Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-05-31 Thread Javier Perez
I hope Slashdot has it wrong, although the presented documents seem to agree http://linux.slashdot.org/story/12/05/31/190217/red-hat-will-pay-microsoft-to-get-past-uefi-restrictions Looking up the article: "Implementing UEFI Secure Boot in Fedora" at http://mjg59.dreamwidth.org/12368.

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-05-31 Thread Joe Zeff
On 05/31/2012 01:15 PM, Javier Perez wrote: If I have to pay $99 to Microsoft in order to install my Free/Open Operating System... Whatever gave you that idea? Whoever wants to get the bootloader signed (either Fedora or RedHat) pays a one-time fee of $99, not the end users.

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-05-31 Thread Sam Varshavchik
Joe Zeff writes: On 05/31/2012 01:15 PM, Javier Perez wrote: If I have to pay $99 to Microsoft in order to install my Free/Open Operating System... Whatever gave you that idea? Whoever wants to get the bootloader signed (either Fedora or RedHat) pays a one-time fee of $99, not the end user

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-05-31 Thread Joe Zeff
On 05/31/2012 03:09 PM, Sam Varshavchik wrote: So, I hate to be the bearer of bad news, but I just can't believe that it's as simply a matter of paying $99 once, no matter what your submitted bootloader does, or doesn't do. AIUI, that fee isn't to get your arbitrary boot loader signed, it's to

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-05-31 Thread Edward M
On 05/31/2012 01:15 PM, Javier Perez wrote: I hope Slashdot has it wrong, although the presented documents seem to agree Yup, they are wrong. They forgot to mention the brief disclaimer on top: - while I work for Red Hat, I'm only going to be talking about Fedora here.

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-05-31 Thread jdow
On 2012/05/31 16:13, Joe Zeff wrote: On 05/31/2012 03:09 PM, Sam Varshavchik wrote: So, I hate to be the bearer of bad news, but I just can't believe that it's as simply a matter of paying $99 once, no matter what your submitted bootloader does, or doesn't do. AIUI, that fee isn't to get your

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-05-31 Thread Chris Adams
Once upon a time, jdow said: > What does this do to those who must recompile the kernel to include say > special unusual file systems? If this is disallowed it can render access to > historical data on obscure filesystems inaccessible. You can turn off Secure Boot. The Fedora boot loader getting

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-05-31 Thread Sam Varshavchik
Chris Adams writes: Once upon a time, jdow said: > What does this do to those who must recompile the kernel to include say > special unusual file systems? If this is disallowed it can render access to > historical data on obscure filesystems inaccessible. You can turn off Secure Boot. The Fed

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-05-31 Thread Edward M
On 05/31/2012 07:18 PM, Sam Varshavchik wrote: positive and confident that this entire kit-and-kaboodle has no choice but require a closed, hood-welded-shut OS, booted up with a signed chain, in order for it to work. Oracle Solaris?

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-05-31 Thread Sam Varshavchik
Edward M writes: On 05/31/2012 07:18 PM, Sam Varshavchik wrote: positive and confident that this entire kit-and-kaboodle has no choice but require a closed, hood-welded-shut OS, booted up with a signed chain, in order for it to work. Oracle Solaris? Yes, I think that would qualify.

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-05-31 Thread JD
On 05/31/2012 07:49 PM, Edward M wrote: On 05/31/2012 07:18 PM, Sam Varshavchik wrote: positive and confident that this entire kit-and-kaboodle has no choice but require a closed, hood-welded-shut OS, booted up with a signed chain, in order for it to work. Oracle Solaris? Quick, do

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-05-31 Thread JD
FWIW, perhaps - just perhaps - this is an attempt by MS and redhat (and perhaps others like Oracle), to try and convince government customers that a system with a signed bootloader and kernel and modules, provides for such greater security, that the gov should spend the money to revamp all their in

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-05-31 Thread Tommy Pham
On Thu, May 31, 2012 at 8:34 PM, Sam Varshavchik wrote: > Edward M writes: > >> On 05/31/2012 07:18 PM, Sam Varshavchik wrote: >> >>> positive and confident that this entire kit-and-kaboodle has no choice >>> but require a closed, hood-welded-shut OS, booted up with a signed chain, in >>> order fo

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-05-31 Thread William Brown
On 1/06/12 13:04, Sam Varshavchik wrote: > Edward M writes: > >> On 05/31/2012 07:18 PM, Sam Varshavchik wrote: >> >>> positive and confident that this entire kit-and-kaboodle has no >>> choice but require a closed, hood-welded-shut OS, booted up with a >>> signed chain, in order for it to work. >

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Alan Cox
> Fedora will be creating a small stage 1 loader. This will be signed by > the MS keys, and will itself contain Fedora keys. These Fedora keys will Which is therefore non-free and cannot be part of Fedora or shipped with it.

