On Mon, Jun 18, 2012 at 8:50 AM, Edward Ned Harvey <blu at nedharvey.com> wrote:
>> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On Behalf Of Jack Coats
>>
>> So how long till this boot loader will have an 'open crack' available?
>>
>> The 'harder' the security, the bigger the target. If nothing else, I
>> am guessing someone will do a 'Fedora loader', load a minimal Fedora
>> that can boot something else from within using Fedora's 'legal' key.
>
> Maybe somebody else here knows what you're talking about, but I don't.

He's talking about the recent proposal to have Fedora create a secure/signed boot system which will be authorized by Microsoft to boot on "secure" hardware platforms:

http://mjg59.dreamwidth.org/12368.html

There's been lots of discussion on how this won't work/is bad for Linux/etc. etc. You shouldn't have any problem finding more details if you are interested.

One of the most interesting comments that I've read on the subject is that people may start hoarding kernel security bugs so they can more easily break the chain of trust that Fedora will be implementing. One non-nefarious reason to want to do this is to be able to load unsigned kernel modules while not having to go into the BIOS and add local keys. I use VirtualBox and it compiles new kernel modules whenever I install a new version. Since I won't be able to sign those modules with a key that Fedora trusts, I believe I will have to insert my own keys into the BIOS and re-sign the entire boot system.

People who are interested in Linux on ARM systems will be out of luck without a backdoor, as Microsoft-certified hardware will not allow users to insert their own keys.

BTW, I don't think I completely understand how this will all work; but I think the above is a good start for those who want to think about it.

Bill Bogstad