Message-ID: <4FCA1159.40909@binarywings.net>
Date: Sat, 02 Jun 2012 15:12:57 +0200
From: Florian Philipp
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers

On 02.06.2012 15:00, Michael Mol wrote:
> On Sat, Jun 2, 2012 at 3:43 AM, Florian Philipp wrote:
>> On 02.06.2012 04:26, William Kenworthy wrote:
>>> http://boingboing.net/2012/05/31/lockdown-freeopen-os-maker-p.html
>>>
>>> and something I had not considered with the whole idea was even bootable
>>> cd's and usb keys for rescue will need the same privileges ...
>
> [snip]
>
>> Okay, enough bashing the article. Some technical question: As I
>> understand it, if I want to make a live CD or a distribution, all I'd
>> need to do is to use Fedora's kernel and boot loader? That's not so bad.
>
> Or turn off 'secure boot' in the BIOS configuration menu.
>
> For Windows 8 certification, a device must _default_ to 'secure boot'
> being turned on. You're allowed to turn it off, you just can't have
> programmatic access to turn it off; it has to be done manually.
>

Yes, that was my point (or part of it). The main issue is usability for the
technically not so inclined.
For the typical Gentoo user secure boot is not an issue; it is no more
trouble than changing the boot order to boot from CD-ROM. For mainstream
distros like Ubuntu or Fedora, it is an issue. But they can afford to spend
99$ *once* to just get a valid key.

> I expect that'll be available in things like motherboards sold
> directly to end-users. I expect it *won't* be available in whatever
> the current iteration of Compaq/HP/Packard Hell all-in-one devices is;
> manufacturers of those devices will still have keys installed to allow
> debugging and maintenance tools to operate, but their signed tools
> would only be available to their certified technicians.
>

As I understand it, having the chance to deactivate it is now mandatory for
Windows certification but I could be wrong.

> Does anyone know what crypto hash they're using to sign these things?
> I imagine it won't be too long (3-4 years, tops) before either the
> signing key leaks or collision attacks are figured out.
>

According to [1] it is SHA-256 and RSA-2048. If I understand it correctly,
there are means to blacklist compromised keys. That's why Fedora cannot
simply share their key but they will share their infrastructure and tools.

[1] http://www.uefi.org/learning_center/UEFI_Plugfest_2011Q4_P5_Insyde.pdf

Regards,
Florian Philipp