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread William Brown
On 1/06/12 16:38, Alan Cox wrote: >> Fedora will be creating a small stage 1 loader. This will be signed by >> the MS keys, and will itself contain Fedora keys. These Fedora keys will > > Which is therefore non-free and cannot be part of Fedora or shipped with > it. I don't know enough about the l

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Alan Cox
On Thu, 31 May 2012 20:56:03 -0700 JD wrote: > FWIW, perhaps - just perhaps - this is an attempt by MS and redhat > (and perhaps others like Oracle), > to try and convince government customers that a system with a signed > bootloader and kernel and modules, provides for such greater security, > th

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Javier Perez
William. The operating word here is Tivoization. You can compile the kernel but you can't run it on the system. That is the threat GPL3 is trying to counteract. By creating "valid" kernels, by definition "not valid kernels" cannot run. On Fri, Jun 1, 2012 at 2:09 AM, William Brown wrote: > On 1

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Alan Cox
> If you wouldn't mind explaining *exactly* how this would be "non-free", > and why this would exclude this approach, I would be most interested. Free Software is usually defined as providing a set of freedoms - The freedom to run the program, for any purpose Ok not a problem - The freedom to s

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread William Brown
On 1/06/12 16:50, Javier Perez wrote: > William. The operating word here is Tivoization. > You can compile the kernel but you can't run it on the system. That is > the threat GPL3 is trying to counteract. > By creating "valid" kernels, by definition "not valid kernels" cannot run. > Well, It woul

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Alan Cox
> We're told that Fedora's bootloader is going to get signed – and by that, > that must mean "grub", right? No. A tiny loader before grub with the Microsoft key is the plan. That's actually technically quite smart as it means you don't have to keep going back to Microsoft. Of course in reality b

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Tommy Pham
On Fri, Jun 1, 2012 at 12:20 AM, Javier Perez wrote: > William. The operating word here is Tivoization. > You can compile the kernel but you can't run it on the system. That is the > threat GPL3 is trying to counteract. > By creating "valid" kernels, by definition "not valid kernels" cannot run. >

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Alan Cox
On Fri, 01 Jun 2012 16:58:52 +0930 William Brown wrote: > On 1/06/12 16:50, Javier Perez wrote: > > William. The operating word here is Tivoization. > > You can compile the kernel but you can't run it on the system. That is > > the threat GPL3 is trying to counteract. > > By creating "valid" kern

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Javier Perez
Tommy, you are exactly right on all of your points. The Fedora people say that they would rather not go back to the times of compatibility lists to find out what hardware worked with the system. I'd rather go back to compatibility lists and give my gold to whichever hardware manufacturer caters t

FW: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread J.Witvliet
From: users-boun...@lists.fedoraproject.org [mailto:users-boun...@lists.fedoraproject.org] On Behalf Of Javier Perez Sent: Friday, June 01, 2012 9:54 AM To: Community support for Fedora users Subject: Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions Tommy, you are exactly right on

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Ian Malone
On 1 June 2012 08:46, Alan Cox wrote: >> We're told that Fedora's bootloader is going to get signed – and by that, >> that must mean "grub", right? > > No. A tiny loader before grub with the Microsoft key is the plan. That's > actually technically quite smart as it means you don't have to keep goi

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Thibault Nélis
NOTE/PS Yes, I was brave and did read myself back (now I feel pain for you). Doing that, I realized we badly need a very visible FAQ somewhere. Does it exist already? Can we point people to it? Should we write it? Anyway, here goes: On 06/01/2012 05:34 AM, Sam Varshavchik wrote: positiv

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Thibault Nélis
On 06/01/2012 09:15 AM, Alan Cox wrote: Now a signed bootloader has its uses, however in a properly designed system you would allow the user to import their own keys. If it goes banana, I'm pretty confident this will be required by law in most sane countries. There are good organizations of a

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Edward M
On 06/01/2012 01:47 AM, Thibault Nélis wrote: Red Hat has the infrastructure, the resources, the money and the OEM contacts to provide that service itself for itself and for many other FOSS players. It probably just didn't think about it yet (or not enough, this isn't an easy business, and sho

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Edward M
On 06/01/2012 02:53 AM, Edward M wrote: also don't expect many computer manufacturers will be adding the keys in computers for consumers, if they do it will not be for long term. CORRECTION: last line should have read: also don't expect many computer manufacturers will be adding fedora

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Thibault Nélis
On 06/01/2012 09:46 AM, Alan Cox wrote: Out of support releases are also an interesting problem. If a hole is found they need to revoke the key. If they do that the users machine is crippled. It's potentially a criminal matter in many EU states as well so whoever issues the revocation could end u

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Alan Cox
> in case the system isn't yet infected. All the system has to do is > fetch a new kernel and install it somehow, and if it does, even if it > *is* infected, it would work, since the bootloader is assumed to be secure. What new kernel - the release is by then over a year old so is no longer sup

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Bryn M. Reeves
On 06/01/2012 04:56 AM, JD wrote: > FWIW, perhaps - just perhaps - this is an attempt by MS and redhat > (and perhaps others like Oracle), to try and convince government > customers that a system with a signed bootloader and kernel and > modules, provi

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Sam Varshavchik
Alan Cox writes: On Fri, 01 Jun 2012 16:58:52 +0930 William Brown wrote: > On 1/06/12 16:50, Javier Perez wrote: > > William. The operating word here is Tivoization. > > You can compile the kernel but you can't run it on the system. That is > > the threat GPL3 is trying to counteract. > > By c

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Sam Varshavchik
Javier Perez writes: Tommy, you are exactly right on all of your points. The Fedora people say that they would rather not go back to the times of compatibility lists to find out what hardware worked with the system. I'd rather go back to compatibility lists and give my gold to whichever h

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Sam Varshavchik
Alan Cox writes: > certification key. That's the hood, welded shut, that's absolutely mandatory > for a secured bootloader to have any logical purpose, whatsoever. Correct - and you need to lock it down way more than that. Also I can't see Red Hat directly signing third party binary blobs. If

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Sam Varshavchik
Thibault Nélis writes: On 06/01/2012 09:46 AM, Alan Cox wrote: Out of support releases are also an interesting problem. If a hole is found they need to revoke the key. If they do that the users machine is crippled. It's potentially a criminal matter in many EU states as well so whoever issues t

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Alan Cox
On Fri, 01 Jun 2012 11:59:42 +0100 "Bryn M. Reeves" wrote: > On 06/01/2012 04:56 AM, JD wrote: > > FWIW, perhaps - just perhaps - this is an attempt by MS and redhat > > (and perhaps others like Oracle), to try and convince government > > custo

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Alan Cox
> AFAIK, Microsoft is already doing something like that with Windows drivers. > They must be signed by Microsoft, in order to avoid a warning thrown in your > face upon installation. I think that current Windows OS will just refuse to > install an unsigned driver, for any hardware. On curren

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Sam Varshavchik
Thibault Nélis writes: Yes, I think that would qualify. No it isn't necessary. You're looking at it the wrong way; basically only the things able to boot kernels and kernels themselves have to be signed and trusted to ensure the integrity of the kernels. Who gets to make a call what is

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Alan Cox
> Even if this goes extremely bad, firmwares will be hacked. The tech > world always goes on with technical solutions, whether the politics > follow or not. I mean this thing affects *everyone*, it's not a lost fight. Oh certainly: one of the nastier effects of this (and it didn't start with E

RE: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread J.Witvliet
-Original Message- Thibault Nélis writes: > Now, users who buy machines with Windows pre-installed should expect > their firmware to include Microsoft's key, and should be aware that > they can add theirs legally. If they don't want to use Windows and > don't want the trouble of setti

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Thibault Nélis
On 06/01/2012 01:11 PM, Sam Varshavchik wrote: You are assuming that Microsoft will sign a bootloader with such functionality. I would not take that bet. The plan is to make them sign a shim boot loader, which essentially delegates the trust down to Fedora entirely, because they have no cont

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Thibault Nélis
On 06/01/2012 01:18 PM, Sam Varshavchik wrote: Who gets to make a call what is "trusted", and what even "trusted" means. Can I recompile my own kernel, sprinkle some magic dust over it, and make "trusted", without involving any other party? Yes, you can sign it yourself, with your own key. A

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Alan Cox
> And if secure boot isn't enabled by default even on machines with > preinstalled OSes, then the world will gain nothing from the technology > as, again, the people feeding the zombie networks are the same who won't > care to enable it themselves. It's btw a requirement that Windows 8 boxes sh

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Thibault Nélis
On 06/01/2012 01:00 PM, Sam Varshavchik wrote: If, all of a sudden, another bootloader gets pushed into Fedora, only a year or so after all the headache and pain of migrating from grub 1 to grub 2, then this will validate our collective take on the subject. With the ability to manage your keys,

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Bryn M. Reeves
On 06/01/2012 12:15 PM, Alan Cox wrote: > On Fri, 01 Jun 2012 11:59:42 +0100 "Bryn M. Reeves" > wrote: > >> On 06/01/2012 04:56 AM, JD wrote: >>> FWIW, perhaps - just perhaps - this is an attempt b

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Bryn M. Reeves
On 06/01/2012 12:18 PM, Sam Varshavchik wrote: > Who gets to make a call what is "trusted", and what even "trusted" > means. Slightly off-topic but a favourite Ken Thompson talk/paper of mine that is very relevant to the discussion of "trust" in softwa

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Thibault Nélis
On 06/01/2012 01:05 PM, Sam Varshavchik wrote: Just last week, installing the kernel 3.3.7 update made the ACPI backlight intensity adjustment keys on my Thinkpad work, for the first time. Until now, they never worked. I never bothered to complain. I figure that, sooner or later, the kernel will

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread William Brown
> Now a signed bootloader has its uses, however in a properly designed > system you would allow the user to import their own keys. The problem with this scheme is that a "trusted" os would in theory, with the user's permission, be able to somehow update the trusted key repository on the firmware.

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Sam Varshavchik
Thibault Nélis writes: Again, you are assuming that Microsoft will sign off on the concept of signing a shim, and going forward, it's the wild-wild West. Not going to happen. Well why wouldn't they? Because that makes the entire concept of a trusted boot, into a trusted operating system,

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Sam Varshavchik
Thibault Nélis writes: On 06/01/2012 01:11 PM, Sam Varshavchik wrote: You are assuming that Microsoft will sign a bootloader with such functionality. I would not take that bet. The plan is to make them sign a shim boot loader, which essentially delegates the trust down to Fedora entirely,

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Thibault Nélis
On 06/01/2012 02:27 PM, William Brown wrote: The problem with this scheme is that a "trusted" os would in theory, with the user's permission, be able to somehow update the trusted key repository on the firmware. Which means the security of your machine is as good as the security of your firmware /

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Alan Cox
> Typically you would only be able to manage the keys via the UEFI > firmware UI, only accessible at boot time. Now of course an attack can UEFI doesn't define UI. Which is a problem for getting any kind of sanity here > be mounted against the firmware, but these are often set up to only > in

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Alan Cox
> > Verisign is somehow involved since they will receive the payments; and > > they > > are arguably less biased). Microsoft/Verisign currently ask $100 for the > > signatures. Every time an attacker's malware is detected and blacklisted, > > it would have to pay $100 to a trust broker to

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Thibault Nélis
On 06/01/2012 02:40 PM, Sam Varshavchik wrote: they can't possibly review all the software that could follow the boot loader down the chain, They won't have to. Once they have a signing key that boots their current Windows OS, they have no further need for a certification process. What value ad

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Joe Wulf
regardless of whether "I" have to pay Micro$loth, or FOSS developers do. > > From: Javier Perez >To: Community support for Fedora users >Sent: Thursday, May 31, 2012 4:15 PM >Subject: Red Hat Will Pay Microsoft To Get Past UEFI Restri

