Slashdot Mirror


Red Hat Clarifies Doubts Over UEFI Secure Boot Solution

sfcrazy writes "Red Hat's Tim Burke has clarified Fedora/Red Hat's solution to Microsoft's secure boot implementation. He said, 'Some conspiracy theorists bristle at the thought of Red Hat and other Linux distributions using a Microsoft initiated key registration scheme. Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative.'" Color me unimpressed, and certainly concerned: "A healthy dynamic of the Linux open source development model is the ability to roll-your-own. For example, users take Fedora and rebuild custom variants to meet personal interest or experiment in new innovations. Such creative individuals can also participate by simply enrolling in the $99 one time fee to license UEFI. For users performing local customization, they will have the ability to self-register their own trusted keys on their own systems at no cost." From what I can tell, the worst fears of the trusted computing initiative are coming true despite any justifications from Red Hat here. Note that the ability to install your own keys is certainly not a guaranteed right.

6 of 437 comments

  1. User key management by Junta · · Score: 4, Interesting

    self-register their own trusted keys on their own systems at no cost.

    How? Most reasonable mechanisms that could be envisioned would likely be considered an 'attack vector' in certain scenarios. I'm genuinely curious as to the mechanisms allowed for end-user key management in this sort of system.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  2. GPL v3 by M. Baranczak · · Score: 3, Interesting

    Doesn't this violate the "anti-Tivo" clause of GPL v3? Sure, the kernel is still on v2, but the system can't run without all the v3 stuff.

    This will not stand, man.

  3. Re:Let me predict the future here. by DarwinSurvivor · · Score: 3, Interesting

    Except there's a new twist this time. Microsoft is REQUIRING secure-boot if OEMs want to put the "certified for windows" sticker on the machine. Believe it or not, that sticker is worth a LOT to OEMs.

  4. Re:Just say 'No' by gregthebunny · · Score: 4, Interesting

    Agreed! This is an opportunity for us to protest with our wallets. Not only will I be actively pursuing non-UEFI motherboards, but I will also be actively campaigning my colleagues, coworkers, friends, and family to not buy non-UEFI machines as well. Microsoft is trying to fix a system that isn't broken. They shouldn't have to rely on securities at the hardware and BIOS level to lock down their new operating systems. They should just, you know, build a more secure operating system...

  5. Re:So where's the security? by badfish99 · · Score: 3, Interesting

    So I'm a philanthropically-minded linux user with $99 to spare. I give that money to Microsoft, and they give me some magic key that lets me write linux kernels that will run on anyone's machine. I immediately publish that key on my website, for anyone to use. Now any criminal can use this key to run their malware on any machine.

    Obviously it doesn't work like this, or the whole scheme would be useless. So how is it going to work?

    I read TFA, and as far as I can tell, it *does* work like that: for $99, I get my key sent to the hardware vendors to be put into their UEFI boot chips. So will everyone get a free "bios upgrade" when I deliberately leak my key?

  6. Re:So where's the security? by bws111 · · Score: 4, Interesting

    Untrue. The requirement is that secure boot can not be disabled. If you have a signed bootloader (like one from Red Hat, Fedora, or any other distro that pays the $99 to use this service) you can boot any OS you want.