Subject: Secure Boot. Why don't you take the wind out of their sails?
(1) Now is the time to move quickly.
The development needs to be short and clear so that even a beginner can use it
immediately.
(2) The Problem:
Microsoft and allied companies have an idea to force a Microsoft (Verisign) key
on to hardware manufacturers which may be an attempt once again to bring in
anti-competitive practices and may decrease the uptake of Linux systems. The
"Secure boot key" proposed could in fact limit consumer choice and drag Grub2
into a fight none of its making.
(3) The Problem of Verbosity:
Grub2 already has the solution to protect Grub and therefore the kernels that
Grub boots, but that solution is currently unavailable because Grub developers
have no idea how to KISS.
Keep It Simple Silly. Long-winded geeky sentences have no place in Grub.
"in some environments, such as kiosks, it may be appropriate to lock down
the boot loader to require authentication before performing certain operations.
The ‘password’ (see Section 14.3.33 [password], page 62) and ‘password_pbkdf2’
(see
Section 14.3.34 [password pbkdf2], page 62) commands can be used to define
users, each
of which has an associated password. ‘password’ sets the password in plain
text, requiring
‘grub.cfg’ to be secure; ‘password_pbkdf2’ sets the password hashed using the
Password-
Based Key Derivation Function (RFC 2898), requiring the use of
grub-mkpasswd-pbkdf2
(see Chapter 30 [Invoking grub-mkpasswd-pbkdf2], page 101) to generate password
hashes.
In order to enable authentication support, the ‘superusers’ environment variable
must be set to a list of usernames, separated by any of spaces, commas,
semicolons, pipes,
or ampersands. Superusers are permitted to use the GRUB command line, edit menu
entries, and execute any menu entry. If ‘superusers’ is set, then use of the
command line
is automatically restricted to superusers."
The above is incomprehensible to most users who are not developers. Why not
just say:
"You can password-protect Grub. This will secure it against malware and
anybody taking over your computer."
(4) The Solution:
(a) Insert into the standard Grub Menu a link which says: Set a password on
Grub, which when clicked allows the user to do so.
(b) If this has already been done, then on switching on the computer, the
password dialog box should pop up prior to the boot Menu.
(c) If this is done then we already have Secure Boot and the administrators of
companies and home computers will have protected their computers and the
Microsoft initiative becomes unnecessary, at least for Secure Boot (Secure Bios
is another matter and another battle).
(d) do it quickly, keep it simple, keep it smart then tell the world what you
have done.
Computer journalists will love you for it.
Remember, it has to be easy to understand even to people new to computers can
quickly set a password on their boot.
(5) Who am I?
A pemsioner with no background in computing, science or mathematics.
I came to computing late and have been using only open-source software for 8
years.
I have 2 oldish computers. On one I am multi-bootiong 14 operating systems with
Grub2 (13 Linux + Haiku, an experimental modular operating system).
Best wishes
grahamc
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
