It seems to me that we need to push for hardware vendors to install an easy way of allowing non-Microsoft-controlled access. For example, a second key controlled by some foundation, either enabled by default, or with a simple yes/no question in the BIOS.
Posted Jun 6, 2012 5:55 UTC (Wed) by smurf (subscriber, #17840)
The idea has been played with, but a foundation which does this needs a whole lot of money up front (establish secure infrastructure, badger manufacturers, …)
Apparently M$ doesn't even do the infrastructure part itself; that's been outsourced to Verisign. A sensible move, if you ask me, but it doesn't necessarily save money.
Anyway, AFAIK no corporation has been forthcoming with the $$ necessary to do this. Unless that happens, we can talk about doing a Foundation (or using an existing one for this purpose) all day long, but won't accomplish anything.
Foundation?
Posted Jun 6, 2012 10:32 UTC (Wed) by Lennie (subscriber, #49641)
"a whole lot of money up front (establish secure infrastructure, badger manufacturers, …)"
Euh, CAcert's secure infrastructure runs just fine, thank you.
"Audit ready" could possibly be solved by throwing more money at it though.
Foundation?
Posted Jun 6, 2012 12:08 UTC (Wed) by smurf (subscriber, #17840)
Exactly how many browsers get shipped with the CAcert root keys pre-installed?
What makes you think they'd have any success with BIOS manufacturers?
Foundation?
Posted Jun 6, 2012 12:35 UTC (Wed) by Lennie (subscriber, #49641)
I'm just "saying" that infrastructure is possible to achieve.
When they get audit ready, they'll be able to get into Firefox and thus Chrome and probably Windows and Opera too.
But only if they get the audit done.
Custom key management
Posted Jun 6, 2012 6:12 UTC (Wed) by DavidS (subscriber, #84675)
Yes, it'd be great to have a firmware that would allow easy key mgmt, removing all existing keys and uploading a local key. Judging from the amount of customization one gets from the big-iron shops when purchasing enough, I presume it'll be possible to get a boat-load of PCs with pre-loaded keys.
Running an "independent" certification authority on the other side will make about 99$ difference to using the Microsoft key. Except for the additional cost this "Foundation" has to shoulder to keep their own key safe.
1. Windows updates on dual-boot machines would still *need* to black-list compromised Linux certificates
2. Getting the key onto machines would still be a pain
3. The machines would still not allow running arbitrary code under secure boot
4. The machines would still be vulnerable to 0-day Windows exploits
But maybe cacert.org would be interested?
Custom key management
Posted Jun 11, 2012 12:14 UTC (Mon) by nix (subscriber, #2304)
"removing all existing keys and uploading a local key"
That sounds like you think that uploading a local key should require removal of the existing ones. Thanks, but no thanks: being able to boot from distro-provided rescue CDs is sometimes very useful!
Fedora, secure boot, and an insecure future
Posted Jun 7, 2012 11:36 UTC (Thu) by krake (subscriber, #55996)
The whole secure boot topic is an epic fail on the part of the Linux Foundation.
Not only did it fail to lobby for key management being possible and easy for computer owners, it did not make sure that its key would be pre-installed alongside Microsoft's and available for signing distributors' boot loaders.