Authored by: Anonymous on Friday, March 01 2013 @ 09:36 PM EST
http://www.youtube.com/watch?v=V2aq5M3Q76U
And somewhere down the stream he notes that he asked Intel
if they were going to fix a bug he had found to which they
replied "no". Flashing BIOS has always been a little
risky, this sounds like a nightmare to me.
Authored by: cassini2006 on Friday, March 01 2013 @ 10:35 PM EST
I can only see three scenarios where this secure boot makes sense:

a) To use secure boot only long enough to boot and run Linux as normal.
b) To deliver a computer that the RIAA and/or Microsoft trusts, such that you can't steal their precious DRM protected products.
c) To deliver a computer that only runs code that the user authorizes.

I'm not sure what Option (c) gives you that Option (a) does not. Specifically, most of the hacks that work against Option (a) also work against Option (c). However, for some secure applications, it would be nice if the kernel would only trust code specifically authorized by the user. Unfortunately, for this security guarantee to be meaningful, the BIOS itself would have to have the user's key (and only the user's key.)

Obviously, Option (b) is the RIAA's, MPAA's, and Microsoft's dream. It also makes Windows Genuine Advantage from Microsoft work much better. However, many computers are used in applications that have nothing to do with the activities involving Music, Movies or Microsoft. I just can't see implementing Option (b) being a priority for most users of Linux, because they have better things to do.

Linus's solution of either (a) avoiding secure boot, or (c) making the user authorize everything, is fine by me.

It is my expectation, that any implementation of (c) will cover the case where a single administrator (the "user") is controlling a farm consisting of millions of PCs. This is far too interesting of a commercial application to ignore.

My biggest issue, by far, is that I don't see how Option (b) prevents Windows from being affected by a root kit. As long as a key is in widespread use, and publicly available, it will be cracked. Microsoft can't revoke the key, because it will break millions of deployed computers. Option (b) doesn't work. This is all a huge waste of time.
Authored by: jjs on Saturday, March 02 2013 @ 12:42 AM EST
Having read the chains, this appears to be about running binary-only modules
with linux, not linux secure boot. Linus has NEVER supported binary-only -
that's one reason linux doesn't have a stable kernel module API.
So right now you can, using a shim, boot vanilla linux from secure boot.
However, if you want to use the proprietary Nvidia driver (for example), you
need a signed module. If Red Hat wants to support the module, they can sign it
right now. No change to linux needed.
---
(Note IANAL, I don't play one on TV, etc, consult a practicing attorney, etc,
etc)
Authored by: luvr on Saturday, March 02 2013 @ 12:16 PM EST
“If you've set up your own chain of trust instead, anything
signed by Microsoft will be rejected.”
It's high time to set up my own chain of trust, then!