Slashdot Mirror


Red Hat Clarifies Doubts Over UEFI Secure Boot Solution

sfcrazy writes "Red Hat's Tim Burke has clarified Fedora/Red Hat's solution to Microsoft's secure boot implementation. He said, 'Some conspiracy theorists bristle at the thought of Red Hat and other Linux distributions using a Microsoft initiated key registration scheme. Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative.'" Color me unimpressed, and certainly concerned: "A healthy dynamic of the Linux open source development model is the ability to roll-your-own. For example, users take Fedora and rebuild custom variants to meet personal interest or experiment in new innovations. Such creative individuals can also participate by simply enrolling in the $99 one time fee to license UEFI. For users performing local customization, they will have the ability to self-register their own trusted keys on their own systems at no cost." From what I can tell, the worst fears of the trusted computing initiative are coming true despite any justifications from Red Hat here. Note that the ability to install your own keys is certainly not a guaranteed right.

9 of 437 comments

  1. So where's the security? by TheRaven64 · Score: 5, Insightful

    If anyone can pay $99 to get a key that lets them install malware in anyone's firmware, then there is obviously no security in the system. I'd have thought this would be excellent grounds for an antitrust investigation...

    --
    I am TheRaven on Soylent News
    1. Re:So where's the security? by Hatta · Score: 5, Insightful

      Microsoft learned after their last antitrust investigation, and increased their political contributions by an order of magnitude, without changing their business practices at all. Now that Microsoft has paid the appropriate protection money, they can do whatever they want.

      --
      Give me Classic Slashdot or give me death!
    2. Re:So where's the security? by vlm · Score: 5, Insightful

      So "anyone" cannot do this. Only large corporations, with no liability, and lots of money, will be able to install malware from now on.

      Luckily large corporations never have data breaches, so it's not like you'll be able to go to wikileaks or pirate bay to get a copy of the MS secret key, or the Dell key, etc.

      That large integer will of course be made illegal, so only private citizens will have unsecured systems. The hard core crooks and the slightly-bent will of course have free rein over everyone's system.

      I'm sure there'll be another moronic legal battle where some 256 bit or 2048 bit or whatever integer is declared persona non grata on the internet, stupid restraining orders, blah blah blah, all over again.

      Who wants to buy a tee shirt with Microsoft's UEFI secret key on it? I give it a couple months till someone releases it, maybe even before the hardware hits the shelves, and a couple hours later I'll fetch it from pirate bay or whatever, and a couple hours later I'll put up a shirt design. Just to be a complete A-hole I'll also make shirts that have equations, too, so it'll be something like 32523136136 minus 1.

      I'll go further with my prediction. Malware will be found signed with a legit "major corporate" key BEFORE legit hardware/software using "major corporate" key hits the shelves, in at least one instance. In other words your new Dell, for example, will be ownable before you can even buy it.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    3. Re:So where's the security? by vlm · Score: 5, Funny

      Oh genius hits milliseconds after I hit the Fing submit button... A tee shirt with a QR code of the official Microsoft secret signing key with iconic 1984 or maybe Animal Farm styling.

      Coming soon, from VLM enterprises...

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    4. Re:So where's the security? by Anpheus · Score: 5, Insightful

      You're confusing the keys that have previously been publicly available and the private keys here. Unlike the previous keys, this isn't part of a DRM scheme where the user has to be able to decrypt content and simultaneously "not have" the key to do so. DRM is fundamentally flawed in that regard, and DRM schemes are routinely broken because they cannot both obscure the content and show it to you at the same time. At some point, your computer has to possess the ability to unlock the next frame, and smart people figured out how to copy that. Ta-da, AACS key, or HDCP master key. Those weren't failures of public key cryptography, they were leaked because the universe is at odds with DRM.

      What private keys of note have been hacked? Recently, a weak Microsoft intermediate certificate key was exploited to generate code signing certs, but that was a weak key with a poor algorithm (MD5 hashed thumbprint). Or Sony's private key for the PS3? Well, they implemented their crypto wrong, one of the supposed-to-be-random parameters was instead hardcoded as a constant. Oops.

      Dell, Microsoft, the big players, they all work very hard to make sure their private keys are secure. Would you care to take a wager on whether or not the Microsoft root key will be released within the next year? (By root I mean whatever key is the common root used to sign a plurality of UEFI signed bootloaders, if they use many intermediate CAs, it would have to be whatever key is for all of those CAs. If they use one intermediary that signs a majority of the bootloaders, then it must be that one - does not have to be _the_ Microsoft key.)

    5. Re:So where's the security? by Anonymous Coward · Score: 5, Informative

      Actually, this is not quite correct. For ARM systems, Windows forces hardware manufacturers to make it IMPOSSIBLE for someone to install another OS. (It's in their license for Windows 8)

  2. FUCKING stupid by inode_buddha · Score: 5, Insightful

    "Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative."

    Fucking STUPID. Since when in their entire history has Microsoft ever done anything in "good faith"?? Morons! *ALL* you need to do is read a few court cases...

    --
    C|N>K
  3. Re:Just say 'No' by a90Tj2P7 · Score: 5, Insightful

    Secure boot, which is what you're concerned about, is just a feature in UEFI. Which has been the BIOS replacement for years. It's not new, it's not an MS creation, and it's not limited to secure boot. Saying you won't buy any PC or mobo that has UEFI because of secure boot is like saying you won't buy any with BIOS if it doesn't have overclocking settings.

  4. Re:The Red Hat Wizard Falls Under Sauron's Spell by a90Tj2P7 · Score: 5, Informative

    "UEFI is an OEM Software Vendor's bald-faced grab at monopoly power. Microsoft would be the key generator. Red Hat would pay Microsoft a one-time fee per user machine, which RH figures likely to be a one-time $99 fee. This charge would be per machine, not per user, as it is likely that no 2 computers on the same network can have the same key."

    I couldn't make it through the first paragraph without hitting ridiculous levels of FUD. MS isn't the key generator. They're not even the generator of their own key. The license isn't per-machine, it's per-source/vendor. There's no kind of per-machine restriction, in any way, shape or form.