No subject


Fri Jun 24 16:40:32 EST 2011


going to do.
Perhaps a release that firmly and fairly challenges OEMs to announce
their plans would be a good start?


I also have questions around virtual bootloaders....


Will UEFI eventually be implemented in hypervisors?
BW
email message attachment (Re: [Linux-aus] Fwd: What is LA's response to
UEFI Secure Boot?)
-------- Forwarded Message --------
From: James Turnbull <james at lovedthanlost.net>
Reply-to: james at lovedthanlost.net
To: linux-aus at lists.linux.org.au
Subject: Re: [Linux-aus] Fwd: What is LA's response to UEFI Secure Boot?
Date: Sat, 04 Aug 2012 23:02:14 -0700


Here's my ten cents - firstly what's your actual call to arms? Why
should anyone care about the issue? The press release should leave the
journo with a clear picture of: "UEFI Secure Boot is a danger to ... and
we would like x."

A good press release should be structured like:

1. Headline

What's it all about... "Linux Australia opposes UEFI Secure Boot"

2. Lead

Catchy short, paragraph grabbing the journo and laying out the problem
in two-three short sentences.  Half the journos that read press releases
have zero idea what the technology is and what the implications are so
you need to lay out what it actually is and why they should bother to
care about it and your opinion on it.

3. Position & Backup

LA's position is that ... whatever the position is ... because ... xyz.
Backed up my x other organisations/research/etc.

4. Call to arms

LA would like people/govt/industry to do x and y.

5. Closing & Follow-up

Linux Australia is the peak body for Linux and open source software in
Australia and represents ... blah blah constituents, LCA, LUGs, etc,
etc. Links to contacts for the issue/sites/news etc.

Regards

James Turnbull


email message attachment


email message attachment (Re: [Linux-aus] Fwd: What is LA's response to
UEFI Secure Boot?)
-------- Forwarded Message --------
From: Russell Coker <russell at coker.com.au>
Reply-to: russell at coker.com.au
To: linux-aus at lists.linux.org.au
Subject: Re: [Linux-aus] Fwd: What is LA's response to UEFI Secure Boot?
Date: Sun, 5 Aug 2012 16:21:19 +1000


On Sun, 5 Aug 2012, Adam Nielsen <a.nielsen at shikadi.net> wrote:
>    3. Secure Boot is great, providing we have control over the keys our
>       equipment recognises as valid.
> 
> My personal position is the last one.  I think Secure Boot could work well,
> if  I can remove the Microsoft keys (since they're bound to be compromised
> sooner or later) and install my own, only allowing my chosen Linux kernels
> to boot and nothing else.

For the personal use of people like me a solution could involve typing in a 
string of 32 hexadecimal digits.  For the general public that won't work.

So merely having control over the keys isn't adequate if the usability issues 
prevent most people from being able to perform reasonable tasks such as 
installing a random distribution of Linux.

Secure boot should be relatively easy to turn off by authorized people.  Years 
ago it was common to have a keyboard lock on the front of a PC.  Turn the key 
and no-one can type on an AT keyboard that's connected.  It wouldn't be 
difficult to design a PC in a similar manner, turn the physical key and you 
can install an OS without a RSA key - or update the BIOS set of keys in some 
easy manner.

The Red Hat solution of paying money to MS for a signature on their boot 
loader is a reasonable solution for them, but it's bad for Linux companies to 
be forced to pay money to MS.  Just imagine how MS would complain if they had 
to pay money to a company like IBM for signatures.  If the first IBM PC had 
such a boot lock then MS might not even exist as we know it today.

On Sun, 5 Aug 2012, Brent Wallis <brent.wallis at gmail.com> wrote:
> I also have questions around virtual bootloaders....
> 
> Will UEFI eventually be implemented in hypervisors?

I had the impression that someone had already written such support for testing 
UEFI booting.  But in terms of actual use, why bother?  With Xen or KVM you 
can boot a kernel that's stored outside the virtual machine environment.  In 
that case any trojan running in the VM can't attack it and any trojan that can 
attack it can probably do something worse than just attacking one VM.


email message attachment (Re: [Linux-aus] Fwd: What is LA's response to
UEFI Secure Boot?)
-------- Forwarded Message --------
From: Adam Nielsen <a.nielsen at shikadi.net>
To: linux-aus at lists.linux.org.au
Subject: Re: [Linux-aus] Fwd: What is LA's response to UEFI Secure Boot?
Date: Sun, 05 Aug 2012 17:34:42 +1000


>> I also have questions around virtual bootloaders....
>>
>> Will UEFI eventually be implemented in hypervisors?
>
> I had the impression that someone had already written such support for testing
> UEFI booting.  But in terms of actual use, why bother?  With Xen or KVM you
> can boot a kernel that's stored outside the virtual machine environment.  In
> that case any trojan running in the VM can't attack it and any trojan that can
> attack it can probably do something worse than just attacking one VM.

