Re: Fedora ARM and SecureBoot
On 06/08/2012 06:37 PM, Adam Jackson wrote: On Fri, 2012-06-08 at 18:14 +0100, Andrew Haley wrote: On 06/08/2012 05:42 PM, Adam Jackson wrote: And - though it pains me that this next thought might actually be unpopular, though closer investigation might reveal that I'm giving the feature too much credit, and without considering or conceding whether such a machine would be non-free - I'm pretty sure I am willing to sacrifice a minor technical point of software freedom for real gains in human freedom. I suppose I don't know what minor technical point of software freedom you're talking about. I presume it's not the freedom to change a program so it does your computing as you wish, which is scarcely a minor anything. It's more like is building or supporting a machine with this kind of lockdown intrinsically non-free. Well, that depends. Can you change the program (in this case, a kernel) and run it, or not? It's not a difficult or obscure question. I didn't intend to make it sound like you were advocating that kind of objection, I apologize if I put words in your mouth there. I'm not objecting, I'm just trying to find out what's up. Andrew. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On 08/06/12 15:00, drago01 wrote: Doubt that as they have near zero market power in that segment right now. One of the leaders in that space is selling locked down devices and nobody seems to care. Just for the record, according to the European law, it is illegal to create hindrance for free trade without regards how much market power you have. And that's still something else than misusing dominant position on the market (which is also much less than 50% ... depends on whether you have really a dominant position). Matěj -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On 06/08/2012 08:07 AM, Mario Torre wrote: On Thu, 2012-06-07 at 14:34 -0500, Chris Adams wrote: that would not allow custom kernel and such. Don't support the locked down platform; the answer to Fedora on ARM is don't buy a Win8 ARM system and expect to run Fedora. One should be very, very careful with sentences like this one. With more and more machines turning to ARM, simply dismiss it as a don't buy a Win8 ARM *may* possibly work right now, but it will turn against us in the future. You don't need to be an Oracle to see where all of this is going. Cheers, Mario And I expect this idea of preventing other OS's from being installed on Win8 ARM hardware will not fly in the EU. It's anti-competitive. In fact, the whole concept of preventing dual-booting, and requiring x86 hardware to come with Secure Boot enabled by default probably won't fly either. That too is anti-competitive. . -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Fri, Jun 8, 2012 at 2:47 PM, Gerry Reno gr...@verizon.net wrote: On 06/08/2012 08:07 AM, Mario Torre wrote: On Thu, 2012-06-07 at 14:34 -0500, Chris Adams wrote: that would not allow custom kernel and such. Don't support the locked down platform; the answer to Fedora on ARM is don't buy a Win8 ARM system and expect to run Fedora. One should be very, very careful with sentences like this one. With more and more machines turning to ARM, simply dismiss it as a don't buy a Win8 ARM *may* possibly work right now, but it will turn against us in the future. You don't need to be an Oracle to see where all of this is going. Cheers, Mario And I expect this idea of preventing other OS's from being installed on Win8 ARM hardware will not fly in the EU. It's anti-competitive. Doubt that as they have near zero market power in that segment right now. One of the leaders in that space is selling locked down devices and nobody seems to care. In fact, the whole concept of preventing dual-booting, Nothing is preventing dual booting. and requiring x86 hardware to come with Secure Boot enabled by default probably won't fly either. Adding a security feature does fly just fine. That too is anti-competitive. Not really no. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On 06/08/2012 09:00 AM, drago01 wrote: On Fri, Jun 8, 2012 at 2:47 PM, Gerry Reno gr...@verizon.net wrote: On 06/08/2012 08:07 AM, Mario Torre wrote: On Thu, 2012-06-07 at 14:34 -0500, Chris Adams wrote: that would not allow custom kernel and such. Don't support the locked down platform; the answer to Fedora on ARM is don't buy a Win8 ARM system and expect to run Fedora. One should be very, very careful with sentences like this one. With more and more machines turning to ARM, simply dismiss it as a don't buy a Win8 ARM *may* possibly work right now, but it will turn against us in the future. You don't need to be an Oracle to see where all of this is going. Cheers, Mario And I expect this idea of preventing other OS's from being installed on Win8 ARM hardware will not fly in the EU. It's anti-competitive. Doubt that as they have near zero market power in that segment right now. One of the leaders in that space is selling locked down devices and nobody seems to care. In fact, the whole concept of preventing dual-booting, Nothing is preventing dual booting. and requiring x86 hardware to come with Secure Boot enabled by default probably won't fly either. Adding a security feature does fly just fine. That too is anti-competitive. Not really no. Oh please. It's disrupting the entire x86 ecosystem. It's destroying the existing freedoms that users of other operating systems currently enjoy on x86 hardware. It's impacting business models of companies that rely on open-source operating systems that run on x86 hardware. And it's security in name only. . -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Fri, Jun 8, 2012 at 2:11 PM, Gerry Reno gr...@verizon.net wrote: On 06/08/2012 09:00 AM, drago01 wrote: On Fri, Jun 8, 2012 at 2:47 PM, Gerry Reno gr...@verizon.net wrote: On 06/08/2012 08:07 AM, Mario Torre wrote: On Thu, 2012-06-07 at 14:34 -0500, Chris Adams wrote: that would not allow custom kernel and such. Don't support the locked down platform; the answer to Fedora on ARM is don't buy a Win8 ARM system and expect to run Fedora. One should be very, very careful with sentences like this one. With more and more machines turning to ARM, simply dismiss it as a don't buy a Win8 ARM *may* possibly work right now, but it will turn against us in the future. You don't need to be an Oracle to see where all of this is going. Cheers, Mario And I expect this idea of preventing other OS's from being installed on Win8 ARM hardware will not fly in the EU. It's anti-competitive. Doubt that as they have near zero market power in that segment right now. One of the leaders in that space is selling locked down devices and nobody seems to care. In fact, the whole concept of preventing dual-booting, Nothing is preventing dual booting. and requiring x86 hardware to come with Secure Boot enabled by default probably won't fly either. Adding a security feature does fly just fine. That too is anti-competitive. Not really no. Oh please. It's disrupting the entire x86 ecosystem. It's destroying the existing freedoms that users of other operating systems currently enjoy on x86 hardware. It's impacting business models of companies that rely on open-source operating systems that run on x86 hardware. It's not doing any of that because you can disable it in the BIOS on x86. The whole purpose of this is to allow for a more secure OS and for something that works out of the box. Peter -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On 06/08/2012 09:20 AM, Peter Robinson wrote: On Fri, Jun 8, 2012 at 2:11 PM, Gerry Reno gr...@verizon.net wrote: On 06/08/2012 09:00 AM, drago01 wrote: On Fri, Jun 8, 2012 at 2:47 PM, Gerry Reno gr...@verizon.net wrote: On 06/08/2012 08:07 AM, Mario Torre wrote: On Thu, 2012-06-07 at 14:34 -0500, Chris Adams wrote: that would not allow custom kernel and such. Don't support the locked down platform; the answer to Fedora on ARM is don't buy a Win8 ARM system and expect to run Fedora. One should be very, very careful with sentences like this one. With more and more machines turning to ARM, simply dismiss it as a don't buy a Win8 ARM *may* possibly work right now, but it will turn against us in the future. You don't need to be an Oracle to see where all of this is going. Cheers, Mario And I expect this idea of preventing other OS's from being installed on Win8 ARM hardware will not fly in the EU. It's anti-competitive. Doubt that as they have near zero market power in that segment right now. One of the leaders in that space is selling locked down devices and nobody seems to care. In fact, the whole concept of preventing dual-booting, Nothing is preventing dual booting. and requiring x86 hardware to come with Secure Boot enabled by default probably won't fly either. Adding a security feature does fly just fine. That too is anti-competitive. Not really no. Oh please. It's disrupting the entire x86 ecosystem. It's destroying the existing freedoms that users of other operating systems currently enjoy on x86 hardware. It's impacting business models of companies that rely on open-source operating systems that run on x86 hardware. It's not doing any of that because you can disable it in the BIOS on x86. The whole purpose of this is to allow for a more secure OS and for something that works out of the box. Peter It does all that on x86 exactly because it is enabled by default. And on Win8 ARM you cannot disable. . -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
Once upon a time, Gerry Reno gr...@verizon.net said: And I expect this idea of preventing other OS's from being installed on Win8 ARM hardware will not fly in the EU. It's anti-competitive. You mean they don't have iPads and Android tablets in the EU? -- Chris Adams cmad...@hiwaay.net Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On 06/08/2012 10:11 AM, Chris Adams wrote: Once upon a time, Gerry Reno gr...@verizon.net said: And I expect this idea of preventing other OS's from being installed on Win8 ARM hardware will not fly in the EU. It's anti-competitive. You mean they don't have iPads and Android tablets in the EU? They do. And there are certainly anti-competitive claims that can be made related to certain ARM platforms. And now Samsung on latest devices has made it almost dead simple to unlock the bootloader. They can see the handwriting on the wall. And I expect we'll see all these bootloaders unlocked in the near future. . -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Thu, 2012-06-07 at 15:16 -0500, Chris Adams wrote: Once upon a time, Adam Jackson a...@redhat.com said: If there are ARM machines where UEFI and Secure Boot are available, we're going to have tools to do your own trust database management anyway, so why would supporting them be any different from doing the same on x86? For Windows 8 certification on ARM, Microsoft is going to require UEFI with Secure Boot enabled _and_ no method for users to disable Secure Boot or enroll their own keys (the opposite of x86 where they require a disable method and custom key enrollment support). And? I wasn't speaking to we should sign our arm images with Microsoft's key, I was speaking to we should support Secure Boot on arm. If someone wants to build an arm machine with SB support capable of running non-Windows operating systems, why would we not want to run there, and why would enabling that look any different from self-signing an x86 machine? - ajax signature.asc Description: This is a digitally signed message part -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On 06/08/2012 04:24 PM, Adam Jackson wrote: On Thu, 2012-06-07 at 15:16 -0500, Chris Adams wrote: Once upon a time, Adam Jackson a...@redhat.com said: If there are ARM machines where UEFI and Secure Boot are available, we're going to have tools to do your own trust database management anyway, so why would supporting them be any different from doing the same on x86? For Windows 8 certification on ARM, Microsoft is going to require UEFI with Secure Boot enabled _and_ no method for users to disable Secure Boot or enroll their own keys (the opposite of x86 where they require a disable method and custom key enrollment support). And? I wasn't speaking to we should sign our arm images with Microsoft's key, I was speaking to we should support Secure Boot on arm. If someone wants to build an arm machine with SB support capable of running non-Windows operating systems, why would we not want to run there, and why would enabling that look any different from self-signing an x86 machine? Forgive me if I'm missing something, but surely the reason we would not want to run there is that our users would not be able to do so as well: they wouldn't be able to modify our kernel and run it on their machine. Andrew. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Jun 8, 2012, at 6:47 AM, Gerry Reno wrote: And I expect this idea of preventing other OS's from being installed on Win8 ARM hardware will not fly in the EU. It's anti-competitive. There's no such prevention. It's just that by voluntary agreement some ARM hardware is being manufactured with Secure Boot enabled and disabling it isn't possible. To use other OS's requires they be capable of supporting Secure Boot, on such hardware. That doesn't seem to be anti-competitive at all. In fact, the whole concept of preventing dual-booting, and requiring x86 hardware to come with Secure Boot enabled by default probably won't fly either. That too is anti-competitive. There is no such concept preventing dual-booting. There is no requirement for UEFI hardware to come with SB enabled by default, outside of a voluntary agreement reached between hardware vendor and Microsoft in exchange for a specific marketing label. Chris Murphy -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Jun 8, 2012, at 8:33 AM, Gerry Reno wrote: On 06/08/2012 10:11 AM, Chris Adams wrote: You mean they don't have iPads and Android tablets in the EU? They do. And there are certainly anti-competitive claims that can be made related to certain ARM platforms. I don't think anti-competition law means what you think it means. And Apple has had a rather closed hardware platform pre-dating iOS devices. Chris Murphy -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Fri, 2012-06-08 at 16:29 +0100, Andrew Haley wrote: On 06/08/2012 04:24 PM, Adam Jackson wrote: And? I wasn't speaking to we should sign our arm images with Microsoft's key, I was speaking to we should support Secure Boot on arm. If someone wants to build an arm machine with SB support capable of running non-Windows operating systems, why would we not want to run there, and why would enabling that look any different from self-signing an x86 machine? Forgive me if I'm missing something, but surely the reason we would not want to run there is that our users would not be able to do so as well: they wouldn't be able to modify our kernel and run it on their machine. I chose my words carefully. I think you're hearing Secure Boot on arm and concluding immutable Secure Boot configuration, which to my knowledge is not a given. It's a given for machines that will ship with Windows for arm on them, and one can choose to be angry at Microsoft for that I suppose, but that's not necessarily a statement about the broader arm ecosystem. Personally I really like the idea of establishing my own trust chain on my own machines. I like the idea that I can get the assurance that my firmware hasn't been rooted _and_ not rely on anyone else's cert safety practices but my own. If I'm the sort of person who's taking my computer into hostile territory - insert oppressive government of choice here - that level of trust is potentially life saving. And - though it pains me that this next thought might actually be unpopular, though closer investigation might reveal that I'm giving the feature too much credit, and without considering or conceding whether such a machine would be non-free - I'm pretty sure I am willing to sacrifice a minor technical point of software freedom for real gains in human freedom. Software freedom is a means, not an end. Microsoft's requirements for SB on x86 enable that kind of trust for Linux (and for anyone else who wants it). It's possible to build arm machines the same way; they won't be able to run Windows, but whatever, as if I want to run Windows anyway. If arm machines like that were to exist, why _wouldn't_ we want to support them? For that matter, why would we not want to enable building them? - ajax signature.asc Description: This is a digitally signed message part -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On 06/08/2012 11:55 AM, Chris Murphy wrote: On Jun 8, 2012, at 6:47 AM, Gerry Reno wrote: And I expect this idea of preventing other OS's from being installed on Win8 ARM hardware will not fly in the EU. It's anti-competitive. There's no such prevention. It's just that by voluntary