FSF Campaign against Microsoft's Plan to Enforce "Secure Boot"
Tzafrir Cohen
tzafrir at cohens.org.il
Tue Oct 25 18:42:23 IST 2011
On Tue, Oct 25, 2011 at 05:37:29PM +0200, Amit Aronovitch wrote:
> Setting aside the amusing political debates and going back to the original
> topic - what's the actual status of the UEFI boot issue?
>
> (Following up on the link from Tzafrir's
> post: http://mjg59.dreamwidth.org/6503.html,
> see my comments below)
> Can you help locating the MS statement that you describe?
>
> Some relevant details, described in Matthew Garrett's post (thanks Tzafrir for
> the link), and some of the replies there:
>
> 1. Problems with the proposed UEFI boot standard boil down to the fact that
> it lacks any means to allow the *owner of the hardware* to edit the list of
> trusted keys (load new keys, delete old ones).
Rather: the owner cannot edit the list of certificate authorities. The
owner can, optionally (according to the standard) add extra keys. But
this option is prohibited by Microsoft.
>
> 2. It seems to me that some aspects of this are in fact a security issue,
> which should also be in the interest of Microsoft to solve (e.g. they would
> probably want some means to recover in case one of their keys gets stolen).
>
> 3. Some solution to the problem (a mechanism for loading keys from specially
> formatted removable media) will be (is being) suggested by Garrett to UEFI
> during this week's "plugfest" http://www.uefi.org/events/
>
> 4. Readers of this group should be interested to know that this solution
> (whatever other advantages/disadvantages it might have) would allow you to
> end up being able to boot kernels (or bootloaders) that you compiled
> yourself and signed with your own private key.
Custom kernel? How about custom boot loader code?
Grub2 can:
* read paths and files from the disk(s).
* run a program:
http://www.gnu.org/software/grub/manual/html_node/Shell_002dlike-scripting.html#Shell_002dlike-scripting
So, would grub be allowed to boot?
>
> Hence: if that MS statement contained some indication that Microsoft would
> support such a solution, indeed I see no serious reason to worry.
> Either way, we should follow closely for reports from the plugfest
> conclusions next week.
--
Tzafrir Cohen | tzafrir at jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir at cohens.org.il | | best
tzafrir at debian.org | | friend