Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Sam Varshavchik mrsam at courier-mta.com
Fri Jun 1 11:18:28 UTC 2012


Thibault Nélis writes:

>> Yes, I think that would qualify.
>
> No it isn't necessary.  You're looking at it the wrong way;  basically only  
> the things able to boot kernels and kernels themselves have to be signed and  
> trusted to ensure the integrity of the kernels.

Who gets to make the call on what is "trusted", and what "trusted" even means?

Can I recompile my own kernel, sprinkle some magic dust over it, and make  
it "trusted", without involving any other party?

> Technically this delegates trust just as a certificate would (implicitly  
> this is sort of like a certificate since all packages, including the shim,  
> are signed by Fedora release keys), so the ability for Microsoft to review

Again, you are assuming that Microsoft will sign off on the concept of  
signing a shim, and going forward, it's the wild-wild West.

Not going to happen.

>> And, grub can boot an arbitrary Linux kernel, right?
>>
>> So, a virus that wants to compromise a signed, secure bootload chain,
>> can't it simply install Fedora's signed grub, configured to boot a
>> bare-bones Linux kernel, nothing will prevent that, right?
>
> Fedora's signed shim bootloader will check the integrity of GRUB2. GRUB2  
> itself will check the integrity of the kernel.

And the kernel will check the signature of every module?

And you will not be able to compile your own kernels, and install them,  
right?

>> And, Fedora can load any kernel module, right? Hence, load the virus
>> code onto "bare metal", right?
>
> The kernel will check the integrity of the modules.

Thought so.

> BTW, if you're wondering about loading your own modules or building your own  
> kernel, it wouldn't make sense to ask Fedora to trust your piece of  
> software,

No, it wouldn't. Why the frak should I ask anyone for permission to run my  
own software on my own computer? Can you explain that concept to me?

>           since it would have nothing to do with Fedora and won't even be in  
> their repos.

Nobody said that it would.

>              So you have to do the logical thing, generate a personal key  
> and sign your own stuff with it.

But I can't do that. Only Fedora key's signed stuff will run.

And, if an individual can get a signed key, just for asking, for their own  
stuff, so can an upper Moldovian, in order to write the next release of  
Stuxnet, that's going to get bootstrapped off Fedora.

You're living in a fantasy land.

> If the modules you want are of enough value for all Fedora users, you can  
> ask the kernel maintainers (I guess) to review them, sign them and bundle  
> them in the Fedora repositories.  This feels natural.

I don't give a frak about that. I just want to run my own stuff, without  
anyone else sticking their nose in my personal business. Is that too much to  
ask?

