LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

'You have to divulge your private key' meme

'You have to divulge your private key' meme

Posted Jul 4, 2012 17:05 UTC (Wed) by Richard_J_Neill (subscriber, #23093)
In reply to: 'You have to divulge your private key' meme by mjg59
Parent article: The FSF's advice to distributors on UEFI secure boot

>> Who gets to decide?

> Anyone with a key in KEK, so typically Microsoft and the system vendor.

Wouldn't that be monumentally anticompetitive? If (say) Ubuntu were to get a large installed base, and then somehow their private key became compromised, then for MS to revoke the key would prevent the existing (non-updated) Ubuntu installations from booting. If Ubuntu made it clear that they didn't want the revocation to occur (i.e. that they would prefer 10 million systems to keep booting, even without the negligible protection conferred by the key), isn't that grounds for a monumental lawsuit?

(Log in to post comments)

'You have to divulge your private key' meme

Posted Jul 4, 2012 17:43 UTC (Wed) by mjg59 (subscriber, #23239) [Link]

If one OS signed with the Microsoft key is compromised then they're all compromised - you'd just use the compromised OS to attack any of the others. So if Ubuntu ship a bootloader that allows arbitrary code to be executed, it's not just 10 million Ubuntu machines that are affected. You'd have to ask a lawyer to get a good idea about whether it's anticompetitive, though.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds