Re: OpenBSD - UEFI Secure Boot
Well, are you sure UEFI disable button will turn off ALL of UEFI functions? Fow windows 8 certed hardware, aka most. http://download.microsoft.com/download/A/D/F/ADF5BEDE-C0FB-4CC0-A3E1-B38093F50BA1/windows8-hardware-cert-requirements-system.pdf Which states. MANDATORY. The platform shall ship with an initial, possibly empty, forbidden signature database (EFI_IMAGE_SECURITY_DATABASE1) created with the EFI_VARIABLE_TIME_BASED_AUTHENTICATED_ACCESS attribute. When a signature is added to the forbidden signature database, upon reboot, any image certified with that signature must not be allowed to initialize/execute. So revocation is possible and likely even through Windows update. AND a) It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. !! This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx) which will put the system into setup mode. !! I haven't checked this as apparently the spec is like 2000 pages. This link says the setup mode spec makes no mention of key installation by users being possible. http://mjg59.dreamwidth.org/13713.html?replyto=521361 So you will be able to disable signed booting, if you are authorised to disable you certainly should be able to import keys. I believe microsoft see making that mandatory as being against their interests. Potential Problems I see: Price hike of signing by Microsoft. Not being able to revoke Microsoft's keys perhaps with the cover of preventing malware from doing so. No interface to add keys being mandatory and so unlikely. Some will implement as selling feature. Multi-booting (apparently but I'm skeptical, you may be able to sign a key with another) Openbios projects. Hardware manufacturers specifying their windows version. If it happened a few years back, people being stuck with VISTA and not being able to get the shop to install XP. p.s. anyone know if HDD that use so much firmware these days require that it's signed? -- Why not do something good every day and install BOINC.
Re: OpenBSD - UEFI Secure Boot
On Mon, Jul 9, 2012 at 5:03 AM, Nico Kadel-Garcia nka...@gmail.com wrote: Many of us can comfortably disable UEFI, but it's going to be problematic for our less skilled colleagues. Well, are you sure UEFI disable button will turn off ALL of UEFI functions? Also, UEFI will possibly take down a dozens of Linux/BSD-oriented hardware suppliers businesses because their customers will deny to run security critical tasks on UEFI hardware. Good support for stagnating world economy. Go look at what Fedora is doing to handle this. OpenBSD boot loaders are going to have to make some kind of accomodation with this in the next 5 years, or throw in the towel for new hardware and go directly to virtualization only. (That's admittedly how I use it these days, mostly for testing components like OpenSSH before 6.0p1 was bundled.) With that virtualization, both hardware bugs and attacks against hypervisors are real world cases. So don't be naive. Trust me, I'll try hard to avoid virtualization and Fedora@UEFI on my firewalls, no matter what they did to circumvent UEFI issues. Heck, I simply have no extra 5 years to spend on that hide-and-seek games. My customers want services, not excuses for utterly unneeded maintenance downtimes (you kindly call this accommodation). Anyway, it seems you didn't get the idea above. My assumption is, customer, which is aware of UEFI sniffing on them, will deny to buy UEFI boxes. Market niche will collapse with no demand since some (presumable smaller) suppliers will be unable to diversify fast enough. Going this way will result in hardware/software monopolies destroying entire ecosystem. Raspberry Pi (and alike) is about going another way.