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Thibault Nélis
On 06/01/2012 02:33 PM, Sam Varshavchik wrote: Because that makes the entire concept of a trusted boot, into a trusted operating system, moot. They are not that dumb. This will enable a piece of PC hardware to boot an operating system, then run virus code that boots Windows' bootloader, infecti

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread JD
On 06/01/2012 04:18 AM, Sam Varshavchik wrote: I don't give a frak about that. I just want to run my own stuff, without anyone else sticking their nose in my personal business. Is that too much to ask? This discussion reminds me of the great Philosopher Hegel. The means used by tyrants to ri

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Key Schmidt
On 01.06.2012 13:17, Alan Cox wrote: AFAIK, Microsoft is already doing something like that with Windows drivers. They must be signed by Microsoft, in order to avoid a warning thrown in your face upon installation. I think that current Windows OS will just refuse to install an unsigned driver, f

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Sam Varshavchik
Alan Cox writes: Its a feature of the hardware design. It was designed into the UEFI secure boot set up from the start for the same reasons a web browser needs to be able to revoke keys. Yes, but for that, the firmware will either need support from the OS it secure-boots, to go out on the ne

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Sam Varshavchik
Thibault Nélis writes: On 06/01/2012 02:40 PM, Sam Varshavchik wrote: they can't possibly review all the software that could follow the boot loader down the chain, They won't have to. Once they have a signing key that boots their current Windows OS, they have no further need for a certificati

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Thibault Nélis
On 06/02/2012 12:20 AM, Sam Varshavchik wrote: They won't have a choice. Microsoft will require that all hardware an OEM makes must be signed by their key, or none at all. Hardware OEMs will have to choose whether their entire product line will only support a Microsoft OS, or all other OSes. No c

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Sam Varshavchik
Thibault Nélis writes: On 06/01/2012 02:33 PM, Sam Varshavchik wrote: If the shim enables anyone to execute any code they wish, "on bare metal", it makes the entire concept of trusted boot completely and totally moot. Not anyone, just Fedora. If Fedora starts to fuck up and many Windows use

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Joe Zeff
On 06/01/2012 03:20 PM, Sam Varshavchik wrote: No such option will exist for hardware-enforced OS lockdowns. Cue the anti-trust suit from the DOJ in 5, 4, 3...

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Thibault Nélis
On 06/02/2012 12:47 AM, Sam Varshavchik wrote: Who exactly is outraged right now? A bunch of geeks on a mailing list? So what? Who cares? Again, people have won cases to get their money back over the license of preinstalled Windows copies because they use alternative OSes. Secure boot is way

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Sam Varshavchik
JD writes: On 06/01/2012 04:18 AM, Sam Varshavchik wrote: I don't give a frak about that. I just want to run my own stuff, without anyone else sticking their nose in my personal business. Is that too much to ask? This discussion reminds me of the great Philosopher Hegel. The means used b

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Thibault Nélis
On 06/02/2012 01:26 AM, Sam Varshavchik wrote: [snip] I repeat: this is NOT going to happen. If you allow an open operating system to boot, as a trusted boot, then "trusted boot" ceases all meaning whatsoever for a non-free OS that requires a signed chain from the hardware. And I won't even start

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread JD
On 06/01/2012 05:30 PM, Sam Varshavchik wrote: JD writes: On 06/01/2012 04:18 AM, Sam Varshavchik wrote: I don't give a frak about that. I just want to run my own stuff, without anyone else sticking their nose in my personal business. Is that too much to ask? This discussion reminds me o

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Sam Varshavchik
Thibault Nélis writes: On 06/02/2012 12:47 AM, Sam Varshavchik wrote: Who exactly is outraged right now? A bunch of geeks on a mailing list? So what? Who cares? Again, people have won cases to get their money back over the license of preinstalled Windows copies because they use alternative

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Sam Varshavchik
Joe Zeff writes: On 06/01/2012 03:20 PM, Sam Varshavchik wrote: No such option will exist for hardware-enforced OS lockdowns. Cue the anti-trust suit from the DOJ in 5, 4, 3... Stop me when you've reached negative one-million. There was only reason Microsoft was sued originally, back when.

