Re: Need more info: UEFI Secure Boot in Fedora [Long]

2012-06-01 Thread Alan Cox
> for the virtual machines and continue the chain. Note that you're > already half-way there with KVM, since most of its code runs in the > kernel itself. Not really. Chunks of kvm run in userspace so you'll now have to sign libc, qemu, every file qemu uses, ld.so, ... This is a general proble

Re: Need more info: UEFI Secure Boot in Fedora

2012-06-01 Thread Alan Cox
> > Demanding your money back because the board doesn't work as > > advertised cuts even more deeply into their profit margin. > > This might work with smaller retail suppliers and local shops but if > the board was advertised as supporting secure boot then you may find > that argument leaves you

Re: Need more info: UEFI Secure Boot in Fedora

2012-05-31 Thread Joe Zeff
On 05/31/2012 10:13 AM, Bryn M. Reeves wrote: This might work with smaller retail suppliers and local shops but if the board was advertised as supporting secure boot then you may find that argument leaves you without much of a case particularly if a means to disable it was provided and documented

Re: Need more info: UEFI Secure Boot in Fedora

2012-05-31 Thread Bryn M. Reeves
On 05/31/2012 06:06 PM, Joe Zeff wrote: > On 05/31/2012 03:31 AM, Alan Cox wrote: >> That will generally speaking exceed their profit margin on the >> board by quite a bit so will make them very keen to document it >> clearly for future users. > > Dem

Re: Need more info: UEFI Secure Boot in Fedora

2012-05-31 Thread Joe Zeff
On 05/31/2012 03:31 AM, Alan Cox wrote: That will generally speaking exceed their profit margin on the board by quite a bit so will make them very keen to document it clearly for future users. Demanding your money back because the board doesn't work as advertised cuts even more deeply into the

Re: Need more info: UEFI Secure Boot in Fedora [Long]

2012-05-31 Thread Thibault Nélis
On 05/31/2012 02:38 PM, Alan Cox wrote: It's of course all a bit of a joke because it's then a simple matter of using virtualisation to fake the "secure" environment and running the "secure" OS in that 8) The distributions can review the hypervisor code (then sign it as a symbol of trust) and

Re: Need more info: UEFI Secure Boot in Fedora

2012-05-31 Thread Alan Cox
> The kernel is locked down and will implement signed checks of modules. > For the purpose of this example, I just neglected to show this as I was > explaining why the MS signed first stage loader was needed. It's more complex than that - way more complicated, even leaving aside any legality quest

Re: Need more info: UEFI Secure Boot in Fedora

2012-05-31 Thread William Brown
> > No - this is insufficient. The kernel must also be locked down, check > every module, disallow iopl3() [ie some X features], disallow ioperm for > most ports, prevent any user even root from loading their own kernel > modules etc. The kernel is locked down and will implement signed checks of

Re: Need more info: UEFI Secure Boot in Fedora

2012-05-31 Thread Alan Cox
> Thanks for the reply and clearing the confusion. > and to make sure future boards I buy let users disable secure boot. By far the best idea. As a kernel rights holder I question the legality of Matthew's proposal, and it would be amusingly unfortunate if the Software Conservancy ended up beginn

Re: Need more info: UEFI Secure Boot in Fedora

2012-05-31 Thread Alan Cox
> Grub(2). This is signed by the fedora keys. It checks the signature of > the kernel against the fedora keys. > | > v > Kernel No - this is insufficient. The kernel must also be locked down, check every module, disallow iopl3() [ie some X features], disallow ioperm for most ports, prevent any use

Re: Need more info: UEFI Secure Boot in Fedora

2012-05-31 Thread William Brown
On 31/05/12 7:32 PM, Edward M wrote: > Hi, > > > I fully don't understand the approach that may be taken as workaround to > UEFI Secure Boot for Fedora: > >The last option wasn't hugely attractive, but is probably the least > worst. Microsoft will be offering signing services through their s

Re: Need more info: UEFI Secure Boot in Fedora

2012-05-31 Thread Edward M
On 05/31/2012 03:31 AM, Alan Cox wrote: If there are better options then we haven't found them. So, in all probability, this is the approach we'll take. Our first stage bootloader will be signed with a Microsoft key. Why sign it at all. Also if the boot loader was signed it wouldn't be al

Re: Need more info: UEFI Secure Boot in Fedora

2012-05-31 Thread Alan Cox
> If there are better options then we haven't found them. So, in all > probability, this is the approach we'll take. Our first stage bootloader > will be signed with a Microsoft key. Why sign it at all. Also if the boot loader was signed it wouldn't be allowed to load anything else unsigne

Need more info: UEFI Secure Boot in Fedora

2012-05-31 Thread Edward M
Hi, I fully don't understand the approach that may be taken as workaround to UEFI Secure Boot for Fedora: The last option wasn't hugely attractive, but is probably the least worst. Microsoft will be offering signing services through their sysdev portal. It's