* On 2012 05 Jun 12:26 -0500, Claudius Hubig wrote:
> Hello Doug,
>
> Doug <dmcgarr...@optonline.net> wrote:
> > I read the referenced post. It looks to me like Fedora will boot
> > without hassle, because they paid off Microsoft, and obtained a key,
> > but everything else, not having a key, will not.
>
> Yes. More precisely, they want to get a small piece of software
> signed by Microsoft, so that the computer will boot this small piece
> of software. It will then continue to load a Fedora-signed Grub,
> which loads a Fedora-signed kernel, which only loads Fedora-signed
> modules.

Ugghhh. So MS has finally figured out a way to make Linux subservient to their own ends. Nice.

> ‘Modifying the BIOS’ only includes changing settings within the BIOS,
> not flashing/upgrading the BIOS. It is comparable to changing the
> boot device or something like that.

Really? Just what guarantee is there that typical MS strong-arm contracting will result in that option being disabled on most, if not all, consumer devices? I'm going to guess the answer is somewhere between slim and none and Slim has one foot on a banana peel and the other in the grave.

> > If you can boot anything without a
> > key, then what is different than what we have now?
>
> You will have to disable secure boot or add the key used to sign the
> bootloader to your computer.

Only if those options are made available by the manufacturer.

> > (I don't care about modifying the BIOS, and so far I have not heard
> > of a virus that attacks Linux, but I'm aware that it is
> > possible--just not worth anyone's trouble to write, for such a small
> > installed base.)
>
> The problem here is that ‘we’ want a chain of trust from the BIOS to
> the desktop, so that malware cannot infect the kernel before it
> loads[1]. This means that the BIOS/UEFI must only load stuff that is
> deemed ‘safe’, which in turn - obviously - should only load other
> stuff that is also safe [2]. Hence, a Linux distribution that wants to
> boot by default from such devices must get signed by a key that is
> contained within the UEFI by default - for example, Microsoft’s [3].

Who is 'we'? Sellouts? I neither want nor need any of this rot. Let MS rot in its malware hell, I don't wish to be bothered by it. I trust the Debian project and that is all the 'trust' I need.

> In any case, the key point to remember is:
> a) You can turn off secure boot completely.

Maybe, maybe not.

> b) Secure boot allows you to control more closely what software runs
> on your computer [4].

I control it by booting Debian. I neither want nor need anyone else's permission to do so.

> c) By reducing the possibilities to attack Windows [5], you also help
> to reduce spam, DDoS attacks etc.

Again, let MS rot in its malware hell. I don't care! Perhaps if MS had been a bit more proactive a couple of decades ago we would not be having this discussion. MSFT issues are not for us in the Debian or wider Linux community to resolve.

If need be, community oriented hardware based on ARM and such will become the order of the day for general purpose computer. Consumer hardware is being made off-limits to the hobbyist.

- Nate >>

--
"The optimist proclaims that we live in the best of all possible worlds. The pessimist fears this is true."

Ham radio, Linux, bikes, and more: http://www.n0nb.us

Archive: http://lists.debian.org/20120605180127.gj6...@n0nb.us