FSF Campaign against Microsoft's Plan to Enforce "Secure Boot"

Baruch Siach baruch at tkos.co.il
Tue Oct 25 17:55:33 IST 2011


Hi Amit,

On Tue, Oct 25, 2011 at 05:37:29PM +0200, Amit Aronovitch wrote:
> On Mon, Oct 24, 2011 at 1:56 AM, Amos Shapira <amos.shapira at gmail.com> wrote:
> > I didn't follow the detail but a few weeks ago this made a noise on
> > Slashdot and as far as I'm aware Microsoft issued a statement which
> > calmed down the activists and it became a non-issue. I didn't follow
> > it closely so I might be wrong.
> >
> Can you help locate the MS statement that you describe?

The MS response on this issue is at 
http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx.

Matthew then responded to this at http://mjg59.dreamwidth.org/6503.html.

baruch

> Some relevant details, described in Matthew Garrett's post (thanks Tzafrir for
> the link), and some of the replies there:
> 
> 1. Problems with the proposed UEFI boot standard boil down to the fact that
> it lacks any means to allow the *owner of the hardware* to edit the list of
> trusted keys (load new keys, delete old ones).
> 
> 2. It seems to me that some aspects of this are in fact a security issue,
> which should also be in the interest of Microsoft to solve (e.g. they would
> probably want some means to recover in case one of their keys gets stolen).
> 
> 3. Some solution to the problem (a mechanism for loading keys from specially
> formatted removable media) will be (is being) suggested by Garrett to UEFI
> during this week's "plugfest" http://www.uefi.org/events/
> 
> 4. Readers of this group should be interested to know that this solution
> (whatever other advantages/disadvantages it might have) would allow you to
> end up being able to boot kernels (or bootloaders) that you compiled
> yourself and signed with your own private key.
> 
> Hence: if that MS statement contained some indication that Microsoft would
> support such a solution, indeed I see no serious reason to worry.
> Either way, we should follow closely for reports from the plugfest
> conclusions next week.

-- 
                                                     ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il -


