Slashdot Mirror
Red Hat Clarifies Doubts Over UEFI Secure Boot Solution
sfcrazy writes "Red Hat's Tim Burke has clarified Fedora/Red Hat's solution to Microsoft's secure boot implementation. He said, 'Some conspiracy theorists bristle at the thought of Red Hat and other Linux distributions using a Microsoft initiated key registration scheme. Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative.'"
Color me unimpressed, and certainly concerned: "A healthy dynamic of the Linux open source development model is the ability to roll-your-own. For example, users take Fedora and rebuild custom variants to meet personal interest or experiment in new innovations. Such creative individuals can also participate by simply enrolling in the $99 one time fee to license UEFI. For users performing local customization, they will have the ability to self-register their own trusted keys on their own systems at no cost." From what I can tell, the worst fears of the trusted computing initiative are coming true despite any justifications from Red Hat here. Note that the ability to install your owns keys is certainly not a guaranteed right.
If anyone can pay $99 to get a key that lets them install malware in anyone's firmware, then there is obviously no security in the system. I'd have thought this would be excellent grounds for an antitrust investigation...
I am TheRaven on Soylent News
self-register their own trusted keys on their own systems at no cost.
How? Most reasonable mechanisms that could be envisioned would likely be considered an 'attack vector' in certain scenarios. I'm genuinely curious as to the mechanisms allowed for end-user key management in this sort of system.
XML is like violence. If it doesn't solve the problem, use more.
This can't be any worse...
Red Hat has faith in Microsoft. More fool them!
Take Nobody's Word For It.
rips Microsoft a "new one" in a class action and/or anti-trust suit
and Fedora/Redhat are feeble minded idiots for paying Microsoft,
Politics is Treachery, Religion is Brainwashing
Stuxnet, Duqu, etc...I could go on
UEFI has the same stench Microchannel did, back in the day.
http://en.wikipedia.org/wiki/Micro_Channel_architecture
for the other side of the house....
They advocated for a dual-boot system which would allow Windows for Pen Computing to co-exist along w/ Go Corporation's PenPoint OS --- then pulled the plug after the first systems were announced.
Jerry Kaplan's _StartUp_ should be required reading for anyone considering doing business w/ Microsoft.
It's ludicrous that one could purchase a system and then not be allowed to install arbitrary software on it --- why can't there be a mechanism for instantiating a particular key on a system which one has physical access to?
William
Sphinx of black quartz, judge my vow.
It will be released but not all the hardware vendors will sign on. Loads of tech people, like the ones here, will not buy it. It will flounder for a few years then eventually die off and go the way of microchannel.
Ill toss this one up there with Divix-DVD's and there pay per view, Sony memory standards, Micro-channel, and many other crappy ideas.
Doesn't this violate the "anti-Tivo" clause of GPL v3? Sure, the kernel is still on v2, but the system can't run without all the v3 stuff.
This will not stand, man.
Red Hat needs to research and make sure they are compatible with new and changing tech and UEFI is clearly one they need to make sure RH software works with. There are valid application for signed systems like this (think stuff like ATM) so making sure Linux works and even signed and validated to boot isn't a bad idea. But as we already suspect the general desktop environment isn't a good place UEFI should be used which is what people are afraid is going to happen.
I haven't delved deep into the details of UEFI but as long as the restrictions are only to boot valid signatures then RH and any other Linux should be fine and might even be desirable in some deployments. In fact a strong argument could be made that getting Linux and BSD onto these platform helps "keep them honest". Red Hat should be allowed to do this and we should continue to inspect RH's source which is a good goal brought about by Open Source. If it turns out that Red Hat does this and is not allowed to be entirely open about it then that would be the red flag but not before then.
For users performing local customization, they will have the ability to self-register their own trusted keys on their own systems at no cost.
If this is possible, can't any random distribution just ask the user to self-register their own keys for their hardware at installation time? I guess it depends on when the self-registration occurs and how it's done, which is not clear to me.