I thought the long-term idea behind Secure Boot was that once the OS kernel is 
secure, it can enforce the signing of applications too.  Unlike now, there 
would be no way to circumvent this by patching the kernel to allow unsigned 
applications to run, as then the kernel wouldn't be allowed to boot.  If your 
application hasn't been signed, you can't run it.

 From there it would be a simple matter to require all VM software to only 
boot correctly signed kernels within the VM, or MS won't sign the VM 
application.  Thus if (when?) this day arrives, you won't be able to boot an 
unsigned Linux kernel on your PC at all, not even in a VM...

Cheers,
Adam.



email message attachment (Re: [Linux-aus] Fwd: What is LA's response to
UEFI Secure Boot?)
-------- Forwarded Message --------
From: Bianca Gibson <bianca.rachel.gibson at gmail.com>
To: linux-aus at lists.linux.org.au
Subject: Re: [Linux-aus] Fwd: What is LA's response to UEFI Secure Boot?
Date: Sun, 5 Aug 2012 18:31:15 +1000

On 5 August 2012 13:20, Adam Nielsen <a.nielsen at shikadi.net> wrote:
        3. Secure Boot is great, providing we have control over the keys
        our
              equipment recognises as valid.

That was the consensus reached at the face to face. As Russel pointed
out, there could also be usability issues. We also need to plan the
release timing to make sure it will get attention - if we put it out at
a time when no one cares it won't generate any coverage or action.

Cheers,
Bianca

_______________________________________________
linux-aus mailing list
linux-aus at lists.linux.org.au
http://lists.linux.org.au/listinfo/linux-aus

--=-2oE1U7AxbbBwefBzPrN5
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
  <META NAME="GENERATOR" CONTENT="GtkHTML/4.2.2">
</HEAD>
<BODY>
<BR>
<BR>
<PRE>

&nbsp; Hey All,
My 2c worth,

	1/ As we know Red hat/Fedora has done the deal with the devil
If all the biggies sign up are we pushing it up hill?,
	2/ the interesting one would be if I buy a putter online and chose no O/S (say like Dell or HP) would 
it still come with a locked UEFI?.

But hay I'm in, lets causes some shit

Regards
Graeme&nbsp; 
</PRE>
<TABLE CELLSPACING="0" CELLPADDING="0" BORDER="1">
<TR>
<TD>
<FONT SIZE="2">email message attachment (Re: [Linux-aus] Fwd: What is LA's response to UEFI Secure Boot?)</FONT>
</TD>
</TR>
</TABLE>
-------- Forwarded Message --------<BR>
<B>From</B>: Brent Wallis &lt;<A HREF="mailto:Brent%20Wallis%20%3cbrent.wallis at gmail.com%3e">brent.wallis at gmail.com</A>&gt;<BR>
<B>To</B>: Bianca Gibson &lt;<A HREF="mailto:Bianca%20Gibson%20%3cbianca.rachel.gibson at gmail.com%3e">bianca.rachel.gibson at gmail.com</A>&gt;<BR>
<B>Cc</B>: <A HREF="mailto:linux-aus at lists.linux.org.au">linux-aus at lists.linux.org.au</A><BR>
<B>Subject</B>: Re: [Linux-aus] Fwd: What is LA's response to UEFI Secure Boot?<BR>
<B>Date</B>: Sun, 5 Aug 2012 12:55:54 +1000<BR>
<BR>
Hi,<BR>
<BR>
On Sun, Aug 5, 2012 at 11:03 AM, Bianca Gibson &lt;<A HREF="mailto:bianca.rachel.gibson at gmail.com">bianca.rachel.gibson at gmail.com</A>&gt; wrote:<BR>
<BLOCKQUOTE>
    <BR>
</BLOCKQUOTE>
<BLOCKQUOTE>
    <BR>
    <BR>
</BLOCKQUOTE>
<BLOCKQUOTE>
    That'd be great :)<BR>
    <BR>
</BLOCKQUOTE>
<BR>
<BR>
All of the cruft,&nbsp;innuendo&nbsp;and troll nonsense aside from both sides....
Who would like to participate in an ad hoc group to do a press release draft?
<BR>
<BR>
me +1
BW
<BR>
<BR>
<BR>
<BR>
<TABLE CELLSPACING="0" CELLPADDING="0" BORDER="1">
<TR>
<TD>
<FONT SIZE="2">email message attachment (Re: [Linux-aus] Fwd: What is LA's response to UEFI Secure Boot?)</FONT>
</TD>
</TR>
</TABLE>
-------- Forwarded Message --------<BR>
<B>From</B>: Adam Nielsen &lt;<A HREF="mailto:Adam%20Nielsen%20%3ca.nielsen at shikadi.net%3e">a.nielsen at shikadi.net</A>&gt;<BR>
<B>To</B>: <A HREF="mailto:linux-aus at lists.linux.org.au">linux-aus at lists.linux.org.au</A><BR>
<B>Subject</B>: Re: [Linux-aus] Fwd: What is LA's response to UEFI Secure Boot?<BR>
<B>Date</B>: Sun, 05 Aug 2012 13:20:54 +1000<BR>
<BR>
<PRE>
&gt; All of the cruft, innuendo and troll nonsense aside from both sides....
&gt; Who would like to participate in an ad hoc group to do a press release draft?

I'm happy to be involved.  What's our position?

   1. Secure Boot is bad and should not be allowed to go ahead in any form.

   2. Secure Boot could be bad so we must ensure it can be disabled if needed.

   3. Secure Boot is great, providing we have control over the keys our
      equipment recognises as valid.

My personal position is the last one.  I think Secure Boot could work well, if 
I can remove the Microsoft keys (since they're bound to be compromised sooner 
or later) and install my own, only allowing my chosen Linux kernels to boot 
and nothing else.

Cheers,
Adam.


</PRE>
<TABLE CELLSPACING="0" CELLPADDING="0" BORDER="1">
<TR>
<TD>
<FONT SIZE="2">email message attachment (Re: [Linux-aus] Fwd: What is LA's response to UEFI Secure Boot?)</FONT>
</TD>
</TR>
</TABLE>
-------- Forwarded Message --------<BR>
<B>From</B>: Brent Wallis &lt;<A HREF="mailto:Brent%20Wallis%20%3cbrent.wallis at gmail.com%3e">brent.wallis at gmail.com</A>&gt;<BR>
<B>To</B>: Adam Nielsen &lt;<A HREF="mailto:Adam%20Nielsen%20%3ca.nielsen at shikadi.net%3e">a.nielsen at shikadi.net</A>&gt;<BR>
<B>Cc</B>: <A HREF="mailto:linux-aus at lists.linux.org.au">linux-aus at lists.linux.org.au</A><BR>
<B>Subject</B>: Re: [Linux-aus] Fwd: What is LA's response to UEFI Secure Boot?<BR>
<B>Date</B>: Sun, 5 Aug 2012 13:38:44 +1000<BR>
<BR>
Hi,<BR>
<BR>
On Sun, Aug 5, 2012 at 1:20 PM, Adam Nielsen &lt;<A HREF="mailto:a.nielsen at shikadi.net">a.nielsen at shikadi.net</A>&gt; wrote:
<BLOCKQUOTE>
    &gt; All of the cruft, innuendo and troll nonsense aside from both sides....<BR>
    &gt; Who would like to participate in an ad hoc group to do a press release draft?<BR>
    <BR>
    <BR>
</BLOCKQUOTE>
<BLOCKQUOTE>
    I'm happy to be involved. &nbsp;What's our position?<BR>
    <BR>
    &nbsp; &nbsp;1. Secure Boot is bad and should not be allowed to go ahead in any form.<BR>
    <BR>
    &nbsp; &nbsp;2. Secure Boot could be bad so we must ensure it can be disabled if needed.<BR>
    <BR>
    &nbsp; &nbsp;3. Secure Boot is great, providing we have control over the keys our<BR>
    &nbsp; &nbsp; &nbsp; equipment recognises as valid.<BR>
    <BR>
    My personal position is the last one. &nbsp;I think Secure Boot could work well, if<BR>
    I can remove the Microsoft keys (since they're bound to be compromised sooner<BR>
    or later) and install my own, only allowing my chosen Linux kernels to boot<BR>
    and nothing else.
</BLOCKQUOTE>
<BR>
<BR>
Agreed. Point 3 works for me.


More information about the linux-aus mailing list