* [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Mick @ 2011-09-26 15:01 UTC
To: gentoo-user
I don't know if you have seen this. Given that we're moving into UEFI
boot what are the workarounds to compensate for Microsoft's efforts to
exclude other operating systems from available hardware?
http://www.theregister.co.uk/2011/09/26/uefi_linux_lock_out_row_latest/
--
Regards,
Mick
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Nilesh Govindarajan @ 2011-09-26 15:10 UTC
To: gentoo-user
On Mon 26 Sep 2011 08:31:10 PM IST, Mick wrote:
> I don't know if you have seen this. Given that we're moving into UEFI
> boot what are the workarounds to compensate for Microsoft's efforts to
> exclude other operating systems from available hardware?
>
> http://www.theregister.co.uk/2011/09/26/uefi_linux_lock_out_row_latest/
>
That feature is optional, see official word from MS:
https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx
Microsoft has at least done something good for the Linux community :D
--
Nilesh Govindarajan
http://nileshgr.com
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Mark Knecht @ 2011-09-26 15:17 UTC
To: gentoo-user
On Mon, Sep 26, 2011 at 8:10 AM, Nilesh Govindarajan
<contact@nileshgr.com> wrote:
> On Mon 26 Sep 2011 08:31:10 PM IST, Mick wrote:
>> I don't know if you have seen this. Given that we're moving into UEFI
>> boot what are the workarounds to compensate for Microsoft's efforts to
>> exclude other operating systems from available hardware?
>>
>> http://www.theregister.co.uk/2011/09/26/uefi_linux_lock_out_row_latest/
>>
>
> That feature is optional, see official word from MS:
> https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx
> Microsoft has at least done something good for the Linux community :D
>
> --
> Nilesh Govindarajan
> http://nileshgr.com
It's only optional if the BIOS includes an option to disable the
feature. I don't think that option is _required_ by Microsoft so if
(insert name here) contracts with their BIOS developer to not include
that option then I believe we're potentially out of luck.
- Mark
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: James Broadhead @ 2011-09-26 15:21 UTC
To: gentoo-user
On 26 September 2011 16:01, Mick <michaelkintzios@gmail.com> wrote:
> I don't know if you have seen this. Given that we're moving into UEFI
> boot what are the workarounds to compensate for Microsoft's efforts to
> exclude other operating systems from available hardware?
My opinion is that signed boot is probably on its way (despite not
actually offering much in the way of security, as the Apple Battery
hack has shown), and so we'll enter an era where you have the option
between a fully-signed system (Windows 9 / OS XI or so) or a cracked
boot, with little in the way of switching between the two, at least
initially
I know which one I'd pick if it came down to it :)
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Nilesh Govindarajan @ 2011-09-26 15:26 UTC
To: gentoo-user
On Mon 26 Sep 2011 08:51:17 PM IST, James Broadhead wrote:
> On 26 September 2011 16:01, Mick <michaelkintzios@gmail.com> wrote:
>> I don't know if you have seen this. Given that we're moving into UEFI
>> boot what are the workarounds to compensate for Microsoft's efforts to
>> exclude other operating systems from available hardware?
>
> My opinion is that signed boot is probably on its way (despite not
> actually offering much in the way of security, as the Apple Battery
> hack has shown), and so we'll enter an era where you have the option
> between a fully-signed system (Windows 9 / OS XI or so) or a cracked
> boot, with little in the way of switching between the two, at least
> initially
>
> I know which one I'd pick if it came down to it :)
And you really need not worry about it, some geek (Torvalds?) will
surely find out a way.
--
Nilesh Govindarajan
http://nileshgr.com
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: James Broadhead @ 2011-09-26 15:37 UTC
To: gentoo-user
On 26 September 2011 16:26, Nilesh Govindarajan <contact@nileshgr.com> wrote:
> And you really need not worry about it, some geek (Torvalds?) will
> surely find out a way.
Oh, I don't doubt that I'll be able to boot Linux, I just think that
we're going to enter another era where setting up a functional and
easily-switched dual boot between Linux and Windows will be difficult
again for a while.
Hopefully it won't require us to all be careful to buy specific
hardware, but who knows.
Case in point: the Windows 7 installer's mangling of the MBRs on disks
that it has no business touching.
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Dale @ 2011-09-26 15:42 UTC
To: gentoo-user
Nilesh Govindarajan wrote:
> On Mon 26 Sep 2011 08:51:17 PM IST, James Broadhead wrote:
>> On 26 September 2011 16:01, Mick<michaelkintzios@gmail.com> wrote:
>>> I don't know if you have seen this. Given that we're moving into UEFI
>>> boot what are the workarounds to compensate for Microsoft's efforts to
>>> exclude other operating systems from available hardware?
>> My opinion is that signed boot is probably on its way (despite not
>> actually offering much in the way of security, as the Apple Battery
>> hack has shown), and so we'll enter an era where you have the option
>> between a fully-signed system (Windows 9 / OS XI or so) or a cracked
>> boot, with little in the way of switching between the two, at least
>> initially
>>
>> I know which one I'd pick if it came down to it :)
> And you really need not worry about it, some geek (Torvalds?) will
> surely find out a way.
>
Well, since I don't have or use M$'s junk, I guess I am OK then? I just
need to make sure any mobo I buy in the future either doesn't have this
or can be disabled?
Heck, if you didn't have to reboot windoze all the time, they wouldn't
need this. lol
Dale
:-) :-)
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Michael Mol @ 2011-09-26 15:46 UTC
To: gentoo-user
On Mon, Sep 26, 2011 at 11:42 AM, Dale <rdalek1967@gmail.com> wrote:
> Nilesh Govindarajan wrote:
>>
>> On Mon 26 Sep 2011 08:51:17 PM IST, James Broadhead wrote:
>>>
>>> On 26 September 2011 16:01, Mick<michaelkintzios@gmail.com> wrote:
>>>>
>>>> I don't know if you have seen this. Given that we're moving into UEFI
>>>> boot what are the workarounds to compensate for Microsoft's efforts to
>>>> exclude other operating systems from available hardware?
>>>
>>> My opinion is that signed boot is probably on its way (despite not
>>> actually offering much in the way of security, as the Apple Battery
>>> hack has shown), and so we'll enter an era where you have the option
>>> between a fully-signed system (Windows 9 / OS XI or so) or a cracked
>>> boot, with little in the way of switching between the two, at least
>>> initially
>>>
>>> I know which one I'd pick if it came down to it :)
>>
>> And you really need not worry about it, some geek (Torvalds?) will
>> surely find out a way.
>>
>
> Well, since I don't have or use M$'s junk, I guess I am OK then? I just
> need to make sure any mobo I buy in the future either doesn't have this or
> can be disabled?
>
> Heck, if you didn't have to reboot windoze all the time, they wouldn't need
> this. lol
Most hardware will have UEFI. The trick will be making sure the
hardware you buy allows the "secure boot" part of it to be turned off.
Microsoft's program requires vendors to support using secure boot, but
doesn't _require_ them to support _not_ using secure boot.
--
:wq
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Indi @ 2011-09-26 15:54 UTC
To: gentoo-user
On Mon, 26 Sep 2011 20