
31st May 2012, 04:56 PM
|
 |
Registered User
|
|
Join Date: Dec 2011
Posts: 214

|
|
|
Fedora 18 to support UEFI Secure Boot
Matthew Garrett, kernel developer at Red Hat, has given details of the plans to ship Fedora 18 with the ability to boot under UEFI secure boot. The Secure Boot technology of UEFI will be enabled by default on future Windows 8 hardware and is designed to ensure that only appropriately digitally signed operating systems will boot.
As the only company actively pursuing this signing was Microsoft, the requirement had led many to conclude that Microsoft was locking other operating systems out of future PCs. Microsoft modified their position to allow x86 Windows machines to disable the secure boot option or to allow users to enrol their own keys, but Garrett says that "it's not really an option to force all our users to play with hard-to-find firmware settings before they can run Fedora".
http://www.h-online.com/open/news/it...t-1588057.html
|

31st May 2012, 05:49 PM
|
 |
Registered User
|
|
Join Date: Jul 2009
Location: UK
Posts: 142

|
|
|
Re: Fedora 18 to support UEFI Secure Boot
Agreeing to hook up with Microsoft for $99 so we can use their signing service..... bit unpleasant. They seem hell bent on making money out of everyone. I wonder how this sits with Fedora's principle of supplying only free software? Also I feel sorry for the small one man Linux distros that are struggling financially as it is.
Personally I think the whole thing stinks and they should be investigated for trying to monopolise the computer world
__________________
OSS - the way forward
|

31st May 2012, 06:18 PM
|
|
Official Gnome 3 Sales Rep. (and Adminstrator)
|
|
Join Date: Jul 2011
Location: Leamington Spa, UK
Age: 30
Posts: 1,847

|
|
|
Re: Fedora 18 to support UEFI Secure Boot
I'm not sure that this is a politically clever move by Red Hat and Fedora with respect to the Linux community. It sets a precedent which has implications. Still, as long as the kernel and GRUB limitations are disabled when I disable "secure" boot I can live with it.
|

31st May 2012, 07:58 PM
|
 |
Registered User
|
|
Join Date: Dec 2011
Posts: 214

|
|
|
Re: Fedora 18 to support UEFI Secure Boot
Quote:
Originally Posted by Penguinclaw
Agreeing to hook up with Microsoft for $99 so we can use their signing service..... bit unpleasant. They seem hell bent on making money out of everyone. I wonder how this sits with Fedora's principle of supplying only free software? Also I feel sorry for the small one man Linux distros that are struggling financially as it is.
Personally I think the whole thing stinks and they should be investigated for trying to monopolise the computer world 
|
there is nothing to add in my mind
|

31st May 2012, 10:03 PM
|
|
Registered User
|
|
Join Date: May 2012
Location: NC
Posts: 505

|
|
|
Re: Fedora 18 to support UEFI Secure Boot
I'd wager that the typical computer user has never booted into the BIOS. Garrett is probably correct that requiring that to install Linux is asking too much.
As I understand this, a user dual booting Windows and an unsigned Linux, essentially an unsigned Linux boot loader, is likely to find that boot loader blacklisted by Microsoft, with the result that an eventual Microsoft update will render Windows, if not the machine, unbootable. That prospect would be a serious roadblock to attracting new people to Linux.
Apple is at least as committed to signing as Microsoft, so I would expect them to either go along with the MS scheme or implement their own. If that happens, and if the only way to run Linux is to disable secure boot, then Linux users will become the prime target for pre-boot malware.
We are rapidly heading to a world with signed software and signed hardware and all that implies. Linux, as a community, needs to come to terms with that. Spouting invective against Microsoft or Red Hat won't help at all. Ideas might.
|

31st May 2012, 10:03 PM
|
 |
Registered User
|
|
Join Date: Oct 2009
Posts: 111

|
|
|
Re: Fedora 18 to support UEFI Secure Boot
Microsoft won once again - it dictates which operating system one can boot on one's hardware.
|

31st May 2012, 11:06 PM
|
 |
Registered User
|
|
Join Date: Nov 2006
Location: Detroit
Posts: 4,722

|
|
|
Re: Fedora 18 to support UEFI Secure Boot
From the discussion on slashdot it seems like a lot of nonsense is being spread about this by people who hate Red Hat (mostly users of other distros who for some reason don't like how successful Red Hat has been) and have trouble with reading comprehension. This is a one-time $99 fee (yes, 99 whole dollars!) that is just a convenience for inexperienced users who don't want to (or, more likely, are incapable of figuring out how to) go into the UEFI setup and disable Secure Boot (or enroll their own keys). That's right, $99 paid exactly once by Red Hat, not by anyone else or by any users.
Red Hat's Matthew Garrett explains it in this article:
Quote:
We explored the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it, but turned it down for a couple of reasons. First, while we had a surprisingly positive response from the vendors, there was no realistic chance that we could get all of them to carry it. That would mean going back to the bad old days of scouring compatibility lists before buying hardware, and that's fundamentally user-hostile. Secondly, it would put Fedora in a privileged position. As one of the larger distributions, we have more opportunity to talk to hardware manufacturers than most distributions do. Systems with a Fedora key would boot Fedora fine, but would they boot Mandriva? Arch? Mint? Mepis? Adopting a distribution-specific key and encouraging hardware companies to adopt it would have been hostile to other distributions. We want to compete on merit, not because we have better links to OEMs.
An alternative was producing some sort of overall Linux key. It turns out that this is also difficult, since it would mean finding an entity who was willing to take responsibility for managing signing or key distribution. That means having the ability to keep the root key absolutely secure and perform adequate validation of people asking for signing. That's expensive. Like millions of dollars expensive. It would also take a lot of time to set up, and that's not really time we had. And, finally, nobody was jumping at the opportunity to volunteer. So no generic Linux key.
The last option wasn't hugely attractive, but is probably the least worst. Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access edit: The $99 goes to Verisign, not Microsoft), but it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions. If there are better options then we haven't found them. So, in all probability, this is the approach we'll take. Our first stage bootloader will be signed with a Microsoft key.
|
As Garrett says, this solution is not ideal but was the "least worst" one, and I agree. For both newbies and companies it will lower the "barrier for entry" to Fedora. For experienced users it won't even be an issue, as they will know how to disable Secure Boot in the UEFI setup so they can install whatever distro or OS they want. All for the measly one-time price of $99 (as someone on slashdot said, that $99 is less than it would cost Red Hat to even discuss the issue for 15 minutes with their attorneys).
People should read that article before jumping to conclusions. As someone on slashdot said, there's a tendency for FUD to be spread by "people who don't have the foggiest idea of what's going on but see 'M$' and instantly go full retard." To that I would add that there is a segment of Linux users who go "full retard" over anything Red Hat does involving money (OMG, $99 to M$!, I'm boycotting Red Hat!).
__________________
OS: Fedora 18 x86_64 | CPU: AMD64 3700+ 2.2GHz | RAM: 2GB PC3200 DDR | Disk: 160GB PATA | Video: ATI Radeon 7500 AGP 64MB | Sound: Turtle Beach Santa Cruz CS4630 | Ethernet: Realtek 8110SC
|

31st May 2012, 11:28 PM
|
 |
Registered User
|
|
Join Date: Sep 2009
Posts: 1,409

|
|
|
Re: Fedora 18 to support UEFI Secure Boot
And it didn't even go to Microsoft! What's the big deal about paying Verisign a $99 signing fee? This thread is good reading. A lot of thought went into the decision, and the people involved in making it would love for someone to suggest a better alternative.
dd_wizard
|

31st May 2012, 11:49 PM
|
 |
Registered User
|
|
Join Date: Jul 2009
Location: UK
Posts: 142

|
|
|
Re: Fedora 18 to support UEFI Secure Boot
Don't get me wrong I am NOT slagging Red Hat or Fedora... my question was on the ethics from Fedora's standpoint. As you can see from the OS I'm posting from I do use Microsoft (although morally I'd be happier not to). I think it would be nice of perhaps Microsoft and vendors in helping the Linux community in using this (actually great) security feature.
I see these Goliath corporations making billions and I think to myself "Why can't they put something back into the computer world". I really don't think that as a desktop, Linux will ever be able to seriously compete with them. But we add as developers, programmers, even users so much back to the computer world; often for no financial gain. My interest is computers. My OS of choice is Linux, but I help many people I know sort out their PC problems for free.
So if any big wigs at MS, Asus etc read this; please think about what you could do.
__________________
OSS - the way forward
|

31st May 2012, 11:51 PM
|
|
Official Gnome 3 Sales Rep. (and Adminstrator)
|
|
Join Date: Jul 2011
Location: Leamington Spa, UK
Age: 30
Posts: 1,847

|
|
|
Re: Fedora 18 to support UEFI Secure Boot
Quote:
Originally Posted by joncr
We are rapidly heading to a world with signed software and signed hardware and all that implies. Linux, as a community, needs to come to terms with that.
|
It's not something that can be "come to terms with". Only allowing software to run that has been signed (by a central authority) is fundamentally incompatible with free/open-source software, at least from a programmer's point of view. Yes, a distro can have its software signed, thus hiding the problem from normal users, but the only way Red Hat can get Fedora signed by Microsoft/whomever (the whoever is frankly irrelevant, I've no more problem with MS than I have with Apple or Google, or Red Hat or any other authority that isn't me frankly), is to have a "shim" boot-loader that the user never modifies, and to sign GRUB, the kernel, and any modules itself, and enforce signed-code only, at least in ring 0.
Unless the system allows me to compile/write my own kernel code, and sign it myself as "I, the user, administrator and legal owner of this machine, compiled/wrote/want this, I trust it, deal with it", then it's a problem. Luckily, for now, "trusted" boot can still be disabled.
Last edited by Gareth Jones; 1st June 2012 at 12:05 AM.
Reason: Rephrased part of it.
|

31st May 2012, 11:55 PM
|
 |
Registered User
|
|
Join Date: Jul 2009
Location: UK
Posts: 142

|
|
|
Re: Fedora 18 to support UEFI Secure Boot
Quote:
Originally Posted by Gareth Jones
It's not something that can be "come to terms with". Only allowing software to run that has been signed (by a central authority) is fundamentally incompatible with free/open-source software, at least from a programmer's point of view. Yes, a distro can have its software signed, thus hiding the problem from normal users, but the only way Red Hat can get Fedora signed by Microsoft is to have a "shim" boot-loader that the user never modifies, and to sign GRUB, the kernel, and any modules itself (and enforce signed-code only, at least in ring 0).
Unless the system allows me to compile/write my own kernel code, and sign it myself as "I compiled/wrote this, I trust it, deal with that", then it's a problem. Luckily, for now, "trusted" boot can still be disabled.
|
+1 Totally in agreement
__________________
OSS - the way forward
|

1st June 2012, 12:07 AM
|
 |
Registered User
|
|
Join Date: Nov 2006
Location: Detroit
Posts: 4,722

|
|
|
Re: Fedora 18 to support UEFI Secure Boot
Quote:
Originally Posted by Gareth Jones
Unless the system allows me to compile/write my own kernel code, and sign it myself as "I compiled/wrote this, I trust it, deal with that", then it's a problem.
|
Garrett's article mentions that users who want to build their own kernel will be able to "generate their own key and enrol it in their system firmware. We'll trust anything that's signed with a key that's present in the firmware."
__________________
OS: Fedora 18 x86_64 | CPU: AMD64 3700+ 2.2GHz | RAM: 2GB PC3200 DDR | Disk: 160GB PATA | Video: ATI Radeon 7500 AGP 64MB | Sound: Turtle Beach Santa Cruz CS4630 | Ethernet: Realtek 8110SC
|

