Ummm, NO.

Story: Red Hat Clarifies Doubts Over UEFI Secure Boot Solution Total Replies: 5
BernardSwiss

Jun 06, 2012
7:44 PM EDT
Quoting: For users performing local customization, they will have the ability to self-register their own trusted keys on their own systems at no cost.


That is precisely the issue.

Red Hat/Fedora's solution may be great for corporations and full-fledged distros, but there is significant concern that smaller players and individuals will have to pay for the privilege of installing the software of their choice -- even modified versions of "big" distros -- on their own hardware.

Not that the kind of hardware that RedHat systems generally run on will lack key-management features. I'm disappointed by the way Red Hat is apparently choosing to present this matter.
mbaehrlxer

Jun 07, 2012
12:32 AM EDT
Not sure I follow you. Are you saying that the claim in the quote is wrong and it is not certain that anyone will be able to register keys at no cost?

greetings, eMBee.
BernardSwiss

Jun 07, 2012
2:14 AM EDT
I could have been clearer. (And maybe the Peter Principle applies).

See here: http://mjg59.dreamwidth.org/12368.html

I don't see how this is supposed to help with something from, say, Dell, that doesn't have key management built in to the BIOS/UEFI.

So the choices remain the same:

1) if your motherboard will let you, put in whatever key(s) you choose -- Microsoft's, Fedora's, or one you generated yourself.

2) If your motherboard doesn't have key management, use Microsoft's key

2a) by using MS's OS, or some Linux distro already signed with it like Fedora or Ubuntu (forget recompiling your kernel)

2b) or, pay ~ $100 to MS/Verizon for them to sign your code (as long as they're willing to) so that your hardware will permit your code.

3) otherwise, a secure boot chain is too good for the likes of you -- you'll have to turn Secure Boot off.

Oh yeah. If you want this code to run on Win8 certified ARM, options (1) and (3) are off the table.

The whole reason for this whole rigamarole is that option (1) should be default, common, standard practice -- but it seems extremely unlikely that we can count on that.

- - -

At least that's how I understand it.

- - -

(I'm not blaming RedHat/Fedora -- it sounds like they made an honest effort to make the sensible, fair, neutral option actual, accepted, standard practice, and are merely coping with the ugly reality of monopoly abuse of power).
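The post above turns on one question a Linux user can answer on their own box: does the firmware leave the key databases open to enrolment (UEFI "Setup Mode", no Platform Key installed), or is it in User Mode with only the vendor's and Microsoft's keys in place? The following is an added example, not code from this thread, from Red Hat/Fedora or from the linked article. It decodes the SecureBoot and SetupMode variables and walks the EFI_SIGNATURE_LIST structures that PK, KEK, db and dbx are built from, so you can see which certificate owners are enrolled. The efivarfs path and the 4-byte attribute header are the Linux kernel's documented layout; the GUIDs are the ones from the UEFI specification; the sample variable contents and the owner GUID are constructed here for the demo and are labelled as such.

```python
import struct
import uuid
from pathlib import Path

# efivarfs exposes each UEFI variable as a file named <Name>-<VendorGUID>.
EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # SecureBoot, SetupMode, PK, KEK
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx

# EFI_SIGNATURE_LIST.SignatureType values from the UEFI specification.
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIGNATURE_TYPES = {X509_GUID: "X509", SHA256_GUID: "SHA256"}


def strip_efivarfs_header(raw: bytes) -> bytes:
    """efivarfs prefixes every variable with a 4-byte little-endian attribute word."""
    if len(raw) < 4:
        raise ValueError("efivarfs variable shorter than its attribute header")
    return raw[4:]


def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> dict:
    """Interpret the raw efivarfs contents of SecureBoot and SetupMode.

    SetupMode == 1 means no Platform Key is enrolled, so keys can be written from
    the OS without any signature (option 1 in the post above).  SetupMode == 0
    (User Mode) means key changes must be authenticated by the existing PK/KEK,
    or made through whatever key-management screen the firmware vendor ships.
    """
    secure_boot = strip_efivarfs_header(secureboot_raw)[:1] == b"\x01"
    setup_mode = strip_efivarfs_header(setupmode_raw)[:1] == b"\x01"
    return {
        "secure_boot_enforcing": secure_boot,
        "setup_mode": setup_mode,
        "keys_writable_without_pk": setup_mode,
    }


def parse_signature_lists(data: bytes) -> list:
    """Walk a PK/KEK/db/dbx payload and return (type, owner_guid, signature) tuples."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("EFI_SIGNATURE_LIST size exceeds payload")
        body = data[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("signature body is not a multiple of SignatureSize")
        type_name = SIGNATURE_TYPES.get(sig_type, "unknown")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])   # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((type_name, str(owner), body[i + 16:i + sig_size]))
        off += list_size
    return entries


def summarize_db(entries: list) -> dict:
    """Count enrolled entries by signature type (certificates vs. raw hashes)."""
    counts = {}
    for type_name, _owner, _sig in entries:
        counts[type_name] = counts.get(type_name, 0) + 1
    return counts


def read_efivar(name: str, guid: str) -> bytes:
    """Read one variable from a live Linux system; needs efivarfs, so the demo below does not call it."""
    return strip_efivarfs_header((EFIVARS / f"{name}-{guid}").read_bytes())


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, signatures: list) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST; used here only to construct sample data."""
    sig_size = 16 + len(signatures[0])          # every entry in one list has the same size
    body = b"".join(owner.bytes_le + s for s in signatures)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


# Constructed samples: attribute word 0x06 = BS|RT, then the one-byte value.
SAMPLE_SECUREBOOT = b"\x06\x00\x00\x00\x01"   # Secure Boot is enforcing
SAMPLE_SETUPMODE = b"\x06\x00\x00\x00\x00"    # a PK is enrolled: User Mode
# Hypothetical owner GUID and db contents: one certificate placeholder plus two hashes.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = strip_efivarfs_header(
    b"\x27\x00\x00\x00"   # NV|BS|RT|TIME_BASED_AUTHENTICATED_WRITE_ACCESS, as db is stored
    + build_signature_list(X509_GUID, SAMPLE_OWNER, [b"<DER certificate placeholder>"])
    + build_signature_list(SHA256_GUID, SAMPLE_OWNER, [bytes(32), bytes([0xAA]) * 32])
)

if __name__ == "__main__":
    print(secure_boot_state(SAMPLE_SECUREBOOT, SAMPLE_SETUPMODE))
    for kind, owner, sig in parse_signature_lists(SAMPLE_DB):
        print(f"{kind:7} owner={owner} {len(sig)} bytes")
    print(summarize_db(parse_signature_lists(SAMPLE_DB)))
```

On a real machine the same functions apply to `read_efivar("SetupMode", EFI_GLOBAL_VARIABLE_GUID)` and `read_efivar("db", EFI_IMAGE_SECURITY_DATABASE_GUID)`; a board that ships only Microsoft's keys with no setup-screen key management shows `setup_mode` False and a db whose X509 owners are all the vendor's or Microsoft's GUIDs, which is exactly the case 2 situation the post describes.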
jacog

Jun 07, 2012
4:24 AM EDT
I'm going to assume that this UEFI bollocks will only be on OEM hardware? Is that wishful thinking? I usually just assemble my PCs from components.
gus3

Jun 07, 2012
6:45 AM EDT
Here is the comment BernardSwiss refers to.

And the EU and Neelie Kroes announce their opposition in 3, 3, 3...
JaseP

Jun 07, 2012
10:41 AM EDT
@jacog

Not necessarily just on OEM equipment... The motherboard manufacturer may elect to use UEFI secure boot in their firmware, and only supply the M$ keys, and no way to edit or disable them. It's up to them...

It may be that the only way to acquire Linux compatible hardware in the future may be to go to manufacturers who specifically list Linux compatibility. For many, that may mean acquiring hardware direct from Chinese manufacturers. But they are notorious for not supplying drivers and firmware for embedded devices, and changing chipsets from run to run of hardware without notification.

I had actually considered becoming an x86 Linux tablet vendor in the US (limited scale, as a hobby that might turn into a business), until I realized I could never get a straight answer on hardware, and when I could, only from manufacturers who charged too much to make it worthwhile. It turned out cheaper to buy a Dell Inspiron Duo and put Linux on it than to wholesale an x86 tablet, deal with shipping, volume issues, flash the OS to the SSDs, repackage, and deal with potential US Customs issues. That's why if you want a Linux equipped EXOpc (the class of tablet I was entertaining), it's actually cheaper to buy from M$'s online store and swap out the OS... But the Dell was cheaper, not much thicker, had gorilla glass, and could convert to a netbook.

So, bottom line... There ought to be a handful of manufacturers that at least allow for turning off secure boot for a limited number of desktops and laptops. However, we may have to convince ZAreason and System76 to produce any specialty form factor machines. And the costs will likely be prohibitive, for both them and us as end consumers.
