On 07/06/12 16:46, Miles Bader wrote: > Scott Ferguson <scott.ferguson.debian.u...@gmail.com> writes: >>>> You can't disable the code signing requirement on ARM. >>> >>> ... which is a great deal more worrying. >> >> Yes. And no. >> I'd hate to see a situation where it was impossible to buy an ARM (or >> other CPU based board) without UEFI that can be disabled - but I support >> devices that can be made to *only* run signed code *provided* MS is >> *not* the certificate agency. > > Would that mean anybody who wants to build their own kernel would need > to buy a signing key? > > -miles >
For a UEFI that conforms with Windoof 8 Secure Boot on ARM? I haven't seen a such a beast - my best guess according to the specifications is that you'd have two choices (Buckley's and none):- ;sign your OS (boot, through kernel to module) with a key already signed by the UEFI key ;convince a hardware manufacturer to add your key to the UEFI For a UEFI that conforms with Windoof 8 Secure Boot on x86[*1] the only example I'm aware of is the Sony tablet with the W8 developer preview. It allows for you to use a key that has been signed by Microsoft (the $99 sysdev key) and you also add your own key to the UEFI... apparently that would *require you typing it in* (256 characters). [*1]more about that here:- http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx NOTES: there are, and will continue to be devices for sale without MS pre-installed. Anyone buying a device with MS pre-installed with the intention of replacing it with GNU/Linux is shooting themselves in the foot and helping perpetuate the myth that MS has a monopoly (Apple and Google have more influence over manufacturers than MS). We are discussing UEFI as implemented by devices bearing the W8 flag - many devices won't have that UEFI. I visited two computer stores on the weekend - both had MS on less that 15% of the devices for sale, 100% of desktops, 80% of laptops, about 50% of netbooks - and sod all of the tablets, pads, and phones. So I doubt that many UEFI for ARM devices will be built with a MS Secure Boot UEFI. Getting your key (not signed by the CA) into a Windoof 8 UEFI would require the hardware manufacturer adding it (KEK) something that only Microsoft or an OEM could swing. Unless you're offering the manufacturer a lot of money it's unlikely they'd help you - even RedHat couldn't swing that deal. I suspect a hobbyist/system administrator will have two choices with the x86 Windoof 8 UEFI:- ;pay the CA $99 for an endorsed key, use it to sign your OS and it'll "just work" ;add your own key to the UEFI *if* your hardware allows adding one to the UEFI (doesn't look like UEFI for ARM will have that capacity) If you're in the business of supporting Debian then you'd pay the $99 that way the client can only run what you are contracted to support. Would that be providing MS with sustenance? Yes - though most of that $99 goes to Verisoft. If you're in the business of supporting a pre-installed Debian you'd need to deal with the hardware manufacturer to have a custom UEFI. I suspect that last option will be made available - MS no longer have the sway with hardware manufacturers they used to... MS hasn't had a monopoly for a while so can't negotiate from a position of strength (Apple and Google can though). On a positive note - I don't believe that Microsoft has drafted the terms of the W8 UEFI to include an unsecured boot mode out of fear of being prosecuted for monopolising the UEFI.... for W8 UEFI Secure Boot to work everything must be signed - even the IE plugins, Fffflash, Acrobat etc. Never going to happen - most Windoof users will want the ability to run unsigned code, hence the unsecure boot mode. My theory is that the MS UEFI wet dream is *only MS on W8*, not *only MS on the box*. Kind regards -- Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding answers to questions about Debian:- https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/ -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4fd559b8.4060...@gmail.com
