Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Sam Varshavchik mrsam at courier-mta.com
Thu May 31 22:09:09 UTC 2012


Joe Zeff writes:

> On 05/31/2012 01:15 PM, Javier Perez wrote:
>> If I have to pay $99 to Microsoft in order to install my Free/Open
>> Operating System...
>
> Whatever gave you that idea?  Whoever wants to get the bootloader signed  
> (either Fedora or Red Hat) pays a one-time fee of $99, not the end users.

How big is the bootloader, in the bright universe of UEFI? Still 512 bytes?

Whatever it is, someone should just sacrifice those 512 bytes, or however  
much it is, in the name of progress, and sign a bootloader that simply loads  
the real bootloader from the next set of disk blocks, and goes from there.  
After the pain of going from 63 sectors to 2048, a few more sectors couldn't  
be much worse.

Unless I'm missing some crucial fact from this brouhaha, this should end  
up covering all of FOSS, not just Linux, in perpetuity, for all future  
versions and revisions of whatever bootloaders become necessary in the  
future.

But, I just have this nagging feeling that it can't be this easy. The  
presumed purpose of this is to block bootloader viruses, right?

The more I think about it, the more I'm convinced that I'm right, and you  
won't be able just to have any arbitrary bootloader signed. Because if you  
sign a proxy bootloader, what's to stop a bootloader virus from just swiping  
it, dumping it into the boot sector, and just using it to bootstrap itself?

B.S.

I'll be shocked if Microsoft won't require, and audit, any bootloader  
that's submitted for signing to only load an OS image that's signed by  
another key, in the bootloader itself. Because, otherwise, signing the  
bootloader is utterly worthless.

Alternatively, you mean to tell me that $99 would've stopped whoever's  
behind Stuxnet, or Flame? Looks like those fellas were/are after a much,  
much larger payoff, and $99 would be chump-change.

So, I hate to be the bearer of bad news, but I just can't believe that it's  
simply a matter of paying $99 once, no matter what your submitted  
bootloader does, or doesn't do.

Watch, wait, and see.

Furthermore, what about the opposite? Wouldn't, as part of this scenario,  
Microsoft require the hardware's firmware to be signed by Microsoft's key,  
in turn, and have Windows' bootloader check that? That seems to be more  
likely. I'm sure VMware would just love that – Microsoft taking care of  
their FOSS competition, KVM, for them.