1st June 2012, 12:11 AM
|
|
Registered User
|
|
Join Date: May 2012
Location: NC
Posts: 505

|
|
|
Re: Fedora 18 to support UEFI Secure Boot
Quote:
Originally Posted by Gareth Jones
It's not something that can be "come to terms with". Only allowing software to run that has been signed (by a central authority) is fundamentally incompatible with free/open-source software, at least from a programmer's point of view. Yes, a distro can have its software signed, thus hiding the problem from normal users, but the only way Red Hat can get Fedora signed by Microsoft is to have a "shim" boot-loader that the user never modifies, and to sign GRUB, the kernel, and any modules itself (and enforce signed-code only, at least in ring 0).
Unless the system allows me to compile/write my own kernel code, and sign it myself as "I compiled/wrote this, I trust it, deal with that", then it's a problem. Luckily, for now, "trusted" boot can still be disabled.
|
I agree 100 percent. But, I'm not a developer. There's a similar fuss going on in the Apple world where developers will be required to get their products vetted and signed before they can appear in one of the App stores. I'm a Mac user, too, so I sympathize with those developers, but only so much.
When I argue we need to come to terms with it, that reflects my confidence that there is nothing we can do about it.
If MS is going to be pushed to change its plans, I suggest the effort be to convince them to avoid the "your hardware won't work unless we say so" approach and simply warn Windows users when pre-boot malware has been found. They can even disable Windows, for all I care. Their ability to disable or effectively outlaw other software should be resisted, through the courts, preferably.
I.e., I think MS has a right to determine if a user's machine is harboring code that threatens to infect other machines running Windows. I think they have a right to react to that as they choose as long as those actions are restricted to the Windows ecology. That's as far as it goes.
Realistically, though, unless someone mounts a concerted legal challenge, I don't think MS will change course.
|

1st June 2012, 12:17 AM
|
 |
Registered User
|
|
Join Date: Sep 2009
Posts: 1,409

|
|
|
Re: Fedora 18 to support UEFI Secure Boot
My favorite quote from the replies to mjg's blog:
Quote:
Re: Totally unacceptable
Date: 2012-05-31 09:16 pm (UTC)
From: (Anonymous)
"They would have had enough corporate and market power to prevent this situation from arising."
You're labouring under a huge misconception here. We don't have such power, quite simply.
Note pjones' caveat about the Windows 8 *Client* logo. As he says, this does not apply to servers. He invites you to draw your own conclusion. The obvious conclusion is that the combined 'corporate and market power' of people who write server OSes (us, and others), people who manufacture servers, and people who use them is such that they don't want this mess in that market, and it won't be. Fine.
But no, Red Hat absolutely does not have the 'corporate and market power' to impose our desires on the consumer PC hardware market. You'd like it if we did. I'm sure we'd like it if we did. But we don't.
--adamw
|
Adam summed it up pretty well, and I love the implications for MS in the server world.
dd_wizard
|

1st June 2012, 12:29 AM
|
 |
Registered User
|
|
Join Date: Jul 2009
Location: UK
Posts: 142

|
|
|
Re: Fedora 18 to support UEFI Secure Boot
Quote:
Originally Posted by joncr
Realistically, though, unless someone mounts a concerted legal challenge, I don't think MS will change course.
|
Maybe a job for the EU as they forced MS to offer other web browsers by default other than IE to the user (in Europe anyway!). Not sure about the US political system but I'm sure freedom is a personal right in America. If enough stink is created, politicians usually think "I could get votes out of this"!
---------- Post added at 12:29 AM ---------- Previous post was at 12:25 AM ----------
Quote:
Originally Posted by dd_wizard
My favorite quote from the replies to mjg's blog:
Adam summed it up pretty well, and I love the implications for MS in the server world.
dd_wizard
|
Totally agree. Unfortunately
__________________
OSS - the way forward
|