This post was generated by a Cadre of Uber Monkeys for Monkey-Man2000 (603495).
I won't buy any PC or motherboard with UEFI unless it can be disabled - and I will actively search for machines that refuse to implement UEFI at all. Frankly, this is a quisling move by RedHat. Microsoft bullied the PC manufacturers into this anti-freedom technology. Now RedHat is directly supporting Microsoft by paying into their protection racket. Before you know it, every computer will require a 'legitimate' - government/oligopoly authorized operating system. Just say 'No' to RedHat because they are giving money to a system that is sliding down that slippery slope toward removing your freedom to use your devices as you wish.
You're an idiot if you think that other options were not considered first.
This is the only current way that it can be made work NOW for the current user. Red Hat step up to the plate and investigate it early and the slashdot has an illinformed whine.. can't please some people...
I'm not going to invoke Godwin, but *lots* of things start out as being "good-faith initiatives". I know UEFI has tons of advantages over a standard BIOS, and I'm a flat-earther for wanting to stick with the old tried and true methods, but anything that takes away control over hardware I own, especially anything that takes control and gives it to a multinational corporation, I'm passing right over.
And I assume plenty of other tech-minded people will do the same, and the system will fade off into the sunset.
As the author of the linked article, things have somewhat changed since then - the language in the hwcert docs makes it clear that the hardware can be configured into a state where keys can be added. Is it a guarantee? No, but it's as close as is possible to get in the technology world.
A lot of web severs run Linux.
I don't the EU will let MS get away with crap like this.
I wonder if there is an analogy to DVDs and CDs... If you want to use the Genuine DVD logo on your shiny disk you have to follow eighty bazillion rules, at least some of which suck, and at least some of which are great ideas but people who suck don't want to do the right thing.
The logo people thought no one would ever buy round shiny disks without their holy logo of obligation inscribed upon it. Why the nerve of those barbarians to even suggest such a gauche idea as selling a shiny disk without our word of power.
Solution, ship your shiny round disk the way you want, without the Genuine Official Copyrighted Trademarked DVD logo. The consumers don't care, they just pop a round shiny disk in the player and it works, at least most of the time.
I'm trying to figure out if something like this could happen with UEFI, somehow.
Another option is the death of the preinstalled microsoft OS. If the legal barrier is just too high, start shipping free systems. Preinstalls suck and are absolutely sickeningly riddled with bloatware anyway, so first step is always to wipe the preinstall. The proverbial grandma won't be able to handle installing windows, I guess she will stick with the Ubuntu preinstall and probably not even notice the difference.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
..that almost every PC comes with Windows pre-installed in conjuction with Microsoft abusing this monopoly despite all the anti-trust affairs.
I know the M$ fanboys will point at Apple and their iOS devices, but the big difference is that Apple does not force other smartphone manufacturers to put iOS on their hardware, whereas PC manufacturers have to pay for not putting Windows on their PCs.
Given those circumstances, the fact that I'd have to pay $99 in order to install my own private Linux distro on my own private PC is just crazy.
Even if this is indeed a "good faith" initiative, what difference does *that* make? The tools for locking down and controlling all computing are being put in place, one small step at a time. When that "good faith" goes away in the future, the tools will not know the difference; they can be used in good faith or bad faith alike.
It's much like giving a genuinely good leader draconian legal powers. (S)HE may used them wisely to do actual social good, but in a hundred years when you have a despot at the helm, he'll have the same draconian things available.
Fucking STUPID. Since when in their entire history has Microsoft ever done anything in "good faith"?? Morons! *ALL * you need to do is read a few court cases...
C|N>K
"your owns keys is certainly not a guaranteed"
If I can't use a custom kernel and I can't load custom drivers, than there's no way anyone could convince me this UEFI/SB and the related signing misery is the way to go. I couldn't care less that some distros can sign their kernels and drivers and you can use those, because that essentially would imply a lock-in to a specific company's version - thanks but no thanks. Of course I can imagine how some companies would like it that way.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Don't buy a PC with UEFI and don't even try to keep one running when it craps out.
"From what I can tell, the worst fears of the trusted computing initiative are coming true despite any justifications from Red Hat here. Note that the ability to install your owns keys is certainly not a guaranteed right."
Okay chicken little the sky is falling.
Really? You can turn off the security settings in UEFI. Will you in the future? No but that is a slippery slope argument. The simple fact is that UEFI offers a layer of security that many users may welcome. As long as the end user can turn it off I am fine with it.
Now on the Windows ARM platform it can not be turned off which is just evil and should be looked into as a violation of anti-trust. Of course if you really hate the idea that is fine also. What is stupid is complaining that Red Hat paid the $99 fee. That like saying that a kid should stand up to a gang of bullies instead of giving them his lunch money even if they will beat him to a pulp.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
I'm assuming no one has yet noticed that the $99 fee is not going to last forever. From Microsoft's sysdev portal:
Moreover as others have mentioned here, it's not guaranteed that any hardware manufacturers will include the capability to register one's own keys. I certainly haven't heard of any yet.
// -- http://www.BRAD-X.com/ --
C'mon, it is very easy to solve the problem. Uses them same Microsoft CA that Flame worm is using.
SecureBoot is more a "reduce users power to change OS" than "protect from malwares", as Flame proved.
UEFI is an OEM Software Vendor's bald-faced grab at monopoly power. Microsoft would be the key generator. Redhat would pay Microsoft a one-time fee per user machine, which RH figures likely to be a one-time $99 fee. This charge would be per machine, not per user, as it is likely that no 2 computers on the same network can have the same key. How many linux users not running servers would be willing to pay their OEM Linux Software Vendor an extra $100 over the current cost of that software per machine? What impact would this have on the number of desktop linux users? How many would forego any switch from the Microsoft OS pre-installed for an extra additional $100, per machine?
IIRC, when Microsoft first began trying to compete with Server Software against the the Big Iron Server Vendors, flexibility in number of connected clients, and owning the HW and the SW license was considerably cheaper than an annual HW & SW service agreement. Digital Equipment, Silicon Graphics, and Sun Microsystems are gone, Microsoft has so much influence over HW manufacturers that an effort was made to rein in competition. Control of the UEFI Boot AUTH Key by a self-avowed SW monopoly would appear to, in one fell swoop, destroy a segment of the Desktop OS competition AND create a robust new revenue stream at the same time. The crony corporatists are greedy vampires, as one named John D. was quoted as saying "Competition is a sin."
So, which recently topping $1 Billion in revenues OEM SW Vendor just climb into bed, figuratively speaking, with Microsoft? Red Hat? Gee whiz, I wonder how many of Red Hat's plethora of desktop linux competition, or for that matter, any *nix-like OS Vendor would care for their product to be automatically boosted in price by $100 (minimum) to establish an UEFI Boot AUTH Key "Associate" account with Microsoft? When is More Evil just too much?
Free market capitalism, by definition, should be operating on a level playing field of regulation and enforcement. The greater and greater concentration of economic power and influence in the hands of fewer and fewer corporations is hardly an indication of a vibrant free market. But that is a symptom of corporatism, and when government is in alliance with those crony corporate interests instead of the general well-being of all taxpayers, it is called corporate socialism also sometimes known as national socialism or fascism.
Even if this comes to pass for companies like Dell and HP, I doubt the "enthusiast" system builders like Asus and Gigabyte will be locking down their motherboards. After all these are machines frequently built and tweaked from the ground up, and enthusiasts won't buy them if they're locked down and they have to install a specific OS version.
There's really nothing else to add here
the big concern is that Microsoft has a history of not playing well with others, but that was with Bill Gates running the show
Steve Ballmer (who dropped out of Stanford's business school to join Microsoft - i.e. he is a "businessman" in the good sense) is probably a little less cut-throat (or inclined to "compliance with raised middle finger") than Bill Gates - which is obviously just my opinion - and I'd gladly work for either Microsoft or Red Hat (I've used both company's software for years, but I'm not religious about either)
anyway, I'm still not convinced that "UEFI" is the next big thing, I'm willing to listen/try it - but taking a "trust but verify" attitude toward the whole thing
It ain't what they call you. It's what you answer to. http://mylyceum.us/
Note that the ability to install your owns keys is certainly not a guaranteed right.
Also note: YOU CAN ALWAYS TURN OFF SECURE BOOT IN THE BIOS
I'm done trying to explain this. If people want to have a persecution complex about this, that's their problem.
Where is the forest and where are the trees? Do you not see the difference?
Let me make it clear. The average person will not be able to load anything else but Win8. Microsoft will profit from the sales of Win8 systems. It doesn't matter if the consumer prefers Win7, XP, Ubuntu or what ever else. It will be a hassle to load any other system. When Win9 comes out it will not load on a Win8 system because the keys will not be the same. On this I am prepared to wager. Microsoft does not care for the $99 that's not where the money is.
Saying that if you just quit your damn bitching and hold still, it won't be as bad as you imagine. Hell, once you've been slammed hard a few times, you'll hardly even notice it's happening.
If you were blocking sigs, you wouldn't have to read this.
Now using my electronics how i want is "certainly not a guaranteed right". WTF. Thats why we had DIY talents before, who was building companies in garage, and now we have army of "angry bird" players, because it is not easy to create something this days.
You can't reuse electronic parts. SMD. You need expensive tools to do that. Well, ok, let's say it is ok.
You can't reuse blocks and highly integrated IC's, because there is NDA for documentation and high fees to get this documentation.
And now, finally, soon you can't write your own low-level software, because your PC manufacturer will decide, what you can run, and what you can't.
I hope my car one day will not tell me, which road i can take, and which one i'm not allowed to go, because my car don't have license for offroad.
I wouldn't be surprised if Microsoft can pull this off.
The real problem starts when 'stolen' keys are going to be abused for malware / used for loaders, etc. Then phase 2 will come into play: "suddenly realizing" that you also need some kind of key revocation system for this to be secure. But in phase 1 you already locked yourself in.
You will be totally at the CA (Microsoft)'s mercy. Replacing Microsoft with some US-government agency will make things even worse.
When the copyright term is "forever minus a day", live every day like it's the last.
Oh, sure, you can disable the UEFI Secure Boot crap. But when I read the initial article a few days ago, the point I got was that Fedora's goal was to not require users to have to go to the trouble of manually disabling it. Win8 is going to require SB enabled in order to get the W8 sticker (I was unclear if W8 itself required SB, but if it did, it wouldn't work as an upgrade). So in order to install Linux, everyone must manually disable SB first unless the distro gets signed. And they can't just stop with signing the first stage boot loader, they pretty much have to have the kernel signed and have it check for signed drivers, otherwise there would be a hole that some eeeeeeevil malware could get through, which would be grounds for revoking the key.
Then there is also some kind of problem with driver modules (like in the ROM on PCI cards) also having to be signed, but apparently it has to match the OS key, and there's no room for more than one signature. So of course they'll get signed for Microsoft's key. This is bad, but it really doesn't have much to do with the particular problem at hand.
The problem I see is that the master key is revokable if a particular OS boot loader is determined to be insufficiently secure. No, your BIOS isn't going to get on the internet and update itself every time you boot (but let's not give Microsoft any ideas) and one day refuse to work; the problem is that six months from now, the BIOS in all the new motherboards on the market would say "hey this Fedora key, someone told me it's no good!" And people installing Linux for the first time would again have to manually disable SB until a new key and bootloader are produced. Since Fedora's goal was a no-fuss install, this is a failure.