agreement some ARM hardware is being manufactured with Secure Boot enabled and disabling it isn't possible. To use other OS's requires they be capable of supporting Secure Boot, on such hardware. That doesn't seem to be anti-competitive at all. No. It's entirely anti-competitive: http://www.softwarefreedom.org/blog/2012/jan/12/microsoft-confirms-UEFI-fears-locks-down-ARM/ http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/ -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Fri, 2012-06-08 at 14:07 +0200, Mario Torre wrote: On Thu, 2012-06-07 at 14:34 -0500, Chris Adams wrote: that would not allow custom kernel and such. Don't support the locked down platform; the answer to Fedora on ARM is don't buy a Win8 ARM system and expect to run Fedora. One should be very, very careful with sentences like this one. With more and more machines turning to ARM, simply dismiss it as a don't buy a Win8 ARM *may* possibly work right now, but it will turn against us in the future. That is only assuming that Windows on ARM is successful, of which so far there's been precious little indication. -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora http://www.happyassassin.net -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On 06/08/2012 01:04 PM, Adam Williamson wrote: On Fri, 2012-06-08 at 14:07 +0200, Mario Torre wrote: On Thu, 2012-06-07 at 14:34 -0500, Chris Adams wrote: that would not allow custom kernel and such. Don't support the locked down platform; the answer to Fedora on ARM is don't buy a Win8 ARM system and expect to run Fedora. One should be very, very careful with sentences like this one. With more and more machines turning to ARM, simply dismiss it as a don't buy a Win8 ARM *may* possibly work right now, but it will turn against us in the future. That is only assuming that Windows on ARM is successful, of which so far there's been precious little indication. There is a tidal wave of these PC ARM devices coming: http://www.itworld.com/hardware/240039/qualcomm-targets-pcs-takes-aim-intels-ultrabooks -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On 06/08/2012 05:42 PM, Adam Jackson wrote: On Fri, 2012-06-08 at 16:29 +0100, Andrew Haley wrote: On 06/08/2012 04:24 PM, Adam Jackson wrote: And? I wasn't speaking to we should sign our arm images with Microsoft's key, I was speaking to we should support Secure Boot on arm. If someone wants to build an arm machine with SB support capable of running non-Windows operating systems, why would we not want to run there, and why would enabling that look any different from self-signing an x86 machine? Forgive me if I'm missing something, but surely the reason we would not want to run there is that our users would not be able to do so as well: they wouldn't be able to modify our kernel and run it on their machine. I chose my words carefully. I think you're hearing Secure Boot on arm and concluding immutable Secure Boot configuration, which to my knowledge is not a given. It's a given for machines that will ship with Windows for arm on them, and one can choose to be angry at Microsoft for that I suppose, but that's not necessarily a statement about the broader arm ecosystem. Personally I really like the idea of establishing my own trust chain on my own machines. I like the idea that I can get the assurance that my firmware hasn't been rooted _and_ not rely on anyone else's cert safety practices but my own. If I'm the sort of person who's taking my computer into hostile territory - insert oppressive government of choice here - that level of trust is potentially life saving. I have no objection to such a secure boot either. And - though it pains me that this next thought might actually be unpopular, though closer investigation might reveal that I'm giving the feature too much credit, and without considering or conceding whether such a machine would be non-free - I'm pretty sure I am willing to sacrifice a minor technical point of software freedom for real gains in human freedom. I suppose I don't know what minor technical point of software freedom you're talking about. I presume it's not the freedom to change a program so it does your computing as you wish, which is scarcely a minor anything. Software freedom is a means, not an end. Microsoft's requirements for SB on x86 enable that kind of trust for Linux (and for anyone else who wants it). It's possible to build arm machines the same way; they won't be able to run Windows, but whatever, as if I want to run Windows anyway. If arm machines like that were to exist, why _wouldn't_ we want to support them? For that matter, why would we not want to enable building them? As long as the technology isn't used to bind users, no reason at all. Andrew. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Fri, Jun 08, 2012 at 01:07:20PM -0400, Gerry Reno wrote: On 06/08/2012 01:04 PM, Adam Williamson wrote: there's been precious little indication. There is a tidal wave of these PC ARM devices coming: http://www.itworld.com/hardware/240039/qualcomm-targets-pcs-takes-aim-intels-ultrabooks And you won't be able to run Fedora on them unless you can install your own keys. I think everything that could usefully be said in this thread has already been said. -- Matthew Garrett | mj...@srcf.ucam.org -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Fri, 2012-06-08 at 13:07 -0400, Gerry Reno wrote: On 06/08/2012 01:04 PM, Adam Williamson wrote: On Fri, 2012-06-08 at 14:07 +0200, Mario Torre wrote: On Thu, 2012-06-07 at 14:34 -0500, Chris Adams wrote: that would not allow custom kernel and such. Don't support the locked down platform; the answer to Fedora on ARM is don't buy a Win8 ARM system and expect to run Fedora. One should be very, very careful with sentences like this one. With more and more machines turning to ARM, simply dismiss it as a don't buy a Win8 ARM *may* possibly work right now, but it will turn against us in the future. That is only assuming that Windows on ARM is successful, of which so far there's been precious little indication. There is a tidal wave of these PC ARM devices coming: http://www.itworld.com/hardware/240039/qualcomm-targets-pcs-takes-aim-intels-ultrabooks The question of whether anyone's going to buy them is, however, unsettled. -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora http://www.happyassassin.net -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Fri, 2012-06-08 at 18:14 +0100, Andrew Haley wrote: On 06/08/2012 05:42 PM, Adam Jackson wrote: And - though it pains me that this next thought might actually be unpopular, though closer investigation might reveal that I'm giving the feature too much credit, and without considering or conceding whether such a machine would be non-free - I'm pretty sure I am willing to sacrifice a minor technical point of software freedom for real gains in human freedom. I suppose I don't know what minor technical point of software freedom you're talking about. I presume it's not the freedom to change a program so it does your computing as you wish, which is scarcely a minor anything. It's more like is building or supporting a machine with this kind of lockdown intrinsically non-free. At least, that's an objection I've heard, from people trying to equate SB with DRM or the DMCA, which is a bit fallacious, or from the Microsoft is involved so it must be bad crowd. SB's just a technology, I believe positive use can be made of it, and DFSG 6 cuts both ways. I didn't intend to make it sound like you were advocating that kind of objection, I apologize if I put words in your mouth there. - ajax signature.asc Description: This is a digitally signed message part -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Jun 8, 2012, at 10:46 AM, Gerry Reno wrote: No. It's entirely anti-competitive: http://www.softwarefreedom.org/blog/2012/jan/12/microsoft-confirms-UEFI-fears-locks-down-ARM/ http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/ You're confusing restriction of user choice and freedom with anti-competition. The argument that this is anti-competitive when Microsoft ARM hardware is a tiny part of the market is uncompelling. This is mentioned in the first article. Further, it is possible, while presently difficult perhaps, to run a different OS on such hardware that requires Secure Boot. But I haven't read a compelling argument how this difficulty can't be dealt with, let alone how it makes the policy anti-competitive. To boot a non-Windows 8 operating system requires the same steps as Microsoft needs to get the hardware to boot Windows 8. What's the additional burden being applied to non-Windows 8 systems? Chris Murphy -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Friday, 8 בJune 2012 20:07:20 Gerry Reno wrote: On 06/08/2012 01:04 PM, Adam Williamson wrote: That is only assuming that Windows on ARM is successful, of which so far there's been precious little indication. There is a tidal wave of these PC ARM devices coming: http://www.itworld.com/hardware/240039/qualcomm-targets-pcs-takes-aim- intels-ultrabooks Hmmm... we've seen this Windows-on-non-x86 movie twice before: - Remember Alpha's? Digital (RIP) really thought MS would give them the keys to the kingdom. There was a released version. It was good enough to frighten Intel at the time (which was probably the reason MS did it). Linux sold manyfolds more Alpha's than Windows. - Ahhh, and of course MS found new suckers who bought the same used story few years later (yes, I'm talking about Windows/PPC that lived a very short life). So far, MS failed misserably in the cellular space so there's a good chance their exclusionary move on ARM will only help convince vendors that shipping Androids (and by extension other Linuces) is safer bet. -- Oron Peled Voice: +972-4-8228492 o...@actcom.co.il http://users.actcom.co.il/~oron linux/reboot.h: #define LINUX_REBOOT_MAGIC1 0xfee1dead -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Fri, Jun 8, 2012 at 2:15 PM, Oron Peled o...@actcom.co.il wrote: On Friday, 8 בJune 2012 20:07:20 Gerry Reno wrote: On 06/08/2012 01:04 PM, Adam Williamson wrote: That is only assuming that Windows on ARM is successful, of which so far there's been precious little indication. There is a tidal wave of these PC ARM devices coming: http://www.itworld.com/hardware/240039/qualcomm-targets-pcs-takes-aim- intels-ultrabooks Hmmm... we've seen this Windows-on-non-x86 movie twice before: - Remember Alpha's? Digital (RIP) really thought MS would give them the keys to the kingdom. There was a released version. It was good enough to frighten Intel at the time (which was probably the reason MS did it). Linux sold manyfolds more Alpha's than Windows. - Ahhh, and of course MS found new suckers who bought the same used story few years later (yes, I'm talking about Windows/PPC that lived a very short life). So far, MS failed misserably in the cellular space so there's a good chance their exclusionary move on ARM will only help convince vendors that shipping Androids (and by extension other Linuces) is safer bet. -- I heard (a rumor?) that MS has 100,000 phones in the public. Granted, it's not much, but it might be a start. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Fri, Jun 8, 2012 at 6:07 PM, Gerry Reno gr...