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Sam Varshavchik
Thibault Nélis writes: Why Microsoft would help here is certainly a bit of a mystery at first, but as I mentioned already, they certainly fear a PR and legal nightmare, I do not believe they fear anything like this, at all. Tell you what. Let's revisit this, when there's a key that will bo

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread Tim
On Thu, 2012-05-31 at 20:56 -0700, JD wrote: > FWIW, perhaps - just perhaps - this is an attempt by MS and redhat > (and perhaps others like Oracle), to try and convince government > customers that a system with a signed bootloader and kernel and > modules, provides for such greater security, that t

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-01 Thread JD
On 06/01/2012 08:09 PM, Tim wrote: On Thu, 2012-05-31 at 20:56 -0700, JD wrote: FWIW, perhaps - just perhaps - this is an attempt by MS and redhat (and perhaps others like Oracle), to try and convince government customers that a system with a signed bootloader and kernel and modules, provides for

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Thibault Nélis
On 06/02/2012 04:28 AM, Sam Varshavchik wrote: Yes, all five of them. Point taken. [0] Yes, I found it, it was there all along, I guess I didn't look hard enough (or didn't listen properly): http://download.microsoft.com/download/A/D/F/ADF5BEDE-C0FB-4CC0-A3E1-B38093F50BA1/windows8-hardware-ce

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Alan Cox
> How do you mean "openly"? It can't get much more open than a mandatory > interface that lets you do it simply. What UEFI could do to make > things better is standardize the UI, but that's it. As I already said UEFI cannot do that. UEFI is deliberately engineered not to have the ability to s

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Chris Adams
Once upon a time, Alan Cox said: > > > Imagine the gall – wanting to be able to boot a custom kernel. > > > > Easy, sign it yourself. We went over it a hundred times now. If you > > can build a kernel you can sign a million of them. > > With what. You can't create a suitable key. You can cre

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Thibault Nélis
On 06/02/2012 04:34 AM, Sam Varshavchik wrote: Well the math doesn't compute here, it's cryptographically impossible. I mean you could sign a shim that won't verify the integrity of the boot There you go. Look I can't really go on on that. You seem to imply that this is a bad thing. I simp

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Alan Cox
> Yes, but for that, the firmware will either need support from the OS it > secure-boots, to go out on the network, check for revocations, and upload > them into firmware; or the firmware itself must implement a bare-bones > network stack, initialize the onboard NIC, obtain a DHCP address, or

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Kevin Fenzi
On Sat, 2 Jun 2012 16:30:11 +0100 Alan Cox wrote: > > How do you mean "openly"? It can't get much more open than a > > mandatory interface that lets you do it simply. What UEFI could > > do to make things better is standardize the UI, but that's it. > > As I already said UEFI cannot do that.

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Joe Zeff
On 06/02/2012 08:35 AM, Thibault Nélis wrote: Anyway, this would only affect OEMs and Windows users who want to install their copy of Windows on machines they assemble themselves (or in any way non-approved by Microsoft). Do we really care about them? I sure do! The only PC's I've ever owned

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread JD
On 06/02/2012 10:08 AM, Joe Zeff wrote: On 06/02/2012 08:35 AM, Thibault Nélis wrote: Anyway, this would only affect OEMs and Windows users who want to install their copy of Windows on machines they assemble themselves (or in any way non-approved by Microsoft). Do we really care about them?

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Alan Cox
> 3. Create your own keys and sign your own shim/grub2/kernel and remove > MS'es keys. And how are you going to add your own keys to the firmware ? There is no requirement for EFI to support this in anything I've seen so far. Hopefully everyone will. Also btw I wouldn't bet on removing the Micro

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Sam Varshavchik
Thibault Nélis writes: On 06/02/2012 04:34 AM, Sam Varshavchik wrote: Well the math doesn't compute here, it's cryptographically impossible. I mean you could sign a shim that won't verify the integrity of the boot There you go. Look I can't really go on on that. You seem to imply that this

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Sam Varshavchik
Alan Cox writes: > Yes, but for that, the firmware will either need support from the OS it > secure-boots, to go out on the network, check for revocations, and upload > them into firmware; or the firmware itself must implement a bare-bones > network stack, initialize the onboard NIC, obtain a DH

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Joe Zeff
On 06/02/2012 01:22 PM, Sam Varshavchik wrote: Should be interesting to see how the great unwashed will accept waiting 2-3 minutes for their PC to boot, while their firmware is trying to grab CRLs over the network. Even more interesting will be seeing how they react to the idea that their lap