And then there's the looming issue of what happens if Microsoft decides to require that SB not be disabled, as they have done on ARM. Sure, there are already a lot of ARM tablets that will never run W8, but if you get a good deal on a used or clearance W8 tablet, it's useless for anything but W8. But what happens if Microsoft decides that a manufacturer can't get a W9 sticker if you can disable SB?
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Unless I'm very much mistaken (please feel free to correct me) I'm seeing a lot of incorrect information around this. As I understand it: A) You can turn it off by going into the BIOS. Then you can boot anything you like. B) Each boot-loader for each individual OS requires signing by the manufacturer. As I understand it, Redhat were asked if they would be the custodians of 'one true' Linux key and they didn't want to be responsible for it on behalf of other distro makers. C) Redhat approached PC manufacters who were very receptive to their key being included with all hardware, however Redhat felt there would be an impression that they were levaraging their size as unfair competition. D) MS offered to sign distro's and OS's with their own key as long as the maker was registered with them for $99 which is surely below cost. Ideologically it is not ideal I agree but it could be worse no? Ideally some garanteed impartial third party would sign all OS's from one key. But who? Thanks for reading
So what's to prevent RedHat, or anyone else, from paying the $99 for a key, and then publishing it? This would let anyone sign their own distributions. If it can work, I'd happily post an oldmacdonald key.
I think people are blowing this secure boot problem a little out of proportion, and many like the author here are inferring that the problem is with UEFI its-self. I see UEFI as a good thing (as it has been for several years on the systems that already support UEFI). In the author's example, they complain that someone who rolled their own linux distro wouldn't be able to install it. This is a laughable idea to me, if someone has the skills to roll their own distro, why would they have a problem figuring out how to go into the UEFI config and disable secure boot? Second, we're really only talking about oem crapmachines like dell and HP/Compaq and the like which will have secure boot enabled by default to meet the Microsoft Windows8 logo certification. If an OEM like that sells machines with linux, I'm pretty sure the machine with ALSO ship with no secure boot and no logo sticker. If a user buys a machine, pays for a windows license, and still wants to wipe it out and run linux.. Somehow I fail to see how making one change in the UEFI config is a big deal.
If a user buys an asus (or whatever brand you like) motherboard, it's not going to be Windows 8 logo certified because it isn't a whole computer and I would hope would not have the secure boot enabled by default.
So, I think this is a case of mountains being made out of molehills. I only care because things like TFA seem to place the blame inappropriately on UEFI, and I've been waiting for UEFI on my machine for a very long time!
And will actively seek out equipment without it.
I am just about through with PC's anyway.
Seriously, who is nerdy enough to compile their own kernel but not nerdy enough to turn off what amounts to a BIOS setting? Why is Red Hat going through all this trouble for a group of people who are ultimately just going to turn the setting off regardless of whatever Fedora does?
the UEFI secure-boot feature required to run Windows 8.
The only people affected by this are people who have supported MS by buying MS-spec hardware.
$99 for a keying license vs Sony's policy of simply not allowing other OSes ... I'd say, lesser of two evils.
-- A change is as good as a reboot.
In that case they'll simply revoke your key and you'll have to pay for another one (if you can even get one at that point). If Microsoft loses their key, it won't get revoked. See the SSL certificate issue they've had recently, a root CA would (and should) immediately revoke the whole Intermediate certificate if that happened with a small company but because it's Microsoft they won't.
The point of the system is that large vendors (like Microsoft) will have keys and you won't. Also malware creators (good ones that operate on a state-level) will have the keys (see DuQu, Stuxnet etc. for examples). But YOU won't.
Also, to insert/revoke keys there has to be an OS to EFI link (just like Mac OS X has one) so that will be the point where it will be exploited.
Custom electronics and digital signage for your business: www.evcircuits.com
Given that they talk about updating the set of keys, I'd be surprised if they couldn't revoke keys that are found to have leaked. They could also likely track back the signed code to the key that signed it, and thus put you on the spot.
Redhat could conceivably make their grub only load redhat-signed code by default. Might make sense for RHEL, maybe not for Fedora.
They just put their employees in the US government. Poof ! Problem solved. Eric Schmidt is on the obamas council of "advisors" on science/technology. But he would never suggest anything that would help google.. oh no!
And Google was the fifth-largest donor among businesses to Obamaâ(TM)s presidential campaign. (Health insurance, Wallstreet, etc beat them out I guess)
There are a couple things about Garrett's blog that have mystified me. I'm not saying he's wrong or anything, just that he says some things which can only possibly make sense, if there's something else which isn't be said. Seriously, please help filling in the blanks.
What happens if someone did that, but didn't take the "responsibility" seriously and didn't spend the millions of dollars? If there were a "Linux" signing key, but it were released to the public so that anyone (including malware authors) could sign their bootloader to UEFI's satisfaction, that would obviously nullify the point of secureboot but other than that, what would be the consequences?
Does someone have to post a bond to get a signing key (i.e. if you leak your key, it contractually costs you n megadollars)? Or is there some key revocation process, where that fact that some signing key is no longer trusted by the UEFI central authority, is somehow magically signalled to millions of Flash ROMs?
Neither of those ideas bear scrutiny. Is there a third deterrent?
(Where if I understand this correctly, the "very simple bootloader" is the thing that Microsoft is signing.) Why check that grub2 is signed, instead of just loading any old grub2? Obviously, the answer of course, is that doing that would defeat the point of secureboot but nevertheless it solves the problem created by UEFI. Other than making secureboot irrelevant, what would be the consequences of that?
Again: why? So what if the kernel or a kernel module lets you touch the hardware? At that point you've already booted and taken control of your machine, so secureboot can't stop you. Garrett's project has succeeded at letting Red Hat customers run Red Hat on their UEFI machines with default settings at this point. The problem is over, isn't it?
One idea that leaps to mind is that if Red Hat didn't say their bootloader would only load signed grubs2 and their grub2 would only load kernels which prohibit loading untrusted kernelspace code (e.g. unsigned modules), then Microsoft would refuse to sign their initial bootloader. But saying things and doing things are two different things. It's inconceivable that for a $99 fee, Microsoft has guaranteed that the Red Hat kernel never under any circumstances run not-Red-Hat-blessed code. I'm convinced their strategy can't be based on code-auditing or statements from those who create the code, that the code will never run other untrusted code. That's not viable. If you could audit a who kernel for $99 then Theo deRaady woudl be out of a hobby.
"Obvio
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Paying this fee to Microsoft will help guarantee Red Hat's remaining on top of the Linux world. They can afford to pay it. Many of their competitors probably can't.
Wow. I swear I used a real keyboard for that, not a tablet. Oh well.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
But you need to boot into the bios to do it, and RedHat doesn't want to make everyone do that just to boot Linux.
Then of course there's the conspiracy theory that says that just because UEFI supports it doesn't mean that all the vendors will actually give users the ability.
Under secure boot, the hardware validates the bootloader, the bootloader validates the OS, and the OS validates the userspace code.
Redhat could easily write some userspace code to talk to certain parts of the hardware and sign it with their key and it would be allowed to run just fine.
Currently you can stick in a USB stick and boot from it into a live RedHat image.
Under secure boot, if they go this route that will continue to work. If they go the self-registered route they need to get people to reboot into the BIOS, either add in a new key or disable secure boot, then reboot.
For most of us here this is no big deal, but for my grandma that would be a showstopper.
For installing onto your own machines you can add in arbitrary new keys for free.
If I want to create my own distro and allow other people to install it _without disabling secure boot or manually adding new keys_ then I need to pay $99.
