
still a few glitches in the system...

Posted Nov 20, 2012 15:22 UTC (Tue) by davidescott (guest, #58580)
In reply to: still a few glitches in the system... by mjw
Parent article: Bottomley: Adventures in Microsoft UEFI Signing

I actually didn't see the point of a large part of Bottomley's post. MSFT certainly doesn't care if this is hard to do using open-source tools. We might think some of the steps are obnoxious but that doesn't mean it doesn't work or is in some way immoral.

When someone asks for help with proprietary program X it's common to suggest open source implementation Y. Does that make us bad people trying to subvert the proprietary software movement, or does it just reflect the fact that we understand and have experience with the open-source version? Clearly MSFT has tested their process with a particular set of Windows tools, and it evidently almost worked.

The only real mistakes in their process are
a) The initial error when the process was checked to see if it was a win32 binary
b) signing the key with a generic MSFT key that they don't want you to actually use.
Complaining about Cabinet files and Silverlight seems a bit off to me.

still a few glitches in the system...

Posted Nov 20, 2012 15:50 UTC (Tue) by drag (subscriber, #31333) [Link]

>MSFT certainly doesn't care if this is hard to do using open-source tools. We might think some of the steps are obnoxious but that doesn't mean it doesn't work or is in some way immoral.

Well the IP system is immoral and if Microsoft is trying to exploit it to limit competitors then that is immoral also.

But it also can be just pure incompetence and/or apathy.

still a few glitches in the system...

Posted Nov 20, 2012 16:03 UTC (Tue) by davidescott (guest, #58580) [Link]

What does IP have to do with this?

still a few glitches in the system...

Posted Nov 23, 2012 0:58 UTC (Fri) by Rudd-O (guest, #61155) [Link]

Microsoft only has the power it has over you -- the power to deny your use of your stuff -- because of Intellectual Poverty.

Intellectual Poverty -- the belief that it is okay for a monopolist to punish you for your use of your property in ways he disapproves -- is obviously immoral.

If this topic interests you, Stephan Kinsella has written Against Intellectual Property, a treatise that covers this topic at length.

Have a nice day.

still a few glitches in the system...

Posted Nov 20, 2012 18:58 UTC (Tue) by jcm (subscriber, #18262) [Link]

Indeed. Microsoft uses various file formats and packaging that we don't. If Linux distribution X were doing UEFI bootloader signing, I expect they might seek the "convenience" of wrapping things up in a deb, or an rpm, or similar container. And the similar "convenience" of using "this set of tools that everyone knows every Linux person has and always uses...". So, similarly, that they use CABs and so on isn't surprising. In fact, in the Microsoft world, that sounds pretty clean and neat as part of their process. They probably have decades worth of tools internally that can handle those.

I'm also not surprised they disallow the GPLv3. That revision of the GPL was specifically crafted to make cryptographic signing of bits difficult - the so called "anti-tivolization" provisions, and so on. I think GPLv3 is an overreach and goes too far, but that's my personal opinion. However, many corporations have also been very reluctant to even touch it (see the re-implementations of GPLv3 stuff in the embedded space as an example of where this is going over time). I expect someone in Microsoft legal blanketly put the brakes on going anywhere near it out of a fear of what might happen.

still a few glitches in the system...

Posted Nov 20, 2012 19:51 UTC (Tue) by davidescott (guest, #58580) [Link]

It's strange how MSFT Legal approached this. They require that you certify that the binary you will upload “to be signed must not be licensed under GPLv3 or similar open source licenses,” which Bottomley notes is a bit unclear, and the contract you must agree to prohibits a bunch of different licenses by name.

One could create a license, the MSFT_LEGAL_CORNER_CASE license, that is in no way "open-source" simply because it requires nothing with respect to source code, but that is anti-tivo in requiring that anyone distributing a signed copy of the binary must distribute the private key.

It wouldn't be on any of their blacklists because it's completely made-up, presumably it must be covered under some generic clause in the contract, and neither uploading a file nor downloading a binary will oblige MSFT... But why make such a fuss over the GPLv3 and disallowed licenses when you can't cover the actual item of concern with those clauses?

A much simpler solution is obvious. Don't return the binary. You upload the binary, they send you back a signature with a placeholder (all 00 or EE) for your binary, you insert the binary into the signature packet. No need for them to dirty their hands by distributing your binary.

still a few glitches in the system...

Posted Nov 20, 2012 21:35 UTC (Tue) by Wol (guest, #4433) [Link]

But why bother wrapping it up AT ALL!

That's the point - it requires MS technologies for something that shouldn't need it. It's a bit like telling Ford owners that they can only buy their petrol from pumps on a Ford garage forecourt.

Why should I have to wrap the binary up, when they're simply going to unwrap it at the other end? If it was going by Royal Mail, I can see the point of wrapping it up in paper, but on the Intar-tubes?

Cheers,
Wol

still a few glitches in the system...

Posted Nov 20, 2012 22:17 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

Probably for the same reason that people use cut&pasted code snippets from random sites to generate self-signed certs.

I.e. nobody freaking understands how this certificate crap works. Microsoft has a set of tools for cryptographic operations that hasn't changed much since the late '90s and probably only a few engineers in Microsoft know how they work. Coincidentally, these tools prefer CABs for file containers.

still a few glitches in the system...

Posted Nov 20, 2012 22:39 UTC (Tue) by khim (subscriber, #9252) [Link]

I think you are overthinking things here. Microsoft uses CAB because CAB was designed for such use from the beginning.

The only question which can ever be asked is: why hasn't Microsoft switched to some other non-proprietary format? And if you frame the question like this then the answer is self-obvious, isn't it?

still a few glitches in the system...

Posted Nov 20, 2012 22:35 UTC (Tue) by khim (subscriber, #9252) [Link]

> But why bother wrapping it up AT ALL!

My mother always said: don't ask a stupid question which you can answer yourself. I can not believe I see this stupidity here on LWN.

> Why should I have to wrap the binary up, when they're simply going to unwrap it at the other end?

Think. That's kind of obvious.

P.S. And no, "wrapping is done to annoy Linux users" is the wrong answer. Wrapping is actually essential to the process. Why it's done using Microsoft's tools and not, for example, PGP is obvious.

A motherly request

Posted Nov 20, 2012 22:40 UTC (Tue) by corbet (editor, #1) [Link]

Can I play your mother for just a moment and suggest that calling people stupid is not the politest way to behave? We don't need to throw in that kind of gratuitous insult, really. Please?

A motherly request

Posted Nov 20, 2012 22:50 UTC (Tue) by khim (subscriber, #9252) [Link]

> Can I play your mother for just a moment and suggest that calling people stupid is not the politest way to behave? We don't need to throw in that kind of gratuitous insult, really. Please?

Sure. Just please explain where exactly I've implied that anyone here is stupid. Someone is obviously hasty, sure, but I'm pretty sure anyone (including Wol) can answer this question if they'll spend a few minutes thinking - which makes the question stupid, isn't it?

A motherly request

Posted Nov 21, 2012 1:35 UTC (Wed) by davidescott (guest, #58580) [Link]

I have to say Wol's suggestion that it not be wrapped is if not stupid, intentionally obtuse. It comes from the:
We hate Microsoft. Everything they do is evil. Unencumbered by the thought process.

Wol was given a very good example of how we do things differently from Windows and ignored it entirely. Are we to blame CYGWIN because it ships the underlying packages via RPM?

It's always going to be wrapped. Some wrappers are just more complex than others. Whether it be CAB or ASCII armored, it's wrapped. The only way it would not be wrapped is if it were a (void *) pointer of a specified length, which isn't a practical way of transmitting the data to different hosts.

Microsoft chose the wrapper that made sense for them. I don't see how we can criticize them on that basis.

A motherly request

Posted Nov 21, 2012 8:46 UTC (Wed) by jcm (subscriber, #18262) [Link]

Indeed. There was a time when I thought it was just hilarious to misquote biblical verse implying Gates was some satanic figure, or just to hate on Microsoft on principle. I was a lot younger, and far more naive then. Now, I realize they're just a corporation in a business community that we are also part of, and we disagree in how one should go about implementing, distributing, and marketing software, and so on. But we should just accept that for a moment and ask ourselves if - from their viewpoint - any of this process is odd. To me, wrapping things in a CAB and so on sounds a lot like me saying "oh, just wrap it in an RPM..." and then having someone who prefers ipkg files complaining I am doing something strange.

A motherly request

Posted Nov 21, 2012 9:38 UTC (Wed) by Wol (guest, #4433) [Link]

Well, actually, as I understood it we have a bootloader. A SINGLE file, which gets loaded and cryptographically checked. And if it's correct, it gets executed.

Seeing as we are asking for a single file to be signed, why can't we upload that file as itself, rather than an archive? It's all very well saying "MS should use an open packaging standard", but why - if it's just one file - does it need to be packaged at all?

If I'm sending stuff to my friends, it's usually single files, and I don't bother packing them.

Cheers,
Wol

A motherly request

Posted Nov 21, 2012 12:23 UTC (Wed) by khim (subscriber, #9252) [Link]

> Seeing as we are asking for a single file to be signed, why can't we upload that file as itself, rather than an archive? It's all very well saying "MS should use an open packaging standard", but why - if it's just one file - does it need to be packaged at all?

Sure, if you want to create a service which just signs random sequences of bytes without any verification then this approach will work just fine - but this will kind of defeat the purpose: anyone will be able to sign any kind of junk in this case, thus you can just rip out the whole signature checking process: it'll be more honest, surely.

But of course Microsoft is not crazy: its process includes two parts (actually more, but it should include at least two). You've forgotten about a vital, yet extremely important part of the whole process: first we must make sure the file presented has actually come from a trusted source (from someone who's gotten the certificate and signed some papers) and then we need to sign it with Microsoft's key.

> Well, actually, as I understood it we have a bootloader. A SINGLE file, which gets loaded and cryptographically checked. And if it's correct, it gets executed.

That's for the second part of the process. The first part (which checks the credentials) is generic - as it should be (you should not invent new cryptoprocedures unless you must). And for that part a signed CAB makes perfect sense: this is a format designed for just such a use, after all!

> If I'm sending stuff to my friends, it's usually single files, and I don't bother packing them.

And how exactly do you prevent forgery in this case? You use PGP, S/MIME, or some other container format which adds the signature, isn't it? Well, Microsoft prefers signed CAB for an obvious reason.
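
The two-part flow khim describes above, combined with davidescott's earlier suggestion that the service return only a signature and never the binary, as an added example that is not part of this thread and not Microsoft's actual process or tooling. It is a constructed model: Ed25519 keys stand in for the submitter certificate and the Microsoft signing key, and a tiny signed manifest (file name plus SHA-256) stands in for the signed CAB; the names `Submission`, `Wrap`, `SigningService` and `VerifyBoot` are all assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Submission is the "wrapper" a submitter uploads: the binary, a manifest
// naming it and its digest, and the submitter's signature over that manifest.
// Constructed stand-in for a signed CAB; this is not the CAB format.
type Submission struct {
	Name         string
	Payload      []byte
	Digest       string // hex SHA-256 of Payload, bound by the manifest signature
	SubmitterPub ed25519.PublicKey
	SubmitterSig []byte // Ed25519 signature over manifest(Name, Digest)
}

// manifest is the byte string the submitter actually signs.
func manifest(name, digest string) []byte {
	return []byte("name=" + name + "\nsha256=" + digest + "\n")
}

// Wrap builds the submission: hash the binary, then sign the manifest.
func Wrap(name string, payload []byte, priv ed25519.PrivateKey) Submission {
	sum := sha256.Sum256(payload)
	d := hex.EncodeToString(sum[:])
	return Submission{
		Name:         name,
		Payload:      payload,
		Digest:       d,
		SubmitterPub: priv.Public().(ed25519.PublicKey),
		SubmitterSig: ed25519.Sign(priv, manifest(name, d)),
	}
}

// SigningService holds the service's own key and the set of enrolled
// submitter keys (the "got a certificate and signed some papers" step).
type SigningService struct {
	priv     ed25519.PrivateKey
	enrolled map[string]bool
}

func NewSigningService() (*SigningService, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningService{priv: priv, enrolled: map[string]bool{}}, nil
}

func (s *SigningService) Enroll(pub ed25519.PublicKey) { s.enrolled[hex.EncodeToString(pub)] = true }
func (s *SigningService) PublicKey() ed25519.PublicKey  { return s.priv.Public().(ed25519.PublicKey) }

// Sign is the service side. Part one: is the wrapper from an enrolled
// submitter, and does its signature hold? Part two: does the binary match the
// signed manifest? Only then is the bare binary signed, and only the detached
// signature goes back, never the binary itself.
func (s *SigningService) Sign(sub Submission) ([]byte, error) {
	if !s.enrolled[hex.EncodeToString(sub.SubmitterPub)] {
		return nil, errors.New("submitter key not enrolled")
	}
	if !ed25519.Verify(sub.SubmitterPub, manifest(sub.Name, sub.Digest), sub.SubmitterSig) {
		return nil, errors.New("submitter signature on manifest does not verify")
	}
	sum := sha256.Sum256(sub.Payload)
	if hex.EncodeToString(sum[:]) != sub.Digest {
		return nil, errors.New("payload does not match the signed manifest")
	}
	return ed25519.Sign(s.priv, sub.Payload), nil
}

// VerifyBoot is the firmware side: one file plus the service signature,
// checked against the service key. The wrapper never reaches this step.
func VerifyBoot(servicePub ed25519.PublicKey, binary, sig []byte) bool {
	return ed25519.Verify(servicePub, binary, sig)
}

func main() {
	svc, err := NewSigningService()
	if err != nil {
		panic(err)
	}
	_, submitter, _ := ed25519.GenerateKey(rand.Reader)
	svc.Enroll(submitter.Public().(ed25519.PublicKey))

	binary := []byte("constructed stand-in for a bootloader image")
	sig, err := svc.Sign(Wrap("shim.efi", binary, submitter))
	fmt.Println("signed:", err == nil, "boots:", VerifyBoot(svc.PublicKey(), binary, sig))

	// A stranger with a well-formed wrapper but no enrolment is refused.
	_, stranger, _ := ed25519.GenerateKey(rand.Reader)
	_, err = svc.Sign(Wrap("shim.efi", binary, stranger))
	fmt.Println("stranger refused:", err != nil)
}
```

The point the model makes concrete is that the wrapper and the final signature answer different questions: the manifest signature tells the service who sent the file, while the service signature over the bare binary is all the firmware ever sees. Dropping the wrapper would leave the service with no way to tie an upload to an enrolled party.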

A motherly request

Posted Nov 21, 2012 12:36 UTC (Wed) by khim (subscriber, #9252) [Link]

> Wol's was given a very good example of how we do things differently from the Windows and ignored it entirely. Are we to blame CYGWIN because it ships the underlying packages via RPM.

Just a nit (since I've fought with Cygwin's distribution system half a year ago and was kind of surprised by its baroqueness). Cygwin does not use RPM. It uses tar.bz2 files plus an external file with MD5 (yes, MD5 - in this day and age!) hashes for said files, and only that one file is signed.

still a few glitches in the system...

Posted Nov 21, 2012 3:12 UTC (Wed) by Trelane (subscriber, #56877) [Link]

>When someone asks for help with proprietary program X its common to suggest open source implementation Y.

When we become the gatekeepers to 95% of all desktops and laptops, this comparison will be apt. Until then, it ignores very salient details.

still a few glitches in the system...

Posted Nov 21, 2012 9:20 UTC (Wed) by jejb (subscriber, #6654) [Link]

> I actually didn't see the point of a large part of Bottomley's post.

The point is mainly to outline for others who have to get UEFI code signed what the process is likely to be and where you can get the necessary tools from.

> Complaining about Cabinet files and Silverlight seems a bit off to me.

I don't believe I was actually complaining, merely documenting the process.

If I have a complaint, it's just the length of time this is taking.

still a few glitches in the system...

Posted Nov 21, 2012 9:21 UTC (Wed) by mjw (subscriber, #16740) [Link]

You might be more a half-full person, and I might be more a half-empty person. But I wouldn't call the (vaguely worded) legal restrictions on using licenses for binaries distributed by third parties, signing stuff with the wrong key, only supporting signing Win32 executables, "annoyances" of using an uncommon wrapper format, requiring Silverlight (plus basically Windows7) instead of a simple http upload, etc. "it evidently almost worked" :) Sure, not all steps are fatal showstoppers, but it looks to me that half of them could certainly be counted as such.

I haven't used Windows in the last decade (but I have dealt with certificates and signing, and it certainly doesn't have to be so painful), so I might be "out of touch" with how windows binary certification works. But I thought this whole process was for simple UEFI bootloaders to enable common hardware in the default setup and has basically nothing to do with Windows. Organizations that already use Windows anyway are probably not the target of this process.

still a few glitches in the system...

Posted Nov 21, 2012 12:50 UTC (Wed) by khim (subscriber, #9252) [Link]

> I haven't used Windows in the last decade (but I have dealt with certificates and signing, and it certainly doesn't have to be so painful), so I might be "out of touch" with how windows binary certification works. But I thought this whole process was for simple UEFI bootloaders to enable common hardware in the default setup and has basically nothing to do with Windows. Organizations that already use Windows anyway are probably not the target of this process.

As far as Microsoft is concerned Windows is the golden standard everyone should use (preferably the latest version). They certainly don't plan to support anyone who does not use it. And if you'll stick with Microsoft's tools the process is as streamlined as they come (well, except for Silverlight at the end - but that's just a minor gimmick and not a problem if you are using Windows7 anyway).

still a few glitches in the system...

Posted Nov 22, 2012 21:51 UTC (Thu) by Jan_Zerebecki (guest, #70319) [Link]

> if you'll stick with Microsoft's tools the process is as streamlined as they come

Assuming you didn't try it yourself and had a different experience than James Bottomley this is just plain wrong. According to http://blog.hansenpartnership.com/adventures-in-microsoft... he tried the Microsoft tools.

He also says: "Additionally, although I think openssl has a rather confusing interface, the Microsoft tools make it look slick by comparison."

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds