
So why not get them the money?

Posted Mar 4, 2013 15:16 UTC (Mon) by raven667 (subscriber, #5198)
In reply to: So why not get them the money? by Max.Hyre
Parent article: Loading keys from Microsoft PE binaries

I agree, I think that building a Linux vendor CA and getting it in the common default firmware is the right strategy, using the shim should be seen as a delaying action to make time. Just like win8 certification there should be a general Linux cert which covers this, with a sticker for the machines and everything if possible. Why not?


So why not get them the money?

Posted Mar 5, 2013 17:07 UTC (Tue) by ortalo (subscriber, #4654) [Link]

There are other people like me who think that UEFI is introduced by Microsoft to fight Windows piracy (and even possibly to fuel their forced upgrade strategy) and will very certainly never be usable as an end-user security mechanism by design. Not to speak of the fact that I have always expressed doubts about centralized certification authorities à la X.509 even before the DigiNotar fiasco (only louder now), especially given revocation... difficulties (to say the least).

The only thing that made me doubt the inutility of UEFI "security" up to now and eventually consider *not* deactivating secure boot is the involvement of people like Matthew Garrett (and co.)...
Personally, I would prefer to pay *him* directly to design an alternative security BIOS for Linux rather than reuse the one from M$...

Maybe I am concluding too fast and getting old. Or maybe not...

So why not get them the money?

Posted Mar 5, 2013 17:20 UTC (Tue) by raven667 (subscriber, #5198) [Link]

> UEFI is introduced by Microsoft to fight Windows piracy

I'm not sure how that's supposed to work, uEFI isn't TPM and provides no way to validate a license key or enforce DRM, it's really only useful for preventing malware from modifying the boot process.

It would have been nice if mjg59's proposal for automatic key enrollment had gotten some traction because that could have been the mechanism to become independent of the MS signing infrastructure. IIUC the problem here is that the key signing through MS is made to fit MS's existing tooling for signing PE binaries, which is understandable, but it seems to me the solution is to build an alternate signing infrastructure that works the way we want, within the constraints of the uEFI standard. Maybe it would be even better to modify the uEFI SecureBoot standard to do more exactly what we want but it might be too late for that as the current standard is now widely shipping and can't be changed. Maybe can't be changed for 20+ years.

So why not get them the money?

Posted Mar 6, 2013 8:47 UTC (Wed) by ortalo (subscriber, #4654) [Link]

Well, I do not understand your (technical) interrogations. M$ ensures that its version of Windows is executed (or, why do we bother at all with signing a linux-oriented boot loader?). Most recent versions of MS/Win phone home one way or another and check the number of running instances in their environment very precisely. Everything is in place to compare with the actual bill sent every year...

Linux users in this game are just the troublemakers who made apparent that M$ was grabbing control of OS instances. I am speculating yes, but I suspect this is more due to licensing reasons and monetary interest rather than security reasons and moral issues...

The actual full details may not be perfect, but that would not be the first time a commercial security mechanism has design vulnerabilities... Furthermore, the objective is to increase the bill, not block the customer system.
What I am questioning is the true objective of this thing. What I am questioning too is whether bills will increase or not btw... At least, we have an occasion to demonstrate that servers running linux do not pay... anything!

So why not get them the money?

Posted Mar 6, 2013 16:42 UTC (Wed) by mjg59 (subscriber, #23239) [Link]

"M$ ensures that its version of Windows is executed"

No, it doesn't. You're able to disable the signature checking and you're able to install your own keys. Having done that, you're then free to lie to the OS about whether or not it booted a signed binary.

So why not get them the money?

Posted Mar 6, 2013 18:42 UTC (Wed) by raven667 (subscriber, #5198) [Link]

Or maybe to put it another way, Windows itself can't "require" the signature checking because that happens at a layer below and previous to what the running OS kernel can control. There isn't a mechanism for a running system, doing licensing or validity checks, to verify that it was booted "securely", the verification is forward, not backwards.

Do I have that right, mjg59? 8-)

So why not get them the money?

Posted Mar 6, 2013 18:50 UTC (Wed) by mjg59 (subscriber, #23239) [Link]

Yes, that's correct.

So why not get them the money?

Posted Mar 5, 2013 17:21 UTC (Tue) by mjg59 (subscriber, #23239) [Link]

Secure Boot controls what binaries your firmware will boot, not which firmware your binaries will boot on. It's exactly the wrong way round to be usable as an anti-piracy mechanism.

So why not get them the money?

Posted Mar 6, 2013 8:57 UTC (Wed) by anselm (subscriber, #2796) [Link]

Also it's not as if piracy was keeping Microsoft up at night. People have been stealing Microsoft software for nearly 40 years and the company is still doing great. Bill Gates is still #2 on the Forbes list, so there doesn't seem to be an obvious problem.

Microsoft is doing little things here and there to make life harder for pirates (think »activation«), but actually getting rid of piracy altogether isn't that high up on their agenda. If they wanted to, they could certainly stamp out piracy nearly completely but (a) this would also inconvenience legitimate users, in particular »enterprise« users, which would be counterproductive – these users might get silly ideas like looking at operating systems that make for less hassle, such as Linux –, and (b) a certain level of piracy ensures that anybody who wants Windows badly enough will be able to get it, which is way better than encouraging them to look at icky free alternatives like Linux.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds