Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Thibault Nélis thib at stammed.net
Fri Jun 1 12:11:18 UTC 2012


On 06/01/2012 01:18 PM, Sam Varshavchik wrote:
> Who gets to make the call on what is "trusted", and what "trusted" even means.
>
> Can I recompile my own kernel, sprinkle some magic dust over it, and
> make it "trusted", without involving any other party?

Yes, you can sign it yourself, with your own key.

> Again, you are assuming that Microsoft will sign off on the concept of
> signing a shim, and going forward, it's the wild-wild West.
>
> Not going to happen.

Well, why wouldn't they?  The alternative is a boot loader for which a 
review would make sense.  Great, but now the boot loader runs a kernel 
which hasn't been reviewed by Microsoft.  Should they review the kernel 
as well?  It's impossible.

At some point, they have to trust the people developing the software, 
and not the software itself.  In essence, the shim is like a certificate 
(since it's signed by Fedora implicitly via the package management system).

>> BTW, if you're wondering about loading your own modules or building
>> your own kernel, it wouldn't make sense to ask Fedora to trust your
>> piece of software,
>
> No, it wouldn't. Why the frak should I ask anyone for permission to run
> my own software on my own computer? Can you explain that concept to me?

Well, we agree, so just sign it yourself, there's no problem here.

>> since it would have nothing to do with Fedora and won't even be in
>> their repos.
>
> Nobody said that it would.
>
>> So you have to do the logical thing, generate a personal key and sign
>> your own stuff with it.
>
> But I can't do that. Only stuff signed with Fedora's key will run.

Yes, you can.  You have to go up the chain.  The top is the firmware, 
where you'll put your key, then sign your own shim with it.  The actual 
boot loader will then be yours to choose, and you'll make it load your 
own kernel.  Etc.

> And, if an individual can get a signed key, just for asking, for their
> own stuff, so can an upper Moldovian, in order to write the next release
> of Stuxnet, that's going to get bootstrapped off Fedora.
>
> You're living in a fantasy land.

Not quite.  They would have to ask (a) the OEMs directly, or (b) trust 
brokers that the OEMs trust.

OEMs won't care about individuals; they can't possibly, so they will 
refuse all requests.

For now, the only trust broker is Microsoft (actually, we now know that 
Verisign is somehow involved since they will receive the payments; and 
they are arguably less biased).  Microsoft/Verisign currently ask $100 
for the signatures.  Every time an attacker's malware is detected and 
blacklisted, the attacker would have to pay $100 to a trust broker to get 
a new signature.

Now, I agree that it isn't much for certain botmasters, but at least 
Verisign probably won't allow shady payments, and hiding the financial 
trail of an electronic transaction with the payment methods Verisign 
uses is increasingly difficult.  Also, I guess Microsoft/Verisign will 
ask for at least a little bit of information before signing, so you'd 
have to come up with a believable story every time, possibly with 
something to back it up.  This will discourage a lot of attackers, and 
will slow down the spread of malware significantly.  That's the plan 
anyway, and until now it's pretty sound.

Or, an attacker could walk you through the steps to install their key on 
your firmware.  For certain targets, I believe they'd be better off 
paying Verisign rather than their phone bill.  ;)

>> If the modules you want are of enough value for all Fedora users, you
>> can ask the kernel maintainers (I guess) to review them, sign them and
>> bundle them in the Fedora repositories. This feels natural.
>
> I don't give a frak about that. I just want to run my own stuff, without
> anyone else sticking their nose in my personal business. Is that too
> much to ask?

As I said already, just sign it yourself, which is only natural since 
you wouldn't be running Fedora software anymore, but your own little 
derivative of Fedora.

You should cool down, BTW.  That's just the Slashdot effect: everyone 
suddenly likes to hate, and revolution sounds cooler than ever, but it 
will pass.
-- 
t