Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Fri Jun 1 03:34:17 UTC 2012

Edward M writes:

> On 05/31/2012 07:18 PM, Sam Varshavchik wrote:
>
>> positive and confident that this entire kit-and-kaboodle has no choice but  
>> require a closed, hood-welded-shut OS, booted up with a signed chain, in  
>> order for it to work.
>
>      Oracle Solaris?

Yes, I think that would qualify.

I would truly like for someone who is a lot more knowledgable than me, in  
this area, to answer the following short list of simple questions for me.  
Please, I'm desperate to know the answers to the following. Someone, please  
have pity on me. I'm just feeling particularly stupid today, so someone  
needs to patiently explain this to me:

We're told that Fedora's bootloader is going to get signed – and by that,  
that must mean "grub", right?

And, grub can boot an arbitrary Linux kernel, right?

So, a virus that wants to compromise a signed, secure bootload chain, can't  
it simply install Fedora's signed grub, configured to boot a bare-bones  
Linux kernel, nothing will prevent that, right?

And, Fedora can load any kernel module, right? Hence, load the virus code  
onto "bare metal", right?

Then, can't the loaded virus code simply reboot back into the original,  
Windows bootloader, that's now infected, and simply do what the virus  
would've done originally, in the absence of a signed bootloader, right?

If so, then what the FSCK did having an option for a signed bootloader  
accomplish, here???

I don't have any answers to these questions (like I said, I'm feeling a bit  
stupid today), but I do know one thing for sure. If everything that what's  
been publicly said on this subject, so far, is true, then:

Someone around here is a bloomin' idiot of the first degree. An absolute,  
total, clueless moron. Complete, and total, brain damage. That could be  
either myself – a possibility that I am perfectly willing to admit – or  
Microsoft; or whoever's pushing this.

The other possibility, of course, is that most of what's been publicly  
stated about this subject, has either been a complete lie or a fabrication;  
or certain crucial, fundamental details about this process, have been  
omitted. It just /cannot/ work the way it's been publicly announced.

Now, let me make a prediction of what I think is /really/ going to happen.  
After thinking about this, oh, for maybe five minutes, tops, I think I have  
up with the only answer that makes any logical sense, given everything  
that's been publicly said. With apologies to Sir Arthur Conan Doyle, whose  
literary masterpiece I'm about to butcher: when you exclude all  
possibilities that are logically impossible, whatever's left, no matter how  
highly improbable or bizarre, must be true.

What I'm convinced that this is all about, is that Red Hat will simply get  
Microsoft to sign a bootloader that will boot a kernel that's signed with  
Red Hat's private key. The kernel will be configured to load only kernel  
modules that are also signed by Red Hat's private key. OEMs that supply OEM  
binary blobs, for stuff like RAID cards, etc, that are certified with RHEL,  
will get Red Hat to sign their kernel modules for them, also for a token  
certification key. That's the hood, welded shut, that's absolutely mandatory  
for a secured bootloader to have any logical purpose, whatsoever.

Based on publicly known information to me, this is the only situation that  
makes any sense. Nothing else could possibly work, in any logical fashion.

Fedora is not going to be a part of this. In order to boot Fedora, it will  
be necessary to disable the secure bootload, on the hardware.

I welcome anyone to explain what part of the above is logically false, and  
why.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20120531/02cb9a87/attachment.sig>