Am 02.06.2012 15:00, schrieb Michael Mol: > On Sat, Jun 2, 2012 at 3:43 AM, Florian Philipp <li...@binarywings.net> wrote: >> Am 02.06.2012 04:26, schrieb William Kenworthy: >>> http://boingboing.net/2012/05/31/lockdown-freeopen-os-maker-p.html >>> >>> and something I had not considered with the whole idea was even bootable >>> cd's and usb keys for rescue will need the same privileges ... > > [snip] > >> Okay, enough bashing the article. Some technical question: As I >> understand it, if I want to make a live CD or a distribution, all I'd >> need to do is to use Fedora's kernel and boot loader? That's not so bad. > > Or turn off 'secure boot' in the BIOS configuration menu. > > For Windows 8 certification, a device must _default_ to 'secure boot' > being turned on. You're allowed to turn it off, you just can't have > programmatic access to turn it off; it has to be done manually. >
Yes, that was my point (or part of it). The main issue is usability for the technically not so inclined. For the typical Gentoo user secure boot is not an issue is no more trouble than changing the boot order to boot from CD-ROM. For mainstream distros like Ubuntu or Fedora, it is an issue. But they can afford to spend 99$ *once* to just get a valid key. > I expect that'll be available in things like motherboards sold > directly to end-users. I expect it *won't* be available in whatever > the current iteration of Compaq/HP/Packard Hell all-in-one devices is; > manufacturers of those devices will still have keys installed to allow > debugging and maintenance tools to operate, but their signed tools > would only be available to their certified technicians. > As I understand it, having the chance to deactivate it is now mandatory for Windows certification but I could be wrong. > Does anyone know what crypto hash they're using to sign these things? > I imagine it won't be too long (3-4 years, tops) before either the > signing key leaks or collision attacks are figured out. > According to [1] it is SHA-256 and RSA-2048. If I understand it correctly, there are means to blacklist compromised keys. That's why Fedora cannot simply share their key but they will share their infrastructure and tools. [1] http://www.uefi.org/learning_center/UEFI_Plugfest_2011Q4_P5_Insyde.pdf Regards, Florian Philipp
signature.asc
Description: OpenPGP digital signature