Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions
Edward M writes:
On 05/31/2012 07:18 PM, Sam Varshavchik wrote:positive and confident that this entire kit-and-kaboodle has no choice but require a closed, hood-welded-shut OS, booted up with a signed chain, in order for it to work.Oracle Solaris?
Yes, I think that would qualify.I would truly like for someone who is a lot more knowledgable than me, in this area, to answer the following short list of simple questions for me. Please, I'm desperate to know the answers to the following. Someone, please have pity on me. I'm just feeling particularly stupid today, so someone needs to patiently explain this to me:
We're told that Fedora's bootloader is going to get signed – and by that, that must mean "grub", right?
And, grub can boot an arbitrary Linux kernel, right?So, a virus that wants to compromise a signed, secure bootload chain, can't it simply install Fedora's signed grub, configured to boot a bare-bones Linux kernel, nothing will prevent that, right?
And, Fedora can load any kernel module, right? Hence, load the virus code onto "bare metal", right?
Then, can't the loaded virus code simply reboot back into the original, Windows bootloader, that's now infected, and simply do what the virus would've done originally, in the absence of a signed bootloader, right?
If so, then what the FSCK did having an option for a signed bootloader accomplish, here???
I don't have any answers to these questions (like I said, I'm feeling a bit stupid today), but I do know one thing for sure. If everything that what's been publicly said on this subject, so far, is true, then:
Someone around here is a bloomin' idiot of the first degree. An absolute, total, clueless moron. Complete, and total, brain damage. That could be either myself – a possibility that I am perfectly willing to admit – or Microsoft; or whoever's pushing this.
The other possibility, of course, is that most of what's been publicly stated about this subject, has either been a complete lie or a fabrication; or certain crucial, fundamental details about this process, have been omitted. It just /cannot/ work the way it's been publicly announced.
Now, let me make a prediction of what I think is /really/ going to happen. After thinking about this, oh, for maybe five minutes, tops, I think I have up with the only answer that makes any logical sense, given everything that's been publicly said. With apologies to Sir Arthur Conan Doyle, whose literary masterpiece I'm about to butcher: when you exclude all possibilities that are logically impossible, whatever's left, no matter how highly improbable or bizarre, must be true.
What I'm convinced that this is all about, is that Red Hat will simply get Microsoft to sign a bootloader that will boot a kernel that's signed with Red Hat's private key. The kernel will be configured to load only kernel modules that are also signed by Red Hat's private key. OEMs that supply OEM binary blobs, for stuff like RAID cards, etc, that are certified with RHEL, will get Red Hat to sign their kernel modules for them, also for a token certification key. That's the hood, welded shut, that's absolutely mandatory for a secured bootloader to have any logical purpose, whatsoever.
Based on publicly known information to me, this is the only situation that makes any sense. Nothing else could possibly work, in any logical fashion.
Fedora is not going to be a part of this. In order to boot Fedora, it will be necessary to disable the secure bootload, on the hardware.
I welcome anyone to explain what part of the above is logically false, and why.
Description: PGP signature
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
[Older Fedora Users] [Fedora Announce] [Fedora Package Announce] [EPEL Announce] [Fedora News] [Fedora Cloud] [Fedora Advisory Board] [Fedora Education] [Fedora Security] [Fedora Scitech] [Fedora Robotics] [Fedora Maintainers] [Fedora Infrastructure] [Fedora Websites] [Anaconda Devel] [Fedora Devel Java] [Fedora Legacy] [Fedora Desktop] [Fedora Fonts] [ATA RAID] [Fedora Marketing] [Fedora Management Tools] [Fedora Mentors] [SSH] [Find Someone Special] [Fedora Package Review] [Fedora R Devel] [Fedora PHP Devel] [Kickstart] [Fedora Music] [Fedora Packaging] [Centos] [Fedora SELinux] [Fedora Legal] [Fedora Kernel] [Fedora QA] [Fedora Triage] [Fedora OCaml] [Coolkey] [Virtualization Tools] [ET Management Tools] [Yum Users] [Tux] [Yosemite News] [Yosemite Photos] [Linux Apps] [Maemo Users] [Gnome Users] [KDE Users] [Fedora Tools] [Fedora Art] [Fedora Docs] [Maemo Users] [Asterisk PBX] [Fedora Sparc] [Fedora Universal Network Connector] [Libvirt Users] [Fedora ARM]