@verizon.net wrote: On 06/08/2012 01:04 PM, Adam Williamson wrote: On Fri, 2012-06-08 at 14:07 +0200, Mario Torre wrote: On Thu, 2012-06-07 at 14:34 -0500, Chris Adams wrote: that would not allow custom kernel and such. Don't support the locked down platform; the answer to Fedora on ARM is don't buy a Win8 ARM system and expect to run Fedora. One should be very, very careful with sentences like this one. With more and more machines turning to ARM, simply dismiss it as a don't buy a Win8 ARM *may* possibly work right now, but it will turn against us in the future. That is only assuming that Windows on ARM is successful, of which so far there's been precious little indication. There is a tidal wave of these PC ARM devices coming: http://www.itworld.com/hardware/240039/qualcomm-targets-pcs-takes-aim-intels-ultrabooks I don't see why your seeing Microsoft as the problem here, they're a whole lot more friendly of late than Apply has been, they're a whole lot more trust worthy than most companies, they're an issuer of a signing certificate and if the lock it down I have no doubt they'll not only have the US govt and the EU screwing then down so they can't fart without asking. I would sooner MS with their recent warming towards Linux (Bing and other of their products use linux, mass contribution to OSM etc) than Apple or our supposed friends Oracle. I think we need to put some perspective we're dealing with x86 now and for ARM there's not even shipping products yet, and Windows RT is so restricted and it's not like there's not 1000's of ARM devices already on the market not running windows and not under MS control, you also just have to look at organisations like Linaro which are sponsored by ARM SoC manufacturers. Look at the current ARM market income based on platforms currently and lets look at how much of their income comes from Microsoft and how much comes from Linux and ask most of them if they would want to impact their current income? Unlikely. Peter -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Fri, Jun 8, 2012 at 10:47 PM, Richard Vickery richard.vicker...@gmail.com wrote: On Fri, Jun 8, 2012 at 2:15 PM, Oron Peled o...@actcom.co.il wrote: On Friday, 8 בJune 2012 20:07:20 Gerry Reno wrote: On 06/08/2012 01:04 PM, Adam Williamson wrote: That is only assuming that Windows on ARM is successful, of which so far there's been precious little indication. There is a tidal wave of these PC ARM devices coming: http://www.itworld.com/hardware/240039/qualcomm-targets-pcs-takes-aim- intels-ultrabooks Hmmm... we've seen this Windows-on-non-x86 movie twice before: - Remember Alpha's? Digital (RIP) really thought MS would give them the keys to the kingdom. There was a released version. It was good enough to frighten Intel at the time (which was probably the reason MS did it). Linux sold manyfolds more Alpha's than Windows. - Ahhh, and of course MS found new suckers who bought the same used story few years later (yes, I'm talking about Windows/PPC that lived a very short life). So far, MS failed misserably in the cellular space so there's a good chance their exclusionary move on ARM will only help convince vendors that shipping Androids (and by extension other Linuces) is safer bet. -- I heard (a rumor?) that MS has 100,000 phones in the public. Granted, it's not much, but it might be a start. Shocking!! There's over 700,000 Android device activations every day! 250m odd devices... they have a little catch up to do! -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Saturday, 9 בJune 2012 00:47:30 Richard Vickery wrote: On Fri, Jun 8, 2012 at 2:15 PM, Oron Peled o...@actcom.co.il wrote: On Friday, 8 בJune 2012 20:07:20 Gerry Reno wrote: On 06/08/2012 01:04 PM, Adam Williamson wrote: That is only assuming that Windows on ARM is successful, of which so far there's been precious little indication. There is a tidal wave of these PC ARM devices coming: http://www.itworld.com/hardware/240039/qualcomm-targets-pcs-takes-aim- intels-ultrabooks Hmmm... we've seen this Windows-on-non-x86 movie twice before: - Remember Alpha's? Digital (RIP) really thought MS would give them the keys to the kingdom. There was a released version. It was good enough to frighten Intel at the time (which was probably the reason MS did it). Linux sold manyfolds more Alpha's than Windows. - Ahhh, and of course MS found new suckers who bought the same used story few years later (yes, I'm talking about Windows/PPC that lived a very short life). So far, MS failed misserably in the cellular space so there's a good chance their exclusionary move on ARM will only help convince vendors that shipping Androids (and by extension other Linuces) is safer bet. I heard (a rumor?) that MS has 100,000 phones in the public. Granted, it's not much, but it might be a start. If your numbers are correct it means some MS employees and family members were deprived of the right to carry MS phones and still have to use IOS or (shock, horror, awe) Android phones... ;-) -- Oron Peled Voice: +972-4-8228492 o...@actcom.co.il http://users.actcom.co.il/~oron No, You Can't Have My Rights, I'm Still Using Them -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