Re: OpenBSD - UEFI Secure Boot
Well, are you sure UEFI disable button will turn off ALL of UEFI functions? With that virtualization, both hardware bugs and attacks against hypervisors are real world cases. So don't be naive. Trust me, I'll try hard to avoid virtualization and Fedora@UEFI on my firewalls, no matter what they did to circumvent UEFI issues. Heck, I simply have no extra 5 years to spend on that hide-and-seek games. For 15+ years I read these regular Cassandra calls that this and that innovation will kill free operating systems on commodity hardware, remember Adaptec SCSI controllers, 3D video cards, I2O, trusted computing and whatever the feature of the day is called. For some reason or another these apocalypses never materialize, increasingly due to the fact that free operating systems are a major factor in the server world, and a manufacturer trying to exclude them will lose business both in the short run and long term. There are few threats to server manufacturers worse than Ok, I'll hang on to my old hardware then until it either falls apart or until this is resolved. Rudi
Re: OpenBSD - UEFI Secure Boot
Rudolf Leitgeb wrote: For 15+ years I read these regular Cassandra calls that this and that innovation will kill free operating systems on commodity hardware, remember Adaptec SCSI controllers, 3D video cards, I2O, trusted computing and whatever the feature of the day is called. It very confusing to tell what is free in this times. OK, not so hard, OpenBSD is a standard when it comes about real free meaning, I can;t complain. But you see, what to do with Linux world, it is already full of not so free (blobs) stuff. The OSes were not killed, but the possibility to use that specific hardware, yes, it was killed. Not many people can say they are using Adaptec controllers or graphic acceleration on OpenBSD. Of course, it is not OpenBSD team fault and it is not a dead end. For some reason or another these apocalypses never materialize, increasingly due to the fact that free operating systems are a major factor in the server world, and a manufacturer trying to exclude them will lose business both in the short run and long term. There are few threats to server manufacturers worse than Ok, I'll hang on to my old hardware then until it either falls apart or until this is resolved. I'm really curious, how much a manufacturer is thinking about free operating system when a new product is designed or released. I'm not an ignorant, I just don't have access to this kind of infomation.
Re: OpenBSD - UEFI Secure Boot
Remember SOPA/ACTA? If somebody is planning to have a regulation, this somebody should take care about tools which guarantee direct, not circumstantial, evidence of somebody else broke this regulation. UEFI implements network stack so it can be a long-standing strategy. UEFI is about remote monitoring without you even knowing about it, or your corporate firewall sniffing for somebody else. You buying UEFI hardware will be a sponsor of somebody sniffing on you. What an irony. Also, UEFI will possibly take down a dozens of Linux/BSD-oriented hardware suppliers businesses because their customers will deny to run security critical tasks on UEFI hardware. Good support for stagnating world economy. IMO, it is smarter to spent on Raspberry Pi port than UEFI bullshit. And don't blame Amiga. It is UEFI free, isn't it? ;) llemikebyw wrote: Tomas (and David and E.V.R. Else-Body) Yes - I'd read the thread(s) (Gentoo too..) - but the ultimate conclusion of much of the discussion is buy different hardware. I bought Betamax (because it was the best)... until... I bought SAAB (because it was the best)... until... I bought Amiga (because it was the best)... until... I don't want to be saying... I bou.. erm.. got... OpenBSD (because it was the best)... Mike
Re: OpenBSD - UEFI Secure Boot
On Sun, Jul 8, 2012 at 6:18 AM, Alexey Suslikov alexey.susli...@gmail.com wrote: Remember SOPA/ACTA? If somebody is planning to have a regulation, this somebody should take care about tools which guarantee direct, not circumstantial, evidence of somebody else broke this regulation. UEFI implements network stack so it can be a long-standing strategy. UEFI is about remote monitoring without you even knowing about it, or your corporate firewall sniffing for somebody else. It's not the only thing it's about. The old Palladium project, now known as Trusted Computing, is designed to have secured access to each level of hardware and software. Since every step individually can be circumvented with known technologies if not part of the secure stack, they've tried very hard to embed it at every level: CPU, boot loader, kernel, applications, data, and hardware. Expect to see this whole stack pushed for secure storage media and private information, because some of the primary goals are portable storage media and backup data. By securing every stage, it's also effectively digital rights managed, and for that to work, it needs to exist at every stage rom motherboard chipsets on up. Where it's going to be problematic for OpenBSD is on Windows 8 certified hardware, which has the UEFI enabled by default. It's theoretically possible for OpenBSD's boot loaders to emulate what Red Hat has done for Fedora: buy a signature for UEFI compatible shim that will load the kernel. The problem then, will be locally compiled kernels, which all my OpenBSD managing peers create as a matter of course. Many of us can comfortably disable UEFI, but it's going to be problematic for our less skilled colleagues. You buying UEFI hardware will be a sponsor of somebody sniffing on you. What an irony. Or saving $100 on buying the latest hot box, or of graciously accepting a gift, or of doing a successful dumpster dive for laptops, desktops, and server grade hardware. Also, UEFI will possibly take down a dozens of Linux/BSD-oriented hardware suppliers businesses because their customers will deny to run security critical tasks on UEFI hardware. Good support for stagnating world economy. Go look at what Fedora is doing to handle this. OpenBSD boot loaders are going to have to make some kind of accomodation with this in the next 5 years, or throw in the towel for new hardware and go directly to virtualization only. (That's admittedly how I use it these days, mostly for testing components like OpenSSH before 6.0p1 was bundled.) IMO, it is smarter to spent on Raspberry Pi port than UEFI bullshit. Good luck with that.
OpenBSD - UEFI Secure Boot
Dear Your name should be here ;-) , I have been considering the implications for BSD and Linux and any non-MS O/S of the implementation of UEFI Secure Boot (SB). As I understand it, ARM devices wishing to receive Win8 cert are required to enable SB by default and prevent the disabling of SB. Meanwhile, x86 devices are supposed to ship with SB enabled but allow disabling... For some commentators, the x86 situation has been presented as MS leaving a back-door for other OSes such as BSD or Linux etc. i.e. Don't worry about it I think it is, in fact, that MS is seeking to temporarily provide a back-door for Win XP, Vista and Win7. As each MS OS reaches end-of-paid-for-support (e.g. XP in 2014) MS will slowly relax the UEFI SB specification such that the ability to disable SB will gradually disappear from x86-based devices. I am surprised that there is so little discussion of this developing situation on BSD and/or Linux lists because for me, the red lights are flashing, all bells and hooters are sounding, We gotta get out of here!! We are potentially talking about the end of BSD (or Linux...) on x86 hardware. Am I overly pessimistic? Have I missed something? OR Am I Jeremiah shouting There's a flood coming! There's a f** flood coming, PEOPLE! while everybody else is roasting sausages on their barbecues? Mike
Re: OpenBSD - UEFI Secure Boot
Be realistic. Talking about it on misc won't change anything. Dear Your name should be here ;-) , I have been considering the implications for BSD and Linux and any non-MS O/S of the implementation of UEFI Secure Boot (SB). As I understand it, ARM devices wishing to receive Win8 cert are required to enable SB by default and prevent the disabling of SB. Meanwhile, x86 devices are supposed to ship with SB enabled but allow disabling... For some commentators, the x86 situation has been presented as MS leaving a back-door for other OSes such as BSD or Linux etc. i.e. Don't worry about it I think it is, in fact, that MS is seeking to temporarily provide a back-door for Win XP, Vista and Win7. As each MS OS reaches end-of-paid-for-support (e.g. XP in 2014) MS will slowly relax the UEFI SB specification such that the ability to disable SB will gradually disappear from x86-based devices. I am surprised that there is so little discussion of this developing situation on BSD and/or Linux lists because for me, the red lights are flashing, all bells and hooters are sounding, We gotta get out of here!! We are potentially talking about the end of BSD (or Linux...) on x86 hardware. Am I overly pessimistic? Have I missed something? OR Am I Jeremiah shouting There's a flood coming! There's a f** flood coming, PEOPLE! while everybody else is roasting sausages on their barbecues? Mike
Re: OpenBSD - UEFI Secure Boot
T, A!! Oh Yes I see what you are doing... Ah-hahaha, Yes - I agree Talk is so much puff... We need to DO... Time to work on CoreBoot or our own (who else will do it?) aftermarket BIOS solutions... Mike's plan: 1) Get EPROM programmer with PLCC adaptor 2) Get surface mount torch 3) Take over the world... Mike On 07/07/12 16:05, Theo de Raadt wrote: Be realistic. Talking about it on misc won't change anything. Dear Your name should be here ;-) , I have been considering the implications for BSD and Linux and any non-MS O/S of the implementation of UEFI Secure Boot (SB). As I understand it, ARM devices wishing to receive Win8 cert are required to enable SB by default and prevent the disabling of SB. Meanwhile, x86 devices are supposed to ship with SB enabled but allow disabling... For some commentators, the x86 situation has been presented as MS leaving a back-door for other OSes such as BSD or Linux etc. i.e. Don't worry about it I think it is, in fact, that MS is seeking to temporarily provide a back-door for Win XP, Vista and Win7. As each MS OS reaches end-of-paid-for-support (e.g. XP in 2014) MS will slowly relax the UEFI SB specification such that the ability to disable SB will gradually disappear from x86-based devices. I am surprised that there is so little discussion of this developing situation on BSD and/or Linux lists because for me, the red lights are flashing, all bells and hooters are sounding, We gotta get out of here!! We are potentially talking about the end of BSD (or Linux...) on x86 hardware. Am I overly pessimistic? Have I missed something? OR Am I Jeremiah shouting There's a flood coming! There's a f** flood coming, PEOPLE! while everybody else is roasting sausages on their barbecues? Mike
Re: OpenBSD - UEFI Secure Boot
With all the investment in non MS, mission critical / non portable apps, in the proprietry world alone, do you really think Microsoft can ever take over all of i386? Surely they can only try, and keep on trying, but it is an unwinnable arms race, and someone is going to be willing to pay for a back door each time, regardless of what lock downs occur. On Sat, Jul 07, 2012 at 03:46:50PM +0100, llemike...@aol.com wrote: Dear Your name should be here ;-) , I have been considering the implications for BSD and Linux and any non-MS O/S of the implementation of UEFI Secure Boot (SB). As I understand it, ARM devices wishing to receive Win8 cert are required to enable SB by default and prevent the disabling of SB. Meanwhile, x86 devices are supposed to ship with SB enabled but allow disabling... For some commentators, the x86 situation has been presented as MS leaving a back-door for other OSes such as BSD or Linux etc. i.e. Don't worry about it I think it is, in fact, that MS is seeking to temporarily provide a back-door for Win XP, Vista and Win7. As each MS OS reaches end-of-paid-for-support (e.g. XP in 2014) MS will slowly relax the UEFI SB specification such that the ability to disable SB will gradually disappear from x86-based devices. I am surprised that there is so little discussion of this developing situation on BSD and/or Linux lists because for me, the red lights are flashing, all bells and hooters are sounding, We gotta get out of here!! We are potentially talking about the end of BSD (or Linux...) on x86 hardware. Am I overly pessimistic? Have I missed something? OR Am I Jeremiah shouting There's a flood coming! There's a f** flood coming, PEOPLE! while everybody else is roasting sausages on their barbecues? Mike
Re: OpenBSD - UEFI Secure Boot
On Sat, Jul 7, 2012 at 4:46 PM, llemike...@aol.com llemike...@aol.com wrote: Dear Your name should be here ;-) , I have been considering the implications for BSD and Linux and any non-MS O/S of the implementation of UEFI Secure Boot (SB). As I understand it, ARM devices wishing to receive Win8 cert are required to enable SB by default and prevent the disabling of SB. Meanwhile, x86 devices are supposed to ship with SB enabled but allow disabling... For some commentators, the x86 situation has been presented as MS leaving a back-door for other OSes such as BSD or Linux etc. i.e. Don't worry about it I think it is, in fact, that MS is seeking to temporarily provide a back-door for Win XP, Vista and Win7. As each MS OS reaches end-of-paid-for-support (e.g. XP in 2014) MS will slowly relax the UEFI SB specification such that the ability to disable SB will gradually disappear from x86-based devices. I am surprised that there is so little discussion of this developing situation on BSD and/or Linux lists because for me, the red lights are flashing, all bells and hooters are sounding, We gotta get out of here!! You are probably not reading misc@ or other forums (not even OpenBSD specific) too much, right? http://marc.info/?l=openbsd-miscm=133857397722515w=2 - for example We are potentially talking about the end of BSD (or Linux...) on x86 hardware. No way and typical customers which are not target of OpenBSD will not care for sure. Am I overly pessimistic? Have I missed something? World is trying much worse stuff than UEFI http://extratorrent.com/article/2263/uk+prime+minister+calls+for+online+porn+ban.html OR Am I Jeremiah shouting There's a flood coming! There's a f** flood coming, PEOPLE! while everybody else is roasting sausages on their barbecues? Mike
Re: OpenBSD - UEFI Secure Boot
On Sat, Jul 7, 2012 at 11:25 AM, Tomas Bodzar tomas.bod...@gmail.comwrote: World is trying much worse stuff than UEFI http://extratorrent.com/article/2263/uk+prime+minister+calls+for+online+porn+ban.html What? they're going to ban porn? That's it, I'm quitting the internets.
Re: OpenBSD - UEFI Secure Boot
Tomas (and David and E.V.R. Else-Body) Yes - I'd read the thread(s) (Gentoo too..) - but the ultimate conclusion of much of the discussion is buy different hardware. I bought Betamax (because it was the best)... until... I bought SAAB (because it was the best)... until... I bought Amiga (because it was the best)... until... I don't want to be saying... I bou.. erm.. got... OpenBSD (because it was the best)... Mike On 07/07/12 18:25, Tomas Bodzar wrote: You are probably not reading misc@ or other forums (not even OpenBSD specific) too much, right? http://marc.info/?l=openbsd-miscm=133857397722515w=2 - for example
Re: OpenBSD - UEFI Secure Boot
On Sat, Jul 07, 2012 at 06:54:31PM +0100, llemike...@aol.com wrote: Tomas (and David and E.V.R. Else-Body) Yes - I'd read the thread(s) (Gentoo too..) - but the ultimate conclusion of much of the discussion is buy different hardware. I bought Betamax (because it was the best)... until... I bought SAAB (because it was the best)... until... I bought Amiga (because it was the best)... until... I don't want to be saying... I bou.. erm.. got... OpenBSD (because it was the best)... Wrong. OpenBSD does not only run on legacy archs like i386. I guess some people would like to see i386 follow the dodo^Wmac68k. -- :wq Claudio
Re: OpenBSD - UEFI Secure Boot
On Sat, Jul 07, 2012 at 06:54:31PM +0100, llemike...@aol.com wrote: I bought Betamax (because it was the best)... until... I bought SAAB (because it was the best)... until... I bought Amiga (because it was the best)... until... I don't want to be saying... I bou.. erm.. got... OpenBSD (because it was the best)... I'd be happy to sell you a freshly burned copy of OpenBSD. That way you COULD say you bought OpenBSD. $100 USD price. That buys you a $70 donation and $30 bucks for me. Everybody happy! :)
Re: OpenBSD - UEFI Secure Boot
On Sat, Jul 7, 2012 at 7:49 PM, Bob Beck b...@obtuse.com wrote: On Sat, Jul 7, 2012 at 11:25 AM, Tomas Bodzar tomas.bod...@gmail.com wrote: World is trying much worse stuff than UEFI http://extratorrent.com/article/2263/uk+prime+minister+calls+for+online+porn+ban.html What? they're going to ban porn? That's it, I'm quitting the internets. It's not about ban, it's about asumption that everyone who has high bandwidth wants that because of porn and they want to protect children so you must sign that that you want that because of porn hehehe But was meant as one of actual stupid ideas which they try to implement like UEFI.