
Implementing UEFI Secure Boot in Fedora

Posted May 31, 2012 16:52 UTC (Thu) by mjg59 (subscriber, #23239)
In reply to: Implementing UEFI Secure Boot in Fedora by butlerm
Parent article: Implementing UEFI Secure Boot in Fedora

Which independent body did you have in mind?


Implementing UEFI Secure Boot in Fedora

Posted May 31, 2012 17:00 UTC (Thu) by dgm (subscriber, #49227) [Link]

The Apache Foundation seems to be en vogue lately.

Implementing UEFI Secure Boot in Fedora

Posted May 31, 2012 22:24 UTC (Thu) by ncm (subscriber, #165) [Link]

The Apache Foundation is where projects go to die.

Implementing UEFI Secure Boot in Fedora

Posted May 31, 2012 23:53 UTC (Thu) by dgm (subscriber, #49227) [Link]

Do you need a better reason?

Implementing UEFI Secure Boot in Fedora

Posted Jun 1, 2012 12:06 UTC (Fri) by pjones (subscriber, #31722) [Link]

We'd be happy to see them volunteer for this.

Implementing UEFI Secure Boot in Fedora

Posted May 31, 2012 17:34 UTC (Thu) by butlerm (guest, #13312) [Link]

Distributing vendor keys to every hardware manufacturer on the planet is eminently unscalable, of course. It is clearly in the general interest that the keys that every system needs to carry come from an independent signing body. A vendor like Microsoft could change its policies overnight for a variety of reasons.

The first alternative that comes to mind is a hardware manufacturers association like the PCI-SIG. The IEEE sounds like a reasonable possibility as well. Another option might be to have a centralized body carry only a list of keys that "every" device should carry, and have the actual signing be done by independent key signing authorities like Verisign. Decide on a realistic number of standard authoritative keys (a dozen perhaps) and let KSAs bid for the privilege of providing one of them.

Of course it would be nice to have a trusted non-profit KSA, provided one could come up with the necessary resources to operate one. If a sufficient number of vendors agreed, they could form a non-profit KSA and dispense with the need for independent for-profit KSAs to do the job instead. Either way, some independent organization needs to be in charge of the list of keys to be installed on essentially every device.

Implementing UEFI Secure Boot in Fedora

Posted May 31, 2012 21:00 UTC (Thu) by bronson (subscriber, #4806) [Link]

And how long do you expect it to remain independent?

Implementing UEFI Secure Boot in Fedora

Posted May 31, 2012 22:24 UTC (Thu) by butlerm (guest, #13312) [Link]

Why wouldn't a multi-vendor non-profit organization remain independent? Independence is the only reason why most of them exist. No one trusts individual vendors to be neutral in matters like these, because there are obvious conflicts of interest.

However, as of today, there probably isn't a single independent organization that is set up to run an operation like this. So the vendors that care are likely to have to either establish a new non-profit key signing authority, persuade an existing non-profit like the Apache Foundation to take on the job (with the appropriate contributions of time and resources), or establish a private for-profit key signing model where multiple independent, for-profit KSAs (think Verisign) have the ability to validate and sign binaries on a fee-for-service basis.

As it stands, from a multi-vendor point of view, it is unbelievable how poorly this was thought out. It is so bad that the whole scheme could probably be shut down on anti-trust grounds alone. It is a de facto conspiracy in restraint of trade.

Implementing UEFI Secure Boot in Fedora

Posted Jun 1, 2012 0:12 UTC (Fri) by paravoid (subscriber, #32869) [Link]

What about the Linux Foundation? I'm sure you didn't need me to tell you that idea, so what was the problem with that, if you are at liberty to say?

Implementing UEFI Secure Boot in Fedora

Posted Jun 1, 2012 17:52 UTC (Fri) by dashesy (guest, #74652) [Link]

Google is not independent, they sure want the ARM market for Android kernel, so why not the x86 world?
This will at least minimize the conflict of interest.
They can leverage their ARM advantage to the benefit of the whole community, good karma and more market influence.