What is Fedora ARM planning to do about the upcoming Microsoft hardware certification spec requiring Secure Boot? By the spec, there must be a way to disable it on x86, but on ARM they expressly prohibit turning it off. I guess the current Fedora/RedHat stance, as explained by Matthew Garrett, is to obtain a MS certificate covering x86 and presumably ARM kernels from Fedora, but this doesn't help respins and mods and even custom kernels---more likely on ARM because of the its relative newness and faster pace of development. People pointed out that MS hardware requirements for ARM don't have anwhere near the market coverage/importance as in the x86 sector, so they argue that it's OK to ignore the issue. Indeed, currently majority of ARM hardware just doesn't care about MS, but Secure Boot is a reflection of the industry trend seeking more security (*) so it's conceivable that more digital signing is in ARM's future, too. So, what is the current thinking? (*) this is true whether one agrees with it or not, and whatever one thinks about SecureBoot technical merit. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Thu, Jun 7, 2012 at 7:14 PM, Przemek Klosowski przemek.klosow...@nist.gov wrote: What is Fedora ARM planning to do about the upcoming Microsoft hardware certification spec requiring Secure Boot? By the spec, there must be a way to disable it on x86, but on ARM they expressly prohibit turning it off. I guess the current Fedora/RedHat stance, as explained by Matthew Garrett, is to obtain a MS certificate covering x86 and presumably ARM kernels from That's incorrect. The plan is to support secure boot only on x86. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Thu, Jun 07, 2012 at 01:14:57PM -0400, Przemek Klosowski wrote: What is Fedora ARM planning to do about the upcoming Microsoft hardware certification spec requiring Secure Boot? By the spec, there must be a way to disable it on x86, but on ARM they expressly prohibit turning it off. I guess the current Fedora/RedHat stance, as explained by Matthew Garrett, is to obtain a MS certificate covering x86 and presumably ARM kernels from Fedora, but this doesn't help respins and mods and even custom kernels---more likely on ARM because of the its relative newness and faster pace of development. I (personally) have no desire to support scenarios where it's impossible for the user to install their own keys, so I have no intention of working on this. It's technically possible, but I think it's incompatible with Fedora's goals. -- Matthew Garrett | mj...@srcf.ucam.org -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
Once upon a time, Przemek Klosowski przemek.klosow...@nist.gov said: What is Fedora ARM planning to do about the upcoming Microsoft hardware certification spec requiring Secure Boot? By the spec, there must be a way to disable it on x86, but on ARM they expressly prohibit turning it off. I guess the current Fedora/RedHat stance, as explained by Matthew Garrett, is to obtain a MS certificate covering x86 and presumably ARM kernels from Fedora No, if you read what was said, they are specifically _not_ going to cover ARM, because that would be attempting to put Fedora on a platform that would not allow custom kernel and such. Don't support the locked down platform; the answer to Fedora on ARM is don't buy a Win8 ARM system and expect to run Fedora. -- Chris Adams cmad...@hiwaay.net Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Thu, Jun 7, 2012 at 6:14 PM, Przemek Klosowski przemek.klosow...@nist.gov wrote: What is Fedora ARM planning to do about the upcoming Microsoft hardware certification spec requiring Secure Boot? By the spec, there must be a way to disable it on x86, but on ARM they expressly prohibit turning it off. I guess the current Fedora/RedHat stance, as explained by Matthew Garrett, is to obtain a MS certificate covering x86 and presumably ARM kernels from Fedora, but this doesn't help respins and mods and even custom kernels---more likely on ARM because of the its relative newness and faster pace of development. People pointed out that MS hardware requirements for ARM don't have anwhere near the market coverage/importance as in the x86 sector, so they argue that it's OK to ignore the issue. Indeed, currently majority of ARM hardware just doesn't care about MS, but Secure Boot is a reflection of the industry trend seeking more security (*) so it's conceivable that more digital signing is in ARM's future, too. So, what is the current thinking? The current thinking is wait and see. MS is not a leader in the market and the route that most vendors are going in the non MS ARM market is to allow users to disable the security. From the phone perspective where it might be a carrier requirement it's not a market we're even looking at and it's very hard to tell because it's very early in the MS section of the game anyway. Also at the moment there's lots of very usable HW which isn't a problem. Peter -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Thu, 2012-06-07 at 13:14 -0400, Przemek Klosowski wrote: What is Fedora ARM planning to do about the upcoming Microsoft hardware certification spec requiring Secure Boot? By the spec, there must be a way to disable it on x86, but on ARM they expressly prohibit turning it off. I guess the current Fedora/RedHat stance, as explained by Matthew Garrett, is to obtain a MS certificate covering x86 and presumably ARM kernels from Fedora, but this doesn't help respins and mods and even custom kernels---more likely on ARM because of the its relative newness and faster pace of development. People pointed out that MS hardware requirements for ARM don't have anwhere near the market coverage/importance as in the x86 sector, so they argue that it's OK to ignore the issue. Indeed, currently majority of ARM hardware just doesn't care about MS, but Secure Boot is a reflection of the industry trend seeking more security (*) so it's conceivable that more digital signing is in ARM's future, too. So, what is the current thinking? What's to decide? There are no ARM machines where getting Fedora signed by someone else would improve our ability to boot, so why would we bother getting someone else to sign Fedora on ARM? If there are ARM machines where UEFI and Secure Boot are available, we're going to have tools to do your own trust database management anyway, so why would supporting them be any different from doing the same on x86? - ajax signature.asc Description: This is a digitally signed message part -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Thu, 2012-06-07 at 21:12 +0200, drago01 wrote: On Thu, Jun 7, 2012 at 7:14 PM, Przemek Klosowski przemek.klosow...