[arch-general] UEFI secure boot
Matthew Garrett (Redhat) has written[1] an updated and interesting blog on this topic; which of course will impact Arch too ... sharing in case anyone hasn't seen it:

http://mjg59.dreamwidth.org/12368.html

gene/

[1] Also discussed some in fedora ML
On 05/31/2012 10:48 AM, Genes MailLists wrote:
> [1] Also discussed some in fedora ML

FYI - The fedora dev discussion is titled: *countable infinities only ..

gene
Just to add another fedora link:

https://fedoraproject.org/wiki/User:Pjones/Features/SecureBoot

Sounds like they still plan to make use of the UEFI CA $99 signing service from Microsoft.

Do you think Arch should follow suit or require instead that Secure Boot is disabled?

gene/
On 04.06.2012 20:18, Genes MailLists wrote:
> Just to add another fedora link:
> https://fedoraproject.org/wiki/User:Pjones/Features/SecureBoot
> Sounds like they still plan to make use of the UEFI CA $99 signing service from Microsoft.
> Do you think Arch should follow suit or require instead that Secure Boot is disabled?

No.

1) Do not buy locked down hardware if possible.
2) On x86 you should be able to disable secure boot or put our signing key in there.

-- 
Pierre Schmitz, https://pierre-schmitz.com
On 06/04/2012 02:55 PM, Pierre Schmitz wrote:
> > Do you think Arch should follow suit or require instead that Secure Boot is disabled?
>
> No.
>
> 1) Do not buy locked down hardware if possible.

All new hardware (x86 anyway) will have this enabled by default, best I can tell, so (1) is probably not an option.

> 2) On x86 you should be able to disable secure boot or put our signing key in there.

Well yes - how to do that is what the discussion is largely about - a nice summary of the options is here:

http://mjg59.dreamwidth.org/12368.html

gene/
> > 1) Do not buy locked down hardware if possible.
>
> All new hardware (x86 anyway) will have this enabled by default, best I can tell, so (1) is probably not an option.

A lot of people (and businesses) will still want to use Windows XP or 7, years after Windows 8, so I think OEMs will make sure that works.

-- 
damjan
On 06/04/12 23:48, Genes MailLists wrote:
> Just to add another fedora link:
> https://fedoraproject.org/wiki/User:Pjones/Features/SecureBoot
> Sounds like they still plan to make use of the UEFI CA $99 signing service from Microsoft.
> Do you think Arch should follow suit or require instead that Secure Boot is disabled?
> gene/

If this is a poll, I vote "Arch should require Secure Boot to be disabled".

I choose a distro like Arch because it doesn't have a financial motive and will not give in to market pressures such as this. If we want to keep hardware vendors from forcing Secure Boot on us, we have to send the message out that we don't want it. Paying a "small" price of M$99 is not the way.

However, as free software users, we will have to endure some hard times in the coming days when getting new hardware.

Just my two cents.

Sudaraka.
On 4 June 2012 22:27, Sudaraka Wijesinghe <sudaraka.wijesinghe@gmail.com> wrote:
> On 06/04/12 23:48, Genes MailLists wrote:
> > Just to add another fedora link:
> > https://fedoraproject.org/wiki/User:Pjones/Features/SecureBoot
> > Sounds like they still plan to make use of the UEFI CA $99 signing service from Microsoft.
> > Do you think Arch should follow suit or require instead that Secure Boot is disabled?
> > gene/
>
> If this is a poll, I vote "Arch should require Secure Boot to be disabled".
>
> I choose a distro like Arch because it doesn't have a financial motive and will not give in to market pressures such as this. If we want to keep hardware vendors from forcing Secure Boot on us, we have to send the message out that we don't want it. Paying a "small" price of M$99 is not the way.
>
> However, as free software users, we will have to endure some hard times in the coming days when getting new hardware.
>
> Just my two cents.
>
> Sudaraka.

I'd like to add something to what Sudaraka said:

Arch doesn't seem to have the same kind of user as Fedora; Arch, if I don't remember it wrong, tends to be aimed at a competent user. Such a competent user can disable secure boot on x86 devices. (ARM devices don't seem to be a problem for Arch because we don't do ARM.)

Just my two cents.

Alexandre
On 06/04/2012 04:44 PM, Alexandre Ferrando wrote:
...
> Arch doesn't seem to have the same kind of user as Fedora; Arch, if I don't remember it wrong, tends to be aimed at a competent user. Such a competent user can disable secure boot on x86 devices.
...

Yep - I agree about technical competence. In fact I'm delighted to be here :-) (Ex fedora user since RH3 or so).

Perhaps, then, it might just mean the inconvenience of toggling it off/on via firmware each time if you ever needed to dual boot MS - windows 8 will def not boot with it off. Best I can tell, at least for now, it will be disableable (if that's a word).

gene/
On Mon, 4 Jun 2012 22:44:31 +0200, Alexandre Ferrando <alferpal@gmail.com> wrote:
> Arch doesn't seem to have the same kind of user as Fedora; Arch, if I don't remember it wrong, tends to be aimed at a competent user. Such a competent user can disable secure boot on x86 devices. (ARM devices don't seem to be a problem for Arch because we don't do ARM.)

Well, there is an ARM port of Arch Linux, even if it's unofficial and unsupported. But as far as I know UEFI secure boot only needs to be activated and must not be deactivated if ARM computers are shipped with Windoze, because this is only written in an M$ policy and not in a law. So in principle it shouldn't be a problem for hardware manufacturers to assemble ARM computers without UEFI secure boot, or with a UEFI secure boot which can be disabled, if they either preinstall Linux or Android, or just ship them without Windoze or any OS at all. Whether there will be such hardware manufacturers is another question. But I'm not too pessimistic if I think of the Raspberry Pi, e.g.

Heiko
On Mon, Jun 4, 2012 at 3:27 PM, Sudaraka Wijesinghe <sudaraka.wijesinghe@gmail.com> wrote:
> On 06/04/12 23:48, Genes MailLists wrote:
> > Just to add another fedora link:
> > https://fedoraproject.org/wiki/User:Pjones/Features/SecureBoot
> > Sounds like they still plan to make use of the UEFI CA $99 signing service from Microsoft.
> > Do you think Arch should follow suit or require instead that Secure Boot is disabled?
> > gene/
>
> If this is a poll, I vote "Arch should require Secure Boot to be disabled".

It's not a poll. I don't see how your (idea / lack of choice) is any better.

Cheers,
Sander
On 4 June 2012 22:27, Sudaraka Wijesinghe <sudaraka.wijesinghe@gmail.com> wrote:
> If this is a poll, I vote "Arch should require Secure Boot to be disabled".
>
> I choose a distro like Arch because it doesn't have a financial motive and will not give in to market pressures such as this. If we want to keep hardware vendors from forcing Secure Boot on us, we have to send the message out that we don't want it. Paying a "small" price of M$99 is not the way.
>
> However, as free software users, we will have to endure some hard times in the coming days when getting new hardware.
>
> Just my two cents.
>
> Sudaraka.

Assuming Arch users are competent, I'd rather let them add an Arch Linux key to UEFI without disabling Secure Boot. This way Arch would work with Secure Boot, with the added security of no one messing with the bootloader in a harmful way.

Lukas
On 5 June 2012 09:54, Lukáš Jirkovský <l.jirkovsky@gmail.com> wrote:
> On 4 June 2012 22:27, Sudaraka Wijesinghe <sudaraka.wijesinghe@gmail.com> wrote:
> > If this is a poll, I vote "Arch should require Secure Boot to be disabled".
> >
> > I choose a distro like Arch because it doesn't have a financial motive and will not give in to market pressures such as this. If we want to keep hardware vendors from forcing Secure Boot on us, we have to send the message out that we don't want it. Paying a "small" price of M$99 is not the way.
> >
> > However, as free software users, we will have to endure some hard times in the coming days when getting new hardware.
> >
> > Just my two cents.
> >
> > Sudaraka.
>
> Assuming Arch users are competent, I'd rather let them add an Arch Linux key to UEFI without disabling Secure Boot. This way Arch would work with Secure Boot, with the added security of no one messing with the bootloader in a harmful way.
>
> Lukas

Just wondering - why does it have to be Microsoft's key that is used? Could there be an Arch Linux provided key that would allow a Secure Boot?

Thanks
calvin
On 06/05/2012 11:25 AM, Calvin Morrison wrote:
> Just wondering - why does it have to be Microsoft's key that is used? Could there be an Arch Linux provided key that would allow a Secure Boot?
>
> Thanks
> calvin

To be a bit more precise - the key belongs to the owner as always. It's the signing of the key by a Certificate Authority that is the second step - it is expensive to create a CA (as discussed in mjg's blog) - Microsoft offers a UEFI CA service to sign your key.

Fedora plans to have their Fedora key signed by the UEFI CA - so no further change to the firmware is needed. They also are putting some tools together to help users self-sign their own key - which is then used to sign the boot loader (etc.) - and also to store the CA key in the firmware, so the signed bootloader will be approved by Secure Boot using your own private CA.

In order for there to be an Arch provided key - it would need either to be signed by the UEFI CA or self-signed with the CA key stored in firmware ... or something like that.

I don't yet know how MS UEFI CA key updates get installed into the firmware? I suppose it will be done much like a bios update.

gene/
On 5 June 2012 17:25, Calvin Morrison <mutantturkey@gmail.com> wrote:
> Just wondering - why does it have to be Microsoft's key that is used?

It doesn't. You can sign the boot loader using your own key. But then you need to store this key in the UEFI firmware. This is actually what I'm suggesting – that we should create an Arch Linux bootloader signing key that will be used for signing boot stuff. Users would have to store this key in their UEFI prior to installing Arch Linux.
It would appear that on Jun 4, Alexandre Ferrando did say:
> On 4 June 2012 22:27, Sudaraka Wijesinghe <sudaraka.wijesinghe@gmail.com> wrote:
> > If this is a poll, I vote "Arch should require Secure Boot to be disabled".
> >
> > I choose a distro like Arch because it doesn't have a financial motive and will not give in to market pressures such as this. If we want to keep hardware vendors from forcing Secure Boot on us, we have to send the message out that we don't want it. Paying a "small" price of M$99 is not the way.
> >
> > However, as free software users, we will have to endure some hard times in the coming days when getting new hardware.
> >
> > Just my two cents.
> >
> > Sudaraka.
>
> I'd like to add something to what Sudaraka said:
>
> Arch doesn't seem to have the same kind of user as Fedora; Arch, if I don't remember it wrong, tends to be aimed at a competent user. Such a competent user can disable secure boot on x86 devices. (ARM devices don't seem to be a problem for Arch because we don't do ARM.)

And to that it appears that on Jun 5, Lukáš Jirkovský did add:
> Assuming Arch users are competent, I'd rather let them add an Arch Linux key to UEFI without disabling Secure Boot. This way Arch would work with Secure Boot, with the added security of no one messing with the bootloader in a harmful way.

Speaking as an Arch user who is just barely competent enough for Arch, with much dependence on google and Arch's most excellent wiki, I'd like to see Arch continue to do what I see as one of its strong points. Yes, it insists on its users having a certain level of competence. But it generally seems willing to include fairly detailed step by step tutorials and guides in its wiki, to help those with less (or outdated) technical expertise become more competent.

So how about somebody who knows how to disable secure boot on x86 devices posts a good howto in the wiki (or, if that would be reinventing the wheel, a link to a good external guide)?

And likewise, in case some Arch user should inadvertently acquire some PC where somehow the firmware option to disable "Secure Boot" wasn't there, how about somebody who knows how to add an "Arch key" to UEFI posting a wiki tutorial for that?

Speaking for myself, I know I wouldn't have a clue how to do either without a good tutorial. And it's starting to sound like I'm going to have to know how to do one or the other by the time I'm ready for new hardware... My current desktop is from 2005, and it hasn't shown any signs of failing {yet}... {{Please God let me find such a tutorial when it does fail...}}

-- 
|  ~^~   ~^~
|  <*>   <*>       Joe (theWordy) Philbrook
|      ^                J(tWdy)P
|    \___/           <<jtwdyp@ttlc.net>>
On 5 June 2012 22:54, Joe(theWordy)Philbrook <jtwdyp@ttlc.net> wrote:
> Speaking as an Arch user who is just barely competent enough for Arch, with much dependence on google and Arch's most excellent wiki, I'd like to see Arch continue to do what I see as one of its strong points.
> Yes, it insists on its users having a certain level of competence. But it generally seems willing to include fairly detailed step by step tutorials and guides in its wiki, to help those with less (or outdated) technical expertise become more competent.
> So how about somebody who knows how to disable secure boot on x86 devices posts a good howto in the wiki (or, if that would be reinventing the wheel, a link to a good external guide)?

AFAIK this depends on the motherboard, so a general description of how to disable secure boot is probably not viable.

> And likewise, in case some Arch user should inadvertently acquire some PC where somehow the firmware option to disable "Secure Boot" wasn't there, how about somebody who knows how to add an "Arch key" to UEFI posting a wiki tutorial for that?

Ditto.
On Thursday 31 May 2012 10:48:27 Genes MailLists wrote:
> Matthew Garrett (Redhat) has written[1] an updated and interesting blog on this topic; which of course will impact Arch too ... sharing in case anyone hasn't seen it:
> http://mjg59.dreamwidth.org/12368.html
> gene/
> [1] Also discussed some in fedora ML

My opinion on this topic is as follows:

1. Secure Boot is not completely bad. There can be legitimate purposes to using Secure Boot. Though in a linux community, there will be no top-down usage. I don't think the need is with respect to the distribution of the software, since package signing and similar mechanisms already exist for the same. However, on an individual level, secure boot can be used to prevent individual tampering of machines. For example, no one can just turn on my machine and then try to boot through USB and then change something on my system. He will have to either crack the BIOS or do something similar, which is much more difficult, I am guessing. I am not 100% sure but this is the gist of the feature. I think Linus Torvalds also supports this [0].

2. While this feature is good, it is not always required and hence may create additional trouble/overhead for experimental adventures or even some normal work. Hence, there should be an option to boot without secure boot being enabled.

3. The sole reason Fedora is going with this approach is the fact that target users of Fedora include people who put in the CD ROM and let the installer install everything automatically. They don't want people to have to go into the BIOS and fiddle with things. An ArchLinux user is a hacker by spirit whether competent or not. Going into the BIOS and reading some BIOS manuals should not be much more difficult than trying to install a /boot partition on LVM in the current state of the ArchLinux installation procedure.

4. There are problems with using a Microsoft key. Recently there was news that the Microsoft key was used to insert the Flame malware into computers. While I don't have anything against Microsoft, it seems simple that trusting by default a key that can be exploited is bound to create problems, especially as the key is not under your control [1].

My solution to this is as follows:

a. An advanced user should be expected to add his key to the BIOS and then use it if he wants to use Secure Boot. There should be provision in mkinitcpio or some similar utility to sign the appropriate files with the appropriate key.

b. There should be an option to create the files without signing for normal non-secure boot.

c. The next question is of the ArchLinux DVD distribution and the initial bootloader. For this, I guess, we can offer Microsoft-signed or ArchLinux-signed images so that people are able to boot into the installer without going into the BIOS. This way, people who have less of a skill set and are afraid to go into the BIOS and change things are not stymied at the first step itself. I personally delayed installing ArchLinux on my computer for around two months due to my semester. However, in the meantime, I tried the ArchLinux CD and went on trying a new thing and going one step further every weekend on a different hard drive, and by the end of the semester I did not really have to stop and learn about ArchLinux. My point is that people may just try out the ArchLinux CD, trying to figure out what to do once they reach the command line root prompt. For them, having to go into the boot menu and disabling the option every time they boot from a signed system to an unsigned one is irritating. This will not push away people, but it is irritating all the same.

-- 
Cheers
Jayesh Badwaik

stop html mail | always bottom-post
www.asciiribbon.org | www.netmeister.org/news/learn2quote.html

[0] http://www.muktware.com/news/2865/linus-torvalds-secure-boot-good-can-be-used-bad-ways
[1] http://arstechnica.com/security/2012/06/flame-wields-rare-collision-crypto-attack/
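The trust model Lukáš and Jayesh describe above (sign the boot loader with your own key, enroll that key's certificate in the firmware, and let the firmware refuse any image not signed by an enrolled key), as an added example in Go that is not part of this thread or any Arch tool. It assumes a simplified model: the firmware "db" is a list of X.509 certificates and the signature is plain RSA over the image's SHA-256, whereas real firmware verifies Authenticode signatures embedded in PE binaries, so this shows the trust relation, not the file format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
)

// Signer: an owner's key pair plus the self-signed certificate whose public
// half gets enrolled in the firmware "db" (assumed model: db is a cert list).
type Signer struct{ Key *rsa.PrivateKey; Cert *x509.Certificate }

// NewSigner plays the private CA: generate a key and self-sign its certificate.
func NewSigner() (*Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{Key: key, Cert: cert}, nil
}

// Sign is the build-time step (what a mkinitcpio-style hook would do):
// sign the SHA-256 of the boot image with the owner's key (RSA PKCS#1 v1.5).
func (s *Signer) Sign(image []byte) ([]byte, error) {
	h := sha256.Sum256(image)
	return rsa.SignPKCS1v15(rand.Reader, s.Key, crypto.SHA256, h[:])
}

// FirmwareAllows models the boot-time check: the image may run only if its
// signature verifies under some certificate enrolled in db.
func FirmwareAllows(db []*x509.Certificate, image, sig []byte) bool {
	h := sha256.Sum256(image)
	for _, c := range db {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil {
			return true
		}
	}
	return false
}

func main() {
	owner, _ := NewSigner() // the user's own key, enrolled in db
	other, _ := NewSigner() // a key the user never enrolled
	db := []*x509.Certificate{owner.Cert}
	image := []byte("constructed bootloader image bytes")
	good, _ := owner.Sign(image)
	bad, _ := other.Sign(image)
	fmt.Println(FirmwareAllows(db, image, good), FirmwareAllows(db, image, bad)) // true false
	fmt.Println(FirmwareAllows(db, append([]byte("x"), image...), good))        // false: image tampered
}
```

The same check with the Microsoft UEFI CA certificate in db is what lets a vendor-signed loader boot without the owner enrolling anything, which is the trade-off the thread is weighing.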
participants (11)
- Alexandre Ferrando
- Calvin Morrison
- Damjan Georgievski
- Genes MailLists
- Heiko Baums
- Jayesh Badwaik
- Joe(theWordy)Philbrook
- Lukáš Jirkovský
- Pierre Schmitz
- Sander Jansen
- Sudaraka Wijesinghe