Re: [arch-general] UEFI secure boot
On Tue, Jun 05, 2012 at 04:54:58PM -0400, Joe(theWordy)Philbrook wrote:
It would appear that on Jun 4, Alexandre Ferrando did say:
On 4 June 2012 22:27, Sudaraka Wijesinghe <sudaraka.wijesinghe@gmail.com> wrote:
If this is a poll, I vote "Arch should require Secure Boot to be disabled"
I choose a distro like Arch because it doesn't have a financial motive and will not give into market pressures such as this. If we want keep hardware vendors from forcing Secure Boot on us, we have to send the message out that we don't want it. Paying a "small" price of M$99 is not the way.
However as free software users, we will have to endure some hard time in the coming days when getting new hardware.
Just my two cents.
Sudaraka.
I'd like to add something to what Sudaraka said:
Arch doesn't seems to have the same kind of user than fedora, Arch if I don't remember it wrong, tends to be aimed for a competent user. Such a competent user can disable secure boot in x86 devices. (ARM devices doesn't seem a problem to Arch because we don't do ARM)
And to that it appears that on Jun 5, Lukáš Jirkovský did add:
Assuming the Arch Users are competent, I'd rather let them add an Arch Linux key to UEFI without disabling Secure Boot. This way Arch would work with Secure Boot with added security of no one messing with bootloader in a harmful way.
Speaking as an Arch user who is just barely competent enough for Arch with much dependence on google and Arch's most excellent wiki, I'd like to see Arch continue to do what I see as one of it's strong points.
Yes it insists on it's users having a certain level of competence. But it generally seems willing to include fairly detailed step by step tutorials and guides in it's wiki, to help those with less (or outdated) technical expertise become more competent.
So how about somebody who knows how to disable secure boot on x86 devices post a good howto in the wiki (or if that would be reinventing the wheel, a link to a good external guide.)?
And likewise, in case some Arch user should inadvertently acquire some PC where somehow the firmware option to disable "Secure Boot" wasn't there. How about somebody who knows how to add an "Arch key" to UEFI, posting a wiki tutorial for that?
Speaking for myself, I know I wouldn't have a clue how to do either without a good tutorial. And it's starting to sound like I'm going to have to know how to do one or the other by the time I'm ready for new hardware...
My current desktop is from 2005, and it hasn't shown any signs of failing {yet}... {{Please God let me find such a tutorial when it does fail...}}
This is the arch-general mailing list not the microsoft windows mailing list so why are we discussing this?? MS Windows needs secure boot because it is subject to so many malware attacks, Arch Linux does not. Arch Linux is a miminalist distribution and each user adds his/her own customizations to their own setup. Do we want to lose this option because M$ is too lazy or does not want to do its job correctly. This is typical M$ BUMF make the user pay and screw them for all they can. Each certificate will have to be privately signed because there is no standard Arch Boot Procedure. BTW I read and understood the discussions referred to in the links to this thread. John
On Wed, 6 Jun 2012 21:35:15 +1000 John Briggs wrote:
MS Windows needs secure boot because it is subject to so many malware attacks, Arch Linux does not.
Not true. MS needs it more and may well have other motives for how it is designed like stopping customers from going back to the shop and installing Win7 instead of Win8 like happened with XP and Vista. There are cross platform boot malware that usually target windows and there are also targetted malware that attacks hardware features like intels cpu management mode (protected better on modern hardware). In fact boot is probably the weak link on Unix so if unix was targetted that would probably be a favourite. Googles Chrome OS (linux) was possibly the first major commercial player to try to protect against these things. Fortress linux thinks it's method is better?? Will Microsoft hike the $99 later if there are no other CAs? If you haven't signed please do. http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/statement p.s. One good thing, hopefully bios makers will employ decent hashes for their passwords soon rather than instantly recoverable ones without hardware access.
participants (2)
-
John Briggs
-
Kevin Chadwick