement is part of the
"microsoft windows 8 logo requirements".  Note the method of disabling is
not defined by the UEFI spec.  So each vendor may do it differently.

The only hardware that does not permit "secure boot" to be disabled is arm
based Windows.  The Windows logo requirements are at work here.

> If Linux cannot handle this issue, then Linux is finished on all generic
> (e.g., not Apple that supplies both the hardware and operating
> environment software under a restrictive proprietary for-profit
> intellectual property license) X86-64 hardware, as (almost?) all current
> such hardware is MS 8 (UEFI secure boot) compliant.

At the moment Fedora, SuSE, Ubuntu all can handle "secure boot".  It is
expected that RHEL 7 will also handle it.  It is also possible to "sign"
your own kernel and place your keys in the "bios".


-connie
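
An added example, not part of any message in this thread: a Python check of whether Secure Boot is enabled, as asked above, read from the firmware variables a running Linux system exposes. The sysfs paths and the EFI global-variable GUID are the standard Linux/UEFI ones; the function names and the sample variables written to a temporary directory are constructed for illustration.

```python
"""Report UEFI Secure Boot state from Linux firmware variables (added example)."""
import os
import struct
import tempfile

# GUID of the UEFI global-variable namespace holding SecureBoot and SetupMode.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARFS = "/sys/firmware/efi/efivars"  # efivarfs: 4-byte attributes, then data
LEGACY_VARS = "/sys/firmware/efi/vars"  # older sysfs interface: <var>/data is raw


def read_flag(name, efivarfs=EFIVARFS, legacy=LEGACY_VARS):
    """Return the one-byte value of a global EFI variable, or None if absent."""
    var = f"{name}-{EFI_GLOBAL_GUID}"
    candidates = [
        (os.path.join(efivarfs, var), 4),        # skip the attribute header
        (os.path.join(legacy, var, "data"), 0),  # no header in the legacy layout
    ]
    for path, header in candidates:
        try:
            with open(path, "rb") as fh:
                raw = fh.read()
        except (FileNotFoundError, NotADirectoryError):
            continue
        if len(raw) <= header:
            raise ValueError(f"{path}: truncated variable ({len(raw)} bytes)")
        return raw[header]
    return None


def secure_boot_state(efivarfs=EFIVARFS, legacy=LEGACY_VARS):
    """Classify the platform from the SecureBoot and SetupMode variables."""
    if not (os.path.isdir(efivarfs) or os.path.isdir(legacy)):
        return "no-efi-vars"          # legacy BIOS/CSM boot, or variables not exposed
    secure = read_flag("SecureBoot", efivarfs, legacy)
    setup = read_flag("SetupMode", efivarfs, legacy)
    if secure is None:
        return "unknown"              # variable missing (efivarfs not mounted, old firmware)
    if secure == 1:
        return "enforcing"            # firmware verifies boot loader signatures
    if setup == 1:
        return "disabled-setup-mode"  # no Platform Key enrolled
    return "disabled-user-mode"       # keys enrolled, enforcement switched off


def make_sample(root, secure, setup, layout="efivarfs"):
    """Write constructed SecureBoot/SetupMode variables under root for a dry run."""
    attrs = struct.pack("<I", 0x6)  # BOOTSERVICE_ACCESS | RUNTIME_ACCESS
    for name, value in (("SecureBoot", secure), ("SetupMode", setup)):
        var = f"{name}-{EFI_GLOBAL_GUID}"
        if layout == "efivarfs":
            with open(os.path.join(root, var), "wb") as fh:
                fh.write(attrs + bytes([value]))
        else:
            os.makedirs(os.path.join(root, var))
            with open(os.path.join(root, var, "data"), "wb") as fh:
                fh.write(bytes([value]))


if __name__ == "__main__":
    print("this machine:", secure_boot_state())
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp, secure=1, setup=0)  # constructed sample, not real firmware
        missing = os.path.join(tmp, "missing")
        print("constructed sample:", secure_boot_state(tmp, missing))
```

"enforcing" is the state in which the firmware rejects a boot loader it cannot verify; "disabled-setup-mode" means no Platform Key is enrolled, which is the state in which your own keys can be placed in the firmware.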






Re: UEFI SL 6x boot

2013-09-24 Thread Yasha Karant
This thread started because my colleague is using SuSE and tried Ubuntu 
-- and both failed to secure boot properly from the generic hardware to 
which he upgraded.  This failure prompted a question about SL (as a 
no-fee option for a TUV enterprise, commercial, supported, production 
Linux base).


Evidently, the current answer for SL is that it is not UEFI Secure Boot 
enabled, and SL 6x cannot reliably be installed upon such systems -- 
depending upon the quirks (or proprietary generosity) of the actual BIOS 
supplier.


Yasha Karant





Re: UEFI SL 6x boot

2013-09-24 Thread Mark Stodola

That is correct, SL and TUV do not support secure boot at this time.

This link is a year old, and I am sure more support it by now, but:
http://mjg59.dreamwidth.org/20522.html

I'm sure a more up to date list can be found with moderate searching.







--
Mr. Mark V. Stodola
Senior Control Systems Engineer

National Electrostatics Corp.
P.O. Box 620310
Middleton, WI 53562-0310 USA
Phone: (608) 831-7600
Fax: (608) 831-9591


Re: UEFI SL 6x boot

2013-09-24 Thread Connie Sieh

On Tue, 24 Sep 2013, Yasha Karant wrote:

> This thread started because my colleague is using SuSE and tried Ubuntu
> -- and both failed to secure boot properly from the generic hardware to
> which he upgraded.  This failure prompted a question about SL (as a
> no-fee option for a TUV enterprise, commercial, supported, production
> Linux base).
>
> Evidently, the current answer for SL is that it is not UEFI Secure Boot
> enabled, and SL 6x cannot reliably be installed upon such systems --
> depending upon the quirks (or proprietary generosity) of the actual BIOS
> supplier.

OpenSuSE supports "secure boot" not SuSE as I stated earlier.

I am sure it is only "recent" versions of OpenSuSE, Fedora and Ubuntu that
support "secure boot".

See the following for more info.  In particular pages 12 and 17.  There
are references to youtube videos on page 18 showing Windows 8 dual booting
with Ubuntu 12.10.

http://events.linuxfoundation.org/sites/events/files/slides/LinuxConUEFIandLinuxBresniker.pdf

It is efi compliant.  If the bios vendor does not allow "secure boot" to
be turned off then one should "converse" with said vendor.


-connie sieh








Re: UEFI SL 6x boot

2013-09-24 Thread Yasha Karant
To be specific, my colleague is using the licensed-for-free binary 
download of current OpenSuSE that nominally supports UEFI Secure Boot -- 
and it does not work in fact on the hardware he has.  He did experiment 
with a licensed copy of MS Win 8, and it would install on the same 
platform without this issue (but absolutely is not what he wants or is 
willing to use as a primary -- non-Virtual-Box running under -- OS).








Re: UEFI SL 6x boot

2013-09-24 Thread Nico Kadel-Garcia
Down, boy.

Scientific Linux is behind the times on available tools, because our
favorite upstream vendor has not yet released tools. Tools to work with
have been tested, effectively, with Fedora, and I expect our favorite
upstream vendor will include tools with release 7.x, which is not yet in
alpha or beta release. Check out
http://docs.fedoraproject.org/en-US/Fedora/18/html-single/UEFI_Secure_Boot_Guide/index.html for
a good breakdown of the issues and trade-offs.

UEFI is part of the old "Palladium" project from Microsoft, relabeled as
"Trusted Computing". It is aimed squarely at DRM and vendor lock-in, not
security, for reasons that I could spend a whole day discussing. In the
meantime, yes, you can disable it for SL booting if needed, and reasonably
expect our favorite upstream vendor to have shims available when version 7
is published: they're already working well with recent Fedora releases. I'd
also *expect* those shims to be workable for SL 7, but someone may have to
plunk down some cash to get some keys signed, and spend some extra effort
to maintain the security needed for the relevant shims to work well with SL
kernels and environments.


On Tue, Sep 24, 2013 at 11:53 AM, Yasha Karant  wrote:

> Secure boot is enabled.  Evidently, the only means to disable secure boot
> requires that a secure boot loader/configuration program be running --
> e.g., the MS proprietary boot loader (typically, supplied as part of MS
> Windows 8) must be used to disable secure boot if the UEFI actually permits
> this to be disabled (I have heard of some UEFI implementations that do not
> permit secure boot truly to be disabled).
>
> If Linux cannot handle this issue, then Linux is finished on all generic
> (e.g., not Apple that supplies both the hardware and operating environment
> software under a restrictive proprietary for-profit intellectual property
> license) X86-64 hardware, as (almost?) all current such hardware is MS 8
> (UEFI secure boot) compliant.
>
> Yasha Karant
>
> On 09/23/2013 10:29 PM, Connie Sieh wrote:
>
>> On Mon, 23 Sep 2013, Yasha Karant wrote:
>>
>>> A colleague who uses SuSE non-enterprise for his professional
>>> (enterprise) workstations has now attempted to load the latest SuSE on a
>>> machine with a new generic (aftermarket) "gamer" UEFI  X86-64
>>> motherboard.  It does not properly boot.  I do not have any UEFI
>>> motherboards, and thus no experience with SL6x on such motherboards.
>>>
>>
>> Is "secure boot" enabled in the UEFI ?
>>
>>
>>> Does anyone?  Does SL6x boot correctly (and easily) on a UEFI
>>> motherboard?  If so, he may switch to SL.
>>>
>>
>> Yes as long as "secure boot" is disabled .
>>
>>
>>> Yasha Karant
>>>
>>>
>> -connie sieh
>>
>


Re: UEFI SL 6x boot

2013-09-24 Thread Connie Sieh

On Tue, 24 Sep 2013, Nico Kadel-Garcia wrote:

> Down, boy.
>
> Scientific Linux is behind the times on available tools, because our
> favorite upstream vendor has not yet released tools. Tools to work with
> have been tested, effectively, with Fedora, and I expect our favorite
> upstream vendor will include tools with release 7.x, which is not yet in
> alpha or beta release. Check out
> http://docs.fedoraproject.org/en-US/Fedora/18/html-single/UEFI_Secure_Boot_Guide/index.html for
> a good breakdown of the issues and trade-offs.
>
> UEFI is part of the old "Palladium" project from Microsoft, relabeled as
> "Trusted Computing". It is aimed squarely at DRM and vendor lock-in, not
> security, for reasons that I could spend a whole day discussing. In the
> meantime, yes, you can disable it for SL booting if needed, and reasonably
> expect our favorite upstream vendor to have shims available when version 7
> is published: they're already working well with recent Fedora releases. I'd
> also *expect* those shims to be workable for SL 7, but someone may have to
> plunk down some cash to get some keys signed, and spend some extra effort
> to maintain the security needed for the relevant shims to work well with SL
> kernels and environments.

Last week at LinuxCon North America the shim developers were still
developing.

I attended the UEFI Plugfest last week as part of Linux Con.
Microsoft gave a presentation on UEFI signing.  The
presentation will be posted to uefi.org website.

We are working on this.  Fermilab is a member of the UEFI forum.

-Connie Sieh





Re: UEFI SL 6x boot

2013-09-24 Thread Yasha Karant
Let me see if I understand the current situation. This question was 
prompted by the question of a  colleague attempting to use OpenSuSE (not 
SL nor TUV) on UEFI Secure Boot who was not able to get a reliably 
booted running operating environment.  The colleague wondered if SL 
would fare better.


Depending upon the particular BIOS or BIOS equivalent, using MS Windows 
8, it may be possible to disable Secure Boot and allow for SL to be 
booted.  Secure Boot, and many other technologies put forward by, 
through, or under the auspices of the monopoly primarily exist to move 
forward the market share, return on investment, and general economic 
wealth of the monopoly (not a surprise in oligopolistic non-market 
economics).


SL with Fermilab participation is participating in projects that will 
allow SL to boot on UEFI Secure Boot hardware without the use of any 
monopoly operating environment software or applications -- Microsoft not 
required.  Presumably, TUV is participating as well as TUV 
supported-for-fee environments must be able to reliably boot and run on 
UEFI Secure Boot platforms without the use of monopoly software to 
enable the booting process.  Apple is not a matter for discussion 
because Apple provides the entire hardware and software package, and 
does not allow the use of MacOS on non-Apple hardware platforms. 
Presumably VirtualBox and other means to allow MS Windows to run as a 
guest environment has or will have some means to provide UEFI Secure 
Boot to MS Windows guests requiring such.


At present, there is no production Linux that will reliably run on all 
hardware platforms that use UEFI Secure Boot, but only MS Windows 
environments will do so on any hardware platform that proclaims 
compliance with the monopoly ("certification").


Is the above substantially correct as of this instant?

Yasha Karant

On 09/24/2013 04:40 PM, Connie Sieh wrote:

On Tue, 24 Sep 2013, Nico Kadel-Garcia wrote:


--001a11c379ecc5abcb04e7297e9d
Content-Type: text/plain; charset="ISO-8859-1"

Down, boy.

Scientific Linux is behind the times on available tools, because our
favorite upstream vendor has not yet released tools. Tools to work with
have been tested, effectively, with Fedora, and I expect our favorite
upstream vendor will include tools with release 7.x, which is not yet in
alpha or beta release. Check out
http://docs.fedoraproject.org/en-US/Fedora/18/html-single/UEFI_Secure_Boot_Guide/index.htmlfor

a good breakdown of the issues and trade-offs.

UEFI is part of the old "Palladium" project from Microsoft, relabeled as
"Trusted Computing". It is aimed squarely at DRM and vendor lock-in, not
security, for reasons that I could spend a whole day discussing.In the
meantime, yes, you can disalbe it for SL booting if needed, and
reasonably
expect our favorite upstream vendor to have shims available when
version 7
is publishedL they're already working well with recent Fedora
releases. I'd
also *expect* those shims to be workable for SL 7, but someone may
have to
plunk down some cash to get some keys signed, and spend some extra effort
to maintain the security needed for the relevant shims to work well
with SL
kernels and environments.


Last week at LinuxCon North America the shim developers were still
developing.

I attended the UEFI Plugfest last week as part of Linux Con. Microsoft
gave a presentation on UEFI signing.  The presentation will be posted to
uefi.org website.

We are working on this.  Fermilab is a member of the UEFI forum .

-Connie Sieh




On Tue, Sep 24, 2013 at 11:53 AM, Yasha Karant  wrote:


Secure boot is enabled.  Evidently, the only means to disable secure boot
requires that a secure boot loader/configuration program be running --
e.g., the MS proprietary boot loader (typically, supplied as part of MS
Windows 8) must be used to disable secure boot if the UEFI actually permits
this to be disabled (I have heard of some UEFI implementations that do not
permit secure boot truly to be disabled).

If Linux cannot handle this issue, then Linux is finished on all generic
(e.g., not Apple that supplies both the hardware and operating environment
software under a restrictive proprietary for-profit intellectual property
license) X86-64 hardware, as (almost?) all current such hardware is MS 8
(UEFI secure boot) compliant.

Yasha Karant

On 09/23/2013 10:29 PM, Connie Sieh wrote:


On Mon, 23 Sep 2013, Yasha Karant wrote:

A colleague who uses SuSE non-enterprise for his professional
(enterprise) workstations has now attempted to load the latest SuSE on a
machine with a new generic (aftermarket) "gamer" UEFI  X86-64
motherboard.  It does not properly boot.  I do not have any UEFI
motherboards, and thus no experience with SL6x on such motherboards.



Is "secure boot" enabled in the UEFI ?



Does anyone?  Does SL6x boot correctly (and easily) on a UEFI
motherboard?  If so, he may switch to SL.



Yes as long as "secure boot" is disabled .



Yasha Karant



-connie sieh






Re: UEFI SL 6x boot

2013-09-25 Thread Connie Sieh

On Tue, 24 Sep 2013, Yasha Karant wrote:


Let me see if I understand the current situation. This question was
prompted by the question of a  colleague attempting to use OpenSuSE (not
SL nor TUV) on UEFI Secure Boot who was not able to get a reliably
booted running operating environment.  The colleague wondered if SL
would fare better.

Depending upon the particular BIOS or BIOS equivalent, using MS Windows
8, it may be possible to disable Secure Boot and allow for SL to be


Using is not the "official status",  it is "Windows 8 logo" use that 
dictates secure boot.  And if it is enabled then it is required to have a 
way to disable it.  Please give the vendors a chance with turning secure 
boot off.



booted.  Secure Boot, and many other technologies put forward by,
through, or under the auspices of the monopoly primarily exist to move
forward the market share, return on investment, and general economic
wealth of the monopoly (not a surprise in oligopolistic non-market
economics).

SL with Fermilab participation is participating in projects that will
allow SL to boot on UEFI Secure Boot hardware without the use of any


This is only planned for SL 7 as RHEL 7 is expected to have secure boot 
ability.



monopoly operating environment software or applications -- Microsoft not
required.  Presumably, TUV is participating as well as TUV
supported-for-fee environments must be able to reliably boot and run on
UEFI Secure Boot platforms without the use of monopoly software to
enable the booting process.  Apple is not a matter for discussion
because Apple provides the entire hardware and software package, and
does not allow the use of MacOS on non-Apple hardware platforms.
Presumably VirtualBox and other means to allow MS Windows to run as a
guest environment has or will have some means to provide UEFI Secure
Boot to MS Windows guests requiring such.


Since the requirement is to be allowed to use the "windows 8 logo" not 
sure that this would be an issue.




At present, there is no production Linux that will reliably run on all
hardware platforms that use UEFI Secure Boot


That is true if you include Windows ARM systems because of the inability 
to disable "Secure Boot" .  x86_64 systems are a work in progress.
Depends on your definition of "production Linux".  Ubuntu 12.04.4 LTS 
should work.



-Connie Sieh


but only MS Windows
environments will do so on any hardware platform that proclaims
compliance with the monopoly ("certification").

Is the above substantially correct as of this instant?

Yasha Karant

On 09/24/2013 04:40 PM, Connie Sieh wrote:

On Tue, 24 Sep 2013, Nico Kadel-Garcia wrote:



Down, boy.

Scientific Linux is behind the times on available tools, because our
favorite upstream vendor has not yet released tools. Tools to work with
have been tested, effectively, with Fedora, and I expect our favorite
upstream vendor will include tools with release 7.x, which is not yet in
alpha or beta release. Check out
http://docs.fedoraproject.org/en-US/Fedora/18/html-single/UEFI_Secure_Boot_Guide/index.html
for a good breakdown of the issues and trade-offs.

UEFI is part of the old "Palladium" project from Microsoft, relabeled as
"Trusted Computing". It is aimed squarely at DRM and vendor lock-in, not
security, for reasons that I could spend a whole day discussing. In the
meantime, yes, you can disable it for SL booting if needed, and reasonably
expect our favorite upstream vendor to have shims available when version 7
is published: they're already working well with recent Fedora releases. I'd
also *expect* those shims to be workable for SL 7, but someone may have to
plunk down some cash to get some keys signed, and spend some extra effort
to maintain the security needed for the relevant shims to work well with SL
kernels and environments.


Last week at LinuxCon North America the shim developers were still
developing.

I attended the UEFI Plugfest last week as part of Linux Con. Microsoft
gave a presentation on UEFI signing.  The presentation will be posted to
uefi.org website.

We are working on this.  Fermilab is a member of the UEFI forum .

-Connie Sieh




On Tue, Sep 24, 2013 at 11:53 AM, Yasha Karant  wrote:


Secure boot is enabled.  Evidently, the only means to disable secure boot
requires that a secure boot loader/configuration program be running --
e.g., the MS proprietary boot loader (typically, supplied as part of MS
Windows 8) must be used to disable secure boot if the UEFI actually permits
this to be disabled (I have heard of some UEFI implementations that do not
permit secure boot truly to be disabled).

If Linux cannot handle this issue, then Linux is finished on all generic
(e.g., not Apple that supplies both the hardware and operating
environment
software under a restrictive proprietary for-profit intellectual
property
license) X86-64 hardware, as (almost?) all current such hardware is MS 8
(UEFI secure bo

Re: UEFI SL 6x boot

2013-09-25 Thread Connie Sieh

On Tue, 24 Sep 2013, Yasha Karant wrote:


To be specific, my colleague is using the licensed-for-free binary
download of current OpenSuSE that nominally supports UEFI Secure Boot --
and it does not work in fact on the hardware he has.  He did experiment
with a licensed copy of MS Win 8, and it would install on the same
platform without this issue (but absolutely is not what he wants or is
willing to use as a primary -- non-Virtual-Box running under -- OS).


Did your colleague discuss these issues with the "hardware vendor" to make 
sure what he was doing was correct?  Did he research/contact  OpenSuSE 
about his  secure boot issues?


-connie sieh


On 09/24/2013 09:55 AM, Connie Sieh wrote:

On Tue, 24 Sep 2013, Yasha Karant wrote:


This thread started because my colleague is using SuSE and tried Ubuntu
-- and both failed to secure boot properly from the generic hardware to
which he upgraded.  This failure prompted a question about SL (as a
no-fee option for a TUV enterprise, commercial, supported, production
Linux base).

Evidently, the current answer for SL is that it is not UEFI Secure Boot
enabled, and SL 6x cannot reliably be installed upon such systems --
depending upon the quirks (or proprietary generosity) of the actual BIOS
supplier.


OpenSuSE supports "secure boot" not SuSE as I stated earlier.

I am sure it is only "recent" versions of OpenSuSE, Fedora and Ubuntu
that support "secure boot".

See the following for more info.  In particular pages 12 and 17.  There
are references to youtube videos on page 18 showing Windows 8 dual
booting with Ubuntu 12.10 .

http://events.linuxfoundation.org/sites/events/files/slides/LinuxConUEFIandLinuxBresniker.pdf



It is efi compliant.  If the bios vendor does not allow "secure boot" to
be turned off then one should "converse" with said vendor.

-connie sieh


Yasha Karant

On 09/24/2013 09:04 AM, Connie Sieh wrote:

On Tue, 24 Sep 2013, Yasha Karant wrote:


Secure boot is enabled.  Evidently, the only means to disable secure
boot requires that a secure boot loader/configuration program be running
-- e.g., the MS proprietary boot loader (typically, supplied as part of
MS Windows 8) must be used to disable secure boot if the UEFI actually
permits this to be disabled (I have heard of some UEFI implementations
that do not permit secure boot truly to be disabled).


If the system is Windows 8 logo compatible and is x86_64 then a way to
disable "secure boot" must be provided by the hardware vendor.  This is
commonly done via an option in the "bios".  This requirement is part of
the "microsoft windows 8 logo requirements".  Note the method of
disabling is not defined by the UEFI spec.  So each vendor may do it
differently.

The only hardware that does not permit "secure boot" to be disabled is
arm based Windows.  The Windows logo requirements are at work here.


If Linux cannot handle this issue, then Linux is finished on all generic
(e.g., not Apple that supplies both the hardware and operating
environment software under a restrictive proprietary for-profit
intellectual property license) X86-64 hardware, as (almost?) all current
such hardware is MS 8 (UEFI secure boot) compliant.



At the moment Fedora, SuSE , Ubuntu all can handle "secure boot".  It is
expected that RHEL 7 will also handle it.  It is also possible to "sign"
your own kernel and place your keys in the "bios".

-connie


Yasha Karant

On 09/23/2013 10:29 PM, Connie Sieh wrote:

On Mon, 23 Sep 2013, Yasha Karant wrote:


A colleague who uses SuSE non-enterprise for his professional
(enterprise) workstations has now attempted to load the latest SuSE on a
machine with a new generic (aftermarket) "gamer" UEFI  X86-64
motherboard.  It does not properly boot.  I do not have any UEFI
motherboards, and thus no experience with SL6x on such motherboards.


Is "secure boot" enabled in the UEFI ?



Does anyone?  Does SL6x boot correctly (and easily) on a UEFI
motherboard?  If so, he may switch to SL.


Yes as long as "secure boot" is disabled .



Yasha Karant



-connie sieh








Re: UEFI SL 6x boot

2013-09-25 Thread Yasha Karant
I apologize for including the entire thread below to respond to just one 
point.


quoting:
Ubuntu 12.04.4 LTS should work.

End quote,

As I have not kept current on the Ubuntu (or Debian) Linux efforts, I do 
not know the status of the above release.  Assuming that it is a 
production release, supported for those who have an Ubuntu-compatible 
support contract, then my colleague did try it, and found it would not 
reliably work on the specific aftermarket generic motherboard he was 
attempting to use.  The specific board did work for MS Win 8 using UEFI 
Secure Boot ("the vendor lock-in" from a different post not from me), 
but not reliably with Ubuntu.  I will attempt to find out the specifics 
if there is interest; however, it was this effective failure that 
prompted the question to me (as a user/proponent of EL, and specifically 
SL as a professionally developed/deployed stable production environment 
capable of supporting "modern" applications, such as VirtualBox, on both 
servers and workstations including professional laptops).


The other issue is "waiting" for the vendors to "catch-up" and 
distribute truly UEFI Secure Boot compliant hardware (e.g., 
motherboard).  In the particular case of my colleague, he positively 
needed to change out the motherboard now (no time to wait).  No spare 
new motherboard of the type he needed was in local inventory, and thus 
he ordered a current production new motherboard from a major aftermarket 
generic motherboard manufacturer/vendor.  This new acquisition -- vital 
to maintain the production machines used to support our research effort 
-- was the reason for my first posting.  Note that we are a 
multi-distribution site even for research; although all of our research 
servers are SL (we retired our last BSD server last year) -- we allow 
any OS environment on a workstation supported by the researcher provided 
the OS and applications do not require proprietary protocols (thus, we 
require IETF, W3C, etc., operational compliance, using SMTP, IMAP, SSH 
with X, etc., protocols).  Almost all of the workstation systems are 
either some type of Linux or MacOS X.


Again, my apologies for the length -- is a snip within a reply 
appropriate for this list using the same subject line (same thread)?


Yasha Karant

On 09/25/2013 07:57 AM, Connie Sieh wrote:

On Tue, 24 Sep 2013, Yasha Karant wrote:


Let me see if I understand the current situation. This question was
prompted by the question of a  colleague attempting to use OpenSuSE (not
SL nor TUV) on UEFI Secure Boot who was not able to get a reliably
booted running operating environment.  The colleague wondered if SL
would fare better.

Depending upon the particular BIOS or BIOS equivalent, using MS Windows
8, it may be possible to disable Secure Boot and allow for SL to be


Using is not the "official status",  it is "Windows 8 logo" use that
dictates secure boot.  And if it is enabled then it is required to have
a way to disable it.  Please give the vendors a chance with turning
secure boot off.


booted.  Secure Boot, and many other technologies put forward by,
through, or under the auspices of the monopoly primarily exist to move
forward the market share, return on investment, and general economic
wealth of the monopoly (not a surprise in oligopolistic non-market
economics).

SL with Fermilab participation is participating in projects that will
allow SL to boot on UEFI Secure Boot hardware without the use of any


This is only planned for SL 7 as RHEL 7 is expected to have secure boot
ability.


monopoly operating environment software or applications -- Microsoft not
required.  Presumably, TUV is participating as well as TUV
supported-for-fee environments must be able to reliably boot and run on
UEFI Secure Boot platforms without the use of monopoly software to
enable the booting process.  Apple is not a matter for discussion
because Apple provides the entire hardware and software package, and
does not allow the use of MacOS on non-Apple hardware platforms.
Presumably VirtualBox and other means to allow MS Windows to run as a
guest environment has or will have some means to provide UEFI Secure
Boot to MS Windows guests requiring such.


Since the requirement is to be allowed to use the "windows 8 logo" not
sure that this would be an issue.



At present, there is no production Linux that will reliably run on all
hardware platforms that use UEFI Secure Boot


That is true if you include Windows ARM systems because of the inability
to disable "Secure Boot" .  x86_64 systems are a work in progress.
Depends on your definition of "production Linux".  Ubuntu 12.04.4 LTS
should work.


-Connie Sieh


but only MS Windows
environments will do so on any hardware platform that proclaims
compliance with the monopoly ("certification").

Is the above substantially correct as of this instant?

Yasha Karant

On 09/24/2013 04:40 PM, Connie Sieh wrote:

On Tue, 24 Sep 2013, Nico Kadel-Garcia wrote:



Re: UEFI SL 6x boot

2013-09-25 Thread Alan Bartlett
On 25 September 2013 16:35, Yasha Karant  wrote:
> Again, my apologies for the length -- is a snip within a reply appropriate
> for this list using the same subject line (same thread)?
>



Yes, most certainly.

Alan.