Bottomley: Adventures in Microsoft UEFI Signing

Bottomley: Adventures in Microsoft UEFI Signing

Posted Nov 21, 2012 13:44 UTC (Wed) by krake (subscriber, #55996)
Parent article: Bottomley: Adventures in Microsoft UEFI Signing

IMHO the question is: "Why doesn't the Linux Foundation provide a signing service that all FOSS operating systems could then use?"

And all LF (corporate) members could of course use it as well.


Bottomley: Adventures in Microsoft UEFI Signing

Posted Nov 21, 2012 14:15 UTC (Wed) by corbet (editor, #1) [Link]

This question has certainly been asked before, and the Linux Foundation has considered it, but it's not really a practical alternative. Providing this kind of service is quite difficult and very expensive; it's not something that the Linux Foundation has the resources to do.

Bottomley: Adventures in Microsoft UEFI Signing

Posted Nov 21, 2012 14:24 UTC (Wed) by krake (subscriber, #55996) [Link]

Right, I assumed as much as that they had considered it.

But I was expecting something more along the lines of "will take some time"; after all, the benefit of having a non-Microsoft "root" key widely available should outweigh a lot of costs.

Bottomley: Adventures in Microsoft UEFI Signing

Posted Nov 21, 2012 16:09 UTC (Wed) by mjg59 (subscriber, #23239) [Link]

How would you ensure that this key was widely deployed?

Bottomley: Adventures in Microsoft UEFI Signing

Posted Nov 21, 2012 18:17 UTC (Wed) by krake (subscriber, #55996) [Link]

I don't think there is any such thing as ensuring that something would happen.

I assumed that the Linux Foundation, being an interest group of several very large hardware and software vendors, would be able to help board vendors to see that continued business with its members is in fact in their best interest.

Of course those who only sell components for consumer PC white boxes and WinRT devices would not care, but that should leave plenty of them who do.

Bottomley: Adventures in Microsoft UEFI Signing

Posted Nov 21, 2012 16:59 UTC (Wed) by jejb (subscriber, #6654) [Link]

In the interests of full disclosure, the Linux Foundation investigated what it would take to be a Linux CA for UEFI. The figures that came back are pretty staggering.

Firstly the current CA operators want payments in the order of millions of US Dollars to set up a CA and not charge the end user (otherwise they want to charge fairly ridiculous fees). It should also be noted that the UEFI forum tried to go this route as well (they originally planned to sponsor a neutral CA) but gave up when they found out about the kind of money required.

Secondly, the OEMs and ODMs who make the motherboard wanted anyone supplying a UEFI KEK or db entry to post a bond, also in the six to seven figure range, to indemnify them against anything going wrong with the LF Key.

Given there are quite a few OEMs and ODMs, that's more cash than the current Linux Foundation core operating budget and therefore not something that could be realistically undertaken.

Bottomley: Adventures in Microsoft UEFI Signing

Posted Nov 21, 2012 17:50 UTC (Wed) by krake (subscriber, #55996) [Link]

Oh boy!

Seems like the UEFI people didn't do a lot of thinking, as in considering the consequences of their decisions.

Not that it is very surprising given that they are an industry group, but still.

It is quite telling that the Linux Foundation didn't do more publicity on this outrage.

It inevitably leads to the conclusion that all the big corporate members have legal contracts with Microsoft that protect their Linux-related business in some way that makes relying on Microsoft for access to physical machines unproblematic.

Anyone else, including smaller corporate members like Red Hat, are left to the wolves.

Good to keep in mind next time some LF, IBM, Intel, etc. press release claims that any of those companies is "heavily supporting" Linux.

Bottomley: Adventures in Microsoft UEFI Signing

Posted Nov 22, 2012 0:28 UTC (Thu) by vonbrand (guest, #4458) [Link]

Never, ever forget Hanlon's razor.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds