Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Sat Jun 2 15:35:46 UTC 2012

On 06/02/2012 04:34 AM, Sam Varshavchik wrote:
>> Well the math doesn't compute here, it's cryptographically impossible.
>> I mean you could sign a shim that won't verify the integrity of the boot
>
> There you go.

Look I can't really go on on that.  You seem to imply that this is a bad 
thing.  I simply say that it doesn't make sense to want this in the 
first place.  I don't know what to say.

>> loader, but you would gain absolutely nothing from secure boot then,
>> it makes as much as disabling it entirely.
>
> Let's rewind it back up a bit.
>
> The presumed purpose of a secure boot is to prevent bootloader-infecting
> malware.
>
> Once that out of the way, you're done with your secure boot. Proceed as
> usual.

Not really, since you established yourself that a kernel can act as a 
boot loader in a lot of ways.  Leaving the ability to infect the kernel 
or any software able to boot another OS is the same as leaving secure 
boot disabled, so simply disable it.

> Actually, it makes perfect sense. This is analogous to client
> certificate verification with TLS.
>
>> mean it's not even a real catch-22, you won't ever boot the kernel
>> before the firmware, so this is a non-issue.
>
> You need to put yourself into Microsoft's frame of mind.
>
> They're going in the direction of OEMs locking down their firmware to
> booting only Microsoft OSes. Now, the other shoe drops. In turn, some
> future Microsoft OS release will only boot on firmware that's signed by
> Microsoft's key. If it's not, the OS will refuse to boot, displaying a
> soothing message to the user that their hardware is incompatible.
>
> To make it compatible, OEMs will have to pay the same $99 fee for
> Microsoft to sign their firmware.
>
> Now you get it?

Yes, you're right, it does make sense.  That would be considered 
blackmail though, at least if these OEMs don't have the option to 
abandon Microsoft to sell their products to competitors.  Could they 
even get away with it?

Anyway, this would only affect OEMs and Windows users who want to 
install their copy of Windows on machines they assemble themselves (or 
in any way non-approved by Microsoft).  Do we really care about them?  I 
don't mean it in a bad way, but we've got enough to worry about already, 
that's an issue the FSF and the EFF might be interested in, not Fedora 
users.  (If I did mean it in a bad way, I'd say these people could 
potentially become happy new Linux users :).)

> Who said anything about selling?
>
> In the next sentence, my reference to copyright infringement was not a
> throwaway line. In order to boot a future Microsoft OS release, in a
> future version of libvirt, you will need a signed firmware image, swiped
> from an OEM who paid the Microsoft tax, order for the Microsoft OS to
> boot in your VM.
>
> VMWare will have no issues paying a fee to Microsoft, for their VM
> firmware signed, of course.

Oh, you're right, add the hypervisor developers to the previous list of 
affected people;  I admit I didn't think of the VM side of things.

Actually it would even be the responsibility of the distributors to sign 
the hypervisors in this world.  These we should certainly care about, I 
agree.

> It's just that I see this a mile away. It's as clear a day.
>
> I have no particular passion towards Microsoft. I just want them to
> leave me the hell alone, that's all.

I know what you mean.  Well, I learned a lot.
-- 
t