Incidentally, it costs $99 to publish apps to the Apple app store, so this doesn't seem like a crazy price.
Red Hat pays $99 once to get their key included in the BIOS. This lets them boot up their bootloader (signed with their key) which then boots whatever they decide to allow--could be OS kernels signed with their key, could be arbitrary stuff. I'd guess that RHEL might lock things down tight by default, with Fedora being more permissive.
There is no per-machine fee.
Nuff said. What is keeping a brain dead lump of a motherboard from being flashed with bootcode that does not require this sort of stuff?
Will every thing have to be ON LINE to boot up now?
Ready the tin foil hats!
Microsoft will NEVER NEVER sell a key - not for 99.00, not for a million dollars.
The requirement of the key should be transparent (actually, UEFI has no merit whatsoever),
that is, without any strings attached - just like when I put together my hardware now. I have
no obligation to Microsoft for the operation of my property. Why should I suddenly have this
obligation now? Does anyone really believe there wont be a license associate with this "key"?
Will it expire? MS software has many security problems, true, but why are they being forced
on the community? Having something like this does nothing to protect the end user.
Very sad...
CAPTCHA == repute
"No thank you" to an offer to pay $99 to allow me to configure hardware and firmware that I have already paid for. I know which PCs I will not be purchasing.
Microsoft requires that UEFI machines hold only one key. If they revoke one key, well, that is the only one...
Rethinking email
Do you have any idea how easy it is to create a false persona? Or base one of someone elses identity? I've seen scams that even create physical store fronts, webpages, phone numbers, staff, etc. It's really not that difficult for a few people to pull off successfully.
means: we're too lazy to hash this out now but we'll be sure to act surprised when they screw us later.
Yet another reason to get better x86 support into u-boot. U-Boot is already everywhere, and seems to have won the race to be a BIOS replacement on every new platform. It works really well, POSTs and configures the machine generally in under a second, understands FAT/EXT2/etc well enough to directly load a linux kernel, yet is low level enough to just load a MBR like bootloader,etc.
Basically, it does what the BIOS should be doing (configure basic RAM/CPU/Disk/network, only enough to start something else).
Frankly, as I sit here waiting for my nice new IBM desktop machine to waste 5 minutes rebooting UEFI, I just want to smash the machine.
Posting as AC because I don't have an account, but the amount of misinformation is mindboggling.
Four things
1.) UEFI is literally just a new way to say "BIOS". It has nothing to do with the secure boot feature.
2.) Secure boot can be disabled on every motherboard. It's actually explicitly required as part of the specification.
3.) All of this hub-bub is because users need to change a bios setting away from a default in order to run an unsigned bootloader (e.g.) linux. Apparently, changing 1 BIOS setting is a technical hurdle that will stop anyone from installing linux (yeah, right)
4.) The reason this wouldn't be a security hole is that the keys need to be loaded onto the motherboard itself to be of any value. All that's being done is that these are being preloaded by OEMs, so the user is spared the trouble of adding their own key for MAJOR linux distros OUT OF THE BOX. You can always add signing keys, but again, that's a "hassle" they want to avoid
Yes, I also think they'll act, too bad they didn't do anything yet. If they wait too much, whatever they do won't make any difference. What are they waiting for?
Rethinking email
Can we disable Intel Insider? Who is asking for these Trusted Computing mechanisms? Surely it isn't the customers. I wouldn't want an UEFI motherboard with Secure Boot, and I won't be buying a Sandy Bridge chip either. I never found myself wishing my computer was more locked down.
"but money is the God of Algiers & Mahomet their prophet." - Rich. O'Bryen June 8th 1786
The scary part of this is Microsoft's tight grasp on PC vendors. A software company (Microsoft) is controlling the hardware companies. This should not be. Whatever happens, somebody will figure out a workaround so I'm not worried the least bit. I will still run GNU/Linux on all of my PCs.
FOSS didn't scream when Apple did it, because Apple makes (well Foxconn for them) the whole kit and kaboodle, they only screw with their own vertical stack.
Microsoft's shiny new idiocy imposes a requirement on hardware it doesn't make that impinges on software vendors that aren't in bed with them.
Microsoft (as you well know unless you're a drooling idiot) had next to no presence in the browser market until they LEVERAGED (and the courts said illegally so) their Windows position to crush their opposition.
What private keys of note have been hacked?
RSA's, very likely. That was a very major issue, when the SecureID tokens had to be replaced.
http://www.eweek.com/c/a/Security/RSA-Warns-SecurID-Customers-of-Data-Breach-395221/
I think no one see's the next step, The UEFI reqquires no bios chip, from what I have read. After Win 7 dies in a few years, after your MOBO fries, what are you going to replace your entertainment system with? The 7 inch screen, don't wear glasses. Don't look at it in the sun. Have to be near a city, where the big pipes are. Guess red-hat and the others are going to have to modify their codes to self run, not be accessed by the bios. Just think of what could have been given to the less fortunate, now they will have to accept limited futures of computing, Not the ever faster, smaller systems that can be programed, to do more, but only what a few want you to do....
Some kind souls are trying to disassembling UEFI
http://board.flatassembler.net/topic.php?t=14306&postdays=0&postorder=asc&start=0
Muchas Gracias, Señor Edward Snowden !
Buttle, pulling out UEFI chip: "Ah, there's your problem."
Lowry: "Can you fix it?"
Buttle: "No, but I can replace it with this."
How is this not extortion?
That used to be illegal.
The complexity of actually implementing UEFI Secure Boot along Microsoft's line will make it hell for hardware manufacturers who will have to add keys and deal with the whole vetting and testing processes. Much of what Microsoft does actually makes computing so complex that in the end OEM's will realize that letting users add their own keys will actually make it easier for the OEM's themselves to add new device drivers to their own machines and keep costs low. All of this hinges on the success of Windows 8 and by all indications Windows 8 will be the worst OS launch in Microsoft's history. I estimate that this will have a large blowback effect among OEM's who will be forced to completely re-think their relationship with Microsoft when Windows 8 fails to help them to compete against Apple. They will think to themselves "not only did MSFT force us to increase costs by implementing the unproven UEFI it put us in a worse position than if we had just installed Android on our tablets and left our desktops/laptops open for the user to decide and load their own keys!".
The end result is that a massive Windows 8 failure will prompt OEM vendors to start seriously considering putting Ubuntu or Red Hat on their machines as a counterpoint to increase their negotiating position against Microsoft should they attempt to hedge their bets. It is inevitable that after Chrome OS and Android are merged it will be the standard tablet/netbook OS of choice and not Windows 8 as Google is the only company with an operating system that can compete with Apple on an equal basis. Windows 8 attempting to compete with Apple in the tablet/laptop market is a cruel joke that Apple must be relishing.
Microsoft has the "illusion" of being an imperial and all powerful company but in reality the market will make the choice and it already has. They already lost 30% of their desktop market share to Linux and Mac OS X. Apple has the favor of the market majority in the tablet market at nearly 70% with Google Android making up the remaining balance. Microsoft currently has 1-2% market share for Windows 7 in the tablet market and Windows Mobile phone in the phone market. After the launch of Windows 8 expect these numbers to become even worse for Microsoft.
In the end of the day either buy a Mac and use Bootcamp to dual boot Linux or go to a Linux specific vendor like System 76 or Zareason and vote with your dollars... The irony is that in the not to distant future desktop Linux is the only thing that will save the OEM's from being dragged deeper into Microsoft's huge endless death spiral of failure and irrelevance. Linux will not only allow them [OEM's] to reignite innovation and compete on more equal terms with Apple it will allow them to regain control of their own machines and not take dictators orders from Microsoft...