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Alan Cox
> > The firmware already has this. > > Yes, now my mental cobwebs are getting cleaned out. I do recall reading > about this, a while ago. Much of it is there for network booting (PXE etc) and in fact a fair bit of it is there in the modern old style BIOS too. > > > > Before it boots the OS. >

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Kevin Fenzi
On Sat, 2 Jun 2012 20:49:29 +0100 Alan Cox wrote: > > 3. Create your own keys and sign your own shim/grub2/kernel and > > remove MS'es keys. > > And how are you going to add your own keys to the firmware ? There is > no requirement for EFI to support this in anything I've seen so far. > Hopeful

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Alan Cox
> > Remove the MS key and the firmware won't be signed. I doubt you can > > re-sign any flash firmware. That's probably only a problem for the > > paranoid because any government approved spyware from the FBI etc is > > presumably going to use the Microsoft key by default. > > See above. It's no

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Joe Zeff
On 06/02/2012 02:29 PM, Alan Cox wrote: It's not that simple. If you remove the Microsoft key and that is the key for your video card then you can add your own keys but when you boot in secure mode you won't have a display on your plug in video card because the video firmware won't have been sig

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread jdow
On 2012/06/02 13:27, Joe Zeff wrote: On 06/02/2012 01:22 PM, Sam Varshavchik wrote: Should be interesting to see how the great unwashed will accept waiting 2-3 minutes for their PC to boot, while their firmware is trying to grab CRLs over the network. Even more interesting will be seeing how

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread JD
On 06/02/2012 04:01 PM, jdow wrote: . . . snip If you can declare the OS is secure by means of the Microsoft certificate, how much money would it take to make Microsoft geek to including a backdoor for the NSA? {o.o} Just sayin' But that would be no different than how things are now!! -- use

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Alan Cox
> means of the Microsoft certificate, how much money would it take to make > Microsoft geek to including a backdoor for the NSA? I would assume they have one. One of the problems with this is presumably they need to sign tools for every law enforcement agency with reasonable claim - be that Israel

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-02 Thread Tim
On Sat, 2012-06-02 at 15:20 -0600, Kevin Fenzi wrote: > "Mandatory. On non-ARM systems, the platform MUST implement the > ability for a physically present user to select between two Secure > Boot modes in firmware setup: "Custom" and "Standard". I'm curious about other differences that might occur

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-03 Thread Edward M
On 06/02/2012 11:00 PM, Tim wrote: I'm curious about other differences that might occur while you're running the system in the non-secured mode. Are we going to find that bank sites can detect your running mode, and refuse access, for instance? If the menu can be reached to disable secure

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-03 Thread Mark LaPierre
On 06/02/2012 04:43 PM, Alan Cox wrote: The firmware already has this. Yes, now my mental cobwebs are getting cleaned out. I do recall reading about this, a while ago. Much of it is there for network booting (PXE etc) and in fact a fair bit of it is there in the modern old style BIOS too.

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-03 Thread x414e54
I think people are forgetting that ARM is an important platform also. It will become more important as time goes on. If there is a big push to tablet or netbook computers towards ARM, then this is a huge problem. ARM will not allow the ability to disable or re-provision keys like the x86 counterpar

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-03 Thread Zoltan Hoppar
Hi, is there a possibility to build with open hw a complete desktop system that uses coreboot? If the community can provide a fairly strong platform that can be cheaply produced as SOC, and SBC - no one can stand against us... Zoltan 2012/6/3 x414e54 : > I think people are forgetting that AR

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-03 Thread Joe Zeff
On 06/03/2012 12:03 PM, x414e54 wrote: Even my friends, I tell them about linux, and they are very skillful with computers but have no intention to use anything that is not pre-installed on their system. Yes. I tell friends that it's free and they're interested, but afraid to try it because t

Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

2012-06-03 Thread JD
On 06/03/2012 12:20 PM, Joe Zeff wrote: On 06/03/2012 12:03 PM, x414e54 wrote: Even my friends, I tell them about linux, and they are very skillful with computers but have no intention to use anything that is not pre-installed on their system. Yes. I tell friends that it's free and they're in