@nist.gov wrote: What is Fedora ARM planning to do about the upcoming Microsoft hardware certification spec requiring Secure Boot? By the spec, there must be a way to disable it on x86, but on ARM they expressly prohibit turning it off. I guess the current Fedora/RedHat stance, as explained by Matthew Garrett, is to obtain a MS certificate covering x86 and presumably ARM kernels from That's incorrect. The plan is to support secure boot only on x86. What gives you that impression? Why would we _not_ support secure boot on arm? - ajax signature.asc Description: This is a digitally signed message part -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
Once upon a time, Adam Jackson a...@redhat.com said: If there are ARM machines where UEFI and Secure Boot are available, we're going to have tools to do your own trust database management anyway, so why would supporting them be any different from doing the same on x86? For Windows 8 certification on ARM, Microsoft is going to require UEFI with Secure Boot enabled _and_ no method for users to disable Secure Boot or enroll their own keys (the opposite of x86 where they require a disable method and custom key enrollment support). Right now, Win8/ARM is a market of zero, but there will be hardware coming. -- Chris Adams cmad...@hiwaay.net Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Thu, Jun 7, 2012 at 10:02 PM, Adam Jackson a...@redhat.com wrote: On Thu, 2012-06-07 at 21:12 +0200, drago01 wrote: On Thu, Jun 7, 2012 at 7:14 PM, Przemek Klosowski przemek.klosow...@nist.gov wrote: What is Fedora ARM planning to do about the upcoming Microsoft hardware certification spec requiring Secure Boot? By the spec, there must be a way to disable it on x86, but on ARM they expressly prohibit turning it off. I guess the current Fedora/RedHat stance, as explained by Matthew Garrett, is to obtain a MS certificate covering x86 and presumably ARM kernels from That's incorrect. The plan is to support secure boot only on x86. What gives you that impression? Matthew's blog. Why would we _not_ support secure boot on arm? I think we should do that. (support in on ARM as well). -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Thu, Jun 7, 2012 at 9:30 PM, drago01 drag...@gmail.com wrote: On Thu, Jun 7, 2012 at 10:02 PM, Adam Jackson a...@redhat.com wrote: On Thu, 2012-06-07 at 21:12 +0200, drago01 wrote: On Thu, Jun 7, 2012 at 7:14 PM, Przemek Klosowski przemek.klosow...@nist.gov wrote: What is Fedora ARM planning to do about the upcoming Microsoft hardware certification spec requiring Secure Boot? By the spec, there must be a way to disable it on x86, but on ARM they expressly prohibit turning it off. I guess the current Fedora/RedHat stance, as explained by Matthew Garrett, is to obtain a MS certificate covering x86 and presumably ARM kernels from That's incorrect. The plan is to support secure boot only on x86. What gives you that impression? Matthew's blog. Why would we _not_ support secure boot on arm? I think we should do that. (support in on ARM as well). Well at the moment there's no even support for uEFI on ARM linux so at the moment it's putting the cart before the horse. It is being worked upon and it's certainly in the pipeline but at the moment it's not there so it's a mute point really, in the future it's possible it will be supportable but it's a long way out which ever way you look at it. Let's get decent Fedora support for the rest of the currently readily available devices and the 100s more that will come out between now and when uEFI on ARM becomes a reality. Peter -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
Przemek Klosowski writes: What is Fedora ARM planning to do about the upcoming Microsoft hardware certification spec requiring Secure Boot? Why, all they have to do is simply pay another $99. Problem solved. So, what is the current thinking? The current consensus seems to be that something or someone, somewhere around here, has jumped the shark. Not completely clear what, or who, that something is; where exactly the jump over the shark happened; and how high over the shark the jump was; but it definitely happened and the best investigative minds are on the case, searching and gathering the details. I realize that not everyone in the audience may be familiar with this idiom, so here it is: http://en.wikipedia.org/wiki/Jumping_the_shark pgp6yGFqm1CEC.pgp Description: PGP signature -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Fedora ARM and SecureBoot
On Thu, Jun 07, 2012 at 07:41:32PM -0400, Sam Varshavchik wrote: Przemek Klosowski writes: What is Fedora ARM planning to do about the upcoming Microsoft hardware certification spec requiring Secure Boot? Why, all they have to do is simply pay another $99. Problem solved. We wouldn't even have to do that. But, as I said, I'm not in favour of doing something that results in a platform where the user is unable to run the software they choose. -- Matthew Garrett | mj...@srcf.ucam.org -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel