Red Hat Will Pay Microsoft To Get Past UEFI Restrictions
Sam Varshavchik
mrsam at courier-mta.com
Thu May 31 22:09:09 UTC 2012
Joe Zeff writes:
> On 05/31/2012 01:15 PM, Javier Perez wrote:
>> If I have to pay $99 to Microsoft in order to install my Free/Open
>> Operating System...
>
> Whatever gave you that idea? Whoever wants to get the bootloader signed
> (either Fedora or RedHat) pays a one-time fee of $99, not the end users.
How big is the bootloader, in the bright universe of UEFI? Still 512 bytes?
Whatever it is, someone should just sacrifice those 512 bytes, or however
much it is, in the name of progress, and sign a bootloader that simply loads
the real bootloader from the next set of disk blocks, and goes from there.
After the pain of going from 63 sectors to 2048, a few more sectors couldn't
be much worse.
Unless I'm missing some crucial fact from this brouhaha, this should end
up covering all of FOSS, not just Linux, in perpetuity, for all future
versions and revisions of whatever bootloaders become necessary in the
future.
But, I just have this nagging feeling that it can't be this easy. The
presumed purpose of this is to block bootloader viruses, right?
The more I think about it, the more I'm convinced that I'm right, and you
won't be able just to have any arbitrary bootloader signed. Because if you
sign a proxy bootloader, what's to stop a bootloader virus from just swiping
it, dumping it into the boot sector, and just using it to bootstrap itself?
B.S.
I'll be shocked if Microsoft won't require, and audit, any bootloader
that's submitted for signing to only load an OS image that's signed by
another key, in the bootloader itself. Because, otherwise, signing the
bootloader is utterly worthless.
Alternatively, you mean to tell me that $99 would've stopped whoever's
behind Stuxnet, or Flame? Looks like those fellas were/are after a much,
much larger payoff, and $99 would be chump-change.
So, I hate to be the bearer of bad news, but I just can't believe that it's
as simple a matter of paying $99 once, no matter what your submitted
bootloader does, or doesn't do.
Watch, wait, and see.
Furthermore, what about the opposite? Wouldn't, as part of this scenario,
Microsoft require the hardware's firmware to be signed by Microsoft's key,
in turn, and have Windows' bootloader check that? That seems to be more
likely. I'm sure VMWare would just love that – Microsoft taking care of
their FOSS competition, KVM, for them.
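
The chain-of-trust argument in the message above, modeled as an added example (not part of the original post and not any real bootloader's code): firmware verifies only stage 1, and stage 1 either loads whatever follows (the "proxy" design) or checks the next stage against a key embedded in its own signed image. The toy RSA keys, the image layout and all function names are assumptions made for illustration.

```python
import hashlib
import json

def make_key(p, q, e=65537):
    """Toy textbook RSA key from two primes (constructed, NOT secure)."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def digest(blob, n):
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def sign(key, blob):
    return pow(digest(blob, key["n"]), key["d"], key["n"])

def verify(pub, blob, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(blob, pub["n"])

def build_stage1(platform_key, next_stage_pub):
    """Stage-1 image = its policy: the key it trusts for stage 2, or None."""
    image = json.dumps({"next_stage_pub": next_stage_pub}).encode()
    return image, sign(platform_key, image)

def boot(platform_pub, stage1, disk):
    """Firmware checks stage 1 only; stage 1's own policy governs stage 2."""
    image, sig = stage1
    if not verify(platform_pub, image, sig):
        return "firmware: stage 1 rejected"
    next_pub = json.loads(image)["next_stage_pub"]
    payload, payload_sig = disk
    if next_pub is not None and not verify(next_pub, payload, payload_sig):
        return "stage 1: next stage rejected"
    return "booted: " + payload.decode()

# Constructed keys: hypothetical platform signer and distro signer.
PLATFORM = make_key(2**61 - 1, 2**89 - 1)
DISTRO = make_key(2**107 - 1, 2**127 - 1)
PROXY = build_stage1(PLATFORM, None)               # signed, verifies nothing
STRICT = build_stage1(PLATFORM, public(DISTRO))    # signed, pins distro key

KERNEL = b"distro kernel"
GOOD_DISK = (KERNEL, sign(DISTRO, KERNEL))
SWAPPED_DISK = (b"unsigned replacement", GOOD_DISK[1])  # reuses a valid sig

if __name__ == "__main__":
    for name, stage1 in (("proxy", PROXY), ("strict", STRICT)):
        for label, disk in (("good", GOOD_DISK), ("swapped", SWAPPED_DISK)):
            print(name, label, "->", boot(public(PLATFORM), stage1, disk))
```

Both stage-1 images pass the firmware check; only the one that pins a next-stage key refuses the swapped payload, which is why the signature on a proxy loader alone protects nothing behind it.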