Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Kevin Fenzi kevin at scrye.com
Sat Jun 2 21:20:05 UTC 2012 

On Sat, 2 Jun 2012 20:49:29 +0100
Alan Cox <alan at lxorguk.ukuu.org.uk> wrote:

> > 3. Create your own keys and sign your own shim/grub2/kernel and
> > remove MS'es keys. 
> 
> And how are you going to add your own keys to the firmware ? There is
> no requirement for EFI to support this in anything I've seen so far.
> Hopefully everyone will.

From the MS win 8 requirements: 

"Mandatory. On non-ARM systems, the platform MUST implement the ability
for a physically present user to select between two Secure Boot modes
in firmware setup: "Custom" and "Standard". Custom Mode allows for more
flexibility as specified in the following:

It shall be possible for a physically present user to use the Custom
Mode firmware setup option to modify the contents of the Secure Boot
signature databases and the PK. This may be implemented by simply
providing the option to clear all Secure Boot databases (PK, KEK, db,
dbx) which will put the system into setup mode."

from EFI spec: 

"While no Platform Key is enrolled, the platform is said to be
operating in setup mode. While in setup mode, the platform
firmware shall not require authentication in order to modify the
Platform Key or the Key Enrollment Key database."

From my understanding that means you will be able to setup your own
keys. At least on any hardware with win 8 requirements. 

> Also btw I wouldn't bet on removing the Microsoft key - as it stands
> you may find that means all your add on cards stop working. All those
> with firmware have to have the firmware signed too (otherwise you'd
> just insert a 'f**k you' card with breakout firmware into the box),
> and those have to be signed with a key that can be everywhere if the
> are general purpose add in cards

Well, the Fedora kernel firmware I assume would be signed/allowed. If
you need firmware not in the main linux-firmware package, you would
probibly have to go to non secure boot mode, or make your own keys and
sign the firmware with that. 

...snip...

> Remove the MS key and the firmware won't be signed. I doubt you can
> re-sign any flash firmware. That's probably only a problem for the
> paranoid because any government approved spyware from the FBI etc is
> presumably going to use the Microsoft key by default.

See above. 

kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20120602/dc86f602/attachment.sig>

More information about the users mailing list