
Just a user interface issue?

Posted Feb 28, 2013 12:22 UTC (Thu) by k3ninho (subscriber, #50375)
In reply to: Just a user interface issue? by jreiser
Parent article: Loading keys from Microsoft PE binaries

At the moment, people are aware of the spectrum of non-technical to technical users and are choosing to solve the UEFI secure boot problem in a way that is no further bar to non-technical users dual-booting Linux.

In the past, there's been a trickle-down solution where the more-technical people build their own platform and community and it slowly becomes something that less-technical people can do. In this case, that doesn't apply: security is intended to be a blocker to access, and being on the wrong side of that divide must be enforced or it's not security.

For this problem, the Linux Foundation should be paying for a technical advisor to go round the mainboard manufacturers enrolling them in the Linux UEFI Certification Program and supplying them with a signing key which is used in addition to the MS one. The program is created to allow for corporations to build system images with their own platform keys under which they control the entire secure environment. That should be the real motivation for this, with desktop users being secondary beneficiaries. Thus there is no extra burden on the non-technical user and such a setup allows UEFI Secure Boot to work as intended.

Just a user interface issue?

Posted Feb 28, 2013 17:26 UTC (Thu) by raven667 (subscriber, #5198)

The problem is that the Linux Foundation doesn't have the money to be a CA and maintain all the infrastructure that entails, while RedHat does have the money but they don't want to foot the bill because they are afraid of being seen as the Microsoft of the Linux world. All the people who are complaining about MS might be complaining about RH instead which could affect sales. There is also the difficulty of getting enough OEMs to bundle additional keys in and the additional barrier if some users can't boot your install media, they are just going to walk away.

It's a kind of logical insanity, since logic seems to get one to a place where MS/Verisign is the only signing authority.

Just a user interface issue?

Posted Feb 28, 2013 21:39 UTC (Thu) by Lennie (guest, #49641)

If you ask Verisign to maintain a Verisign signed CA like Microsoft is doing I'm sure it would be expensive.

So how much money does it take to maintain a self-signed CA?

You don't need an organisation like Verisign to sign the CA.

Just a user interface issue?

Posted Feb 28, 2013 21:45 UTC (Thu) by dlang (subscriber, #313)

running a CA is dirt cheap (look at openca), running a good CA securely costs a bit more.

you need to have processes in place to keep the bad guys out; this probably means that it takes more work to do the signing

you need redundancy

you need to spend time figuring out if you should sign things (unless you are a commercial CA, in which case you just need to see if the credit card accepts the charge)

That being said, the cost of running the CA itself is trivial compared to the cost of getting your cert accepted and in the various places it needs to be to do any good.

Just a user interface issue?

Posted Feb 28, 2013 22:33 UTC (Thu) by Lennie (guest, #49641)

Forget I even mentioned it, I made a mistake in my thinking.

Just a user interface issue?

Posted Feb 28, 2013 22:14 UTC (Thu) by mjg59 (subscriber, #23239)

Doing it properly, including identity verification for people in arbitrary countries, with proper software and physical security for the keys? No, it's not cheap.

Just a user interface issue?

Posted Feb 28, 2013 22:59 UTC (Thu) by Lennie (guest, #49641)

If we forget for a moment that for this purpose doing a custom CA is not useful in this case... as I wasn't thinking properly.

Doing a secure custom CA needs these things, I guess?
- process/time/people
- physical security
- key security
- redundancy of the physical security and key security solution

If you get yourself some cheap netbooks with a built-in TPM and install Linux on it you can then store two copies of your keys in two separate safes possibly in different buildings. Then you have 3 things solved.

An East European TLD does this for their DNSSEC key signing keys if I remember correctly. The zone signing keys are on a machine behind a firewall which is used to push updates to the publicly visible servers.

In DNSSEC the zone signing keys are used to sign the DNS data and key signing keys are used to sign the zone signing keys every couple of months.
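As an added illustration (not part of any comment in this thread) of the KSK/ZSK split described above: the offline key signing key endorses a zone signing key for a bounded validity window, the online ZSK signs records, and a verifier trusts only the KSK. The type and function names, the record text and the epoch values are constructed for this example, and Ed25519 from the Go standard library stands in for the DNSSEC algorithms and wire formats.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// SignedKey is a ZSK public key with a validity window, endorsed by the KSK.
type SignedKey struct {
	Pub                 ed25519.PublicKey
	NotBefore, NotAfter uint64 // constructed epoch seconds
	Sig                 []byte // KSK signature over Pub || NotBefore || NotAfter
}

// keyTBS is the to-be-signed encoding of a ZSK endorsement.
func keyTBS(pub ed25519.PublicKey, nb, na uint64) []byte {
	b := make([]byte, len(pub)+16)
	copy(b, pub)
	binary.BigEndian.PutUint64(b[len(pub):], nb)
	binary.BigEndian.PutUint64(b[len(pub)+8:], na)
	return b
}

// EndorseZSK is the rare, offline KSK operation ("every couple of months").
func EndorseZSK(ksk ed25519.PrivateKey, zskPub ed25519.PublicKey, nb, na uint64) SignedKey {
	return SignedKey{zskPub, nb, na, ed25519.Sign(ksk, keyTBS(zskPub, nb, na))}
}

// VerifyRecord walks the chain KSK (trust anchor) -> ZSK endorsement -> record.
// An unendorsed or expired ZSK is rejected, so a leaked ZSK is only useful until
// its endorsement lapses, while the KSK itself never leaves the safe.
func VerifyRecord(anchor ed25519.PublicKey, zsk SignedKey, record, sig []byte, now uint64) bool {
	if !ed25519.Verify(anchor, keyTBS(zsk.Pub, zsk.NotBefore, zsk.NotAfter), zsk.Sig) {
		return false
	}
	if now < zsk.NotBefore || now > zsk.NotAfter {
		return false
	}
	return ed25519.Verify(zsk.Pub, record, sig)
}

func main() {
	kskPub, ksk, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand; generated once, then kept offline
	zskPub, zsk, _ := ed25519.GenerateKey(nil) // the online signer behind the firewall
	endorsed := EndorseZSK(ksk, zskPub, 1000, 2000)
	rec := []byte("www.example. IN A 192.0.2.1") // constructed record
	sig := ed25519.Sign(zsk, rec)
	fmt.Println(VerifyRecord(kskPub, endorsed, rec, sig, 1500), VerifyRecord(kskPub, endorsed, rec, sig, 2500)) // true false
}
```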

Just a user interface issue?

Posted Feb 28, 2013 23:36 UTC (Thu) by raven667 (subscriber, #5198)

Take a look at the requirements for WebTrust to get an idea of some of the basic minimums of procedures that need to be followed, documented and audited.

Just a user interface issue?

Posted Feb 28, 2013 23:45 UTC (Thu) by Lennie (guest, #49641)

Depends what you use it for of course, but if you want to get into browsers or a sub-CA then yes, WebTrust is where you can go.

I know if that is what you want, you need a lot of stuff done because I've been following what CAcert is doing.

So why not get them the money?

Posted Mar 4, 2013 11:51 UTC (Mon) by Max.Hyre (guest, #1054)

> The problem is that the Linux Foundation doesn't have the money to be a CA [....]

Sounds like a perfect case for a Kickstarter project. I'd certainly pay a significant (to me) amount of cash to get a native Linux UEFI key built into most machines. I suspect I'm not alone.

So why not get them the money?

Posted Mar 4, 2013 15:16 UTC (Mon) by raven667 (subscriber, #5198)

I agree, I think that building a Linux vendor CA and getting it in the common default firmware is the right strategy, using the shim should be seen as a delaying action to make time. Just like win8 certification there should be a general Linux cert which covers this, with a sticker for the machines and everything if possible. Why not?

So why not get them the money?

Posted Mar 5, 2013 17:07 UTC (Tue) by ortalo (subscriber, #4654)

There are other people like me who think that UEFI is introduced by Microsoft to fight Windows piracy (and even possibly to fuel their forced upgrade strategy) and will very certainly never be usable as an end-user security mechanism by design. Not to speak of the fact that I have always expressed doubts about centralized certification authorities à la X.509 even before the DigiNotar fiasco (only louder now), especially given revocation... difficulties (to say the least).

The only thing that made me doubt the inutility of UEFI "security" up to now and eventually consider *not* deactivating secure boot is the involvement of people like Matthew Garrett (and co.)...
Personally, I would prefer to pay *him* directly to design an alternative security BIOS for Linux rather than reuse the one from M$...

Maybe I am concluding too fast and getting old. Or maybe not...

So why not get them the money?

Posted Mar 5, 2013 17:20 UTC (Tue) by raven667 (subscriber, #5198)

> UEFI is introduced by Microsoft to fight Windows piracy

I'm not sure how that's supposed to work. UEFI isn't TPM and provides no way to validate a license key or enforce DRM; it's really only useful for preventing malware from modifying the boot process.

It would have been nice if mjg59's proposal for automatic key enrollment had gotten some traction, because that could have been the mechanism to become independent of the MS signing infrastructure. IIUC the problem here is that the key signing through MS is made to fit MS's existing tooling for signing PE binaries, which is understandable, but it seems to me the solution is to build an alternate signing infrastructure that works the way we want, within the constraints of the UEFI standard. Maybe it would be even better to modify the UEFI Secure Boot standard to do more exactly what we want, but it might be too late for that as the current standard is now widely shipping and can't be changed. Maybe can't be changed for 20+ years.

So why not get them the money?

Posted Mar 6, 2013 8:47 UTC (Wed) by ortalo (subscriber, #4654)

Well, I do not understand your (technical) interrogations. M$ ensures that its version of Windows is executed (or, why do we bother at all with signing a linux-oriented boot loader?). Most recent versions of MS/Win phone home one way or another and check the number of running instances in their environment very precisely. Everything is in place to compare with the actual bill sent every year...

Linux users in this game are just the troublemakers who made apparent that M$ was grabbing control of OS instances. I am speculating yes, but I suspect this is more due to licensing reasons and monetary interest rather than security reasons and moral issues...

The actual full details may not be perfect, but that would not be the first time a commercial security mechanism has design vulnerabilities... Furthermore, the objective is to increase the bill, not block the customer system.
What I am questioning is the true objective of this thing. What I am questioning too is whether bills will increase or not btw... At least, we have an occasion to demonstrate that servers running linux do not pay... anything!

So why not get them the money?

Posted Mar 6, 2013 16:42 UTC (Wed) by mjg59 (subscriber, #23239)

"M$ ensures that its version of Windows is executed"

No, it doesn't. You're able to disable the signature checking and you're able to install your own keys. Having done that, you're then free to lie to the OS about whether or not it booted a signed binary.

So why not get them the money?

Posted Mar 6, 2013 18:42 UTC (Wed) by raven667 (subscriber, #5198)

Or maybe to put it another way, Windows itself can't "require" the signature checking because that happens at a layer below and previous to what the running OS kernel can control. There isn't a mechanism for a running system, doing licensing or validity checks, to verify that it was booted "securely", the verification is forward, not backwards.

Do I have that right, mjg59? 8-)

So why not get them the money?

Posted Mar 6, 2013 18:50 UTC (Wed) by mjg59 (subscriber, #23239)

Yes, that's correct.

So why not get them the money?

Posted Mar 5, 2013 17:21 UTC (Tue) by mjg59 (subscriber, #23239)

Secure Boot controls what binaries your firmware will boot, not which firmware your binaries will boot on. It's exactly the wrong way round to be usable as an anti-piracy mechanism.

So why not get them the money?

Posted Mar 6, 2013 8:57 UTC (Wed) by anselm (subscriber, #2796)

Also it's not as if piracy was keeping Microsoft up at night. People have been stealing Microsoft software for nearly 40 years and the company is still doing great. Bill Gates is still #2 on the Forbes list, so there doesn't seem to be an obvious problem.

Microsoft is doing little things here and there to make life harder for pirates (think »activation«), but actually getting rid of piracy altogether isn't that high up on their agenda. If they wanted to, they could certainly stamp out piracy nearly completely but (a) this would also inconvenience legitimate users, in particular »enterprise« users, which would be counterproductive – these users might get silly ideas like looking at operating systems that make for less hassle, such as Linux –, and (b) a certain level of piracy ensures that anybody who wants Windows badly enough will be able to get it, which is way better than encouraging them to look at icky free alternatives like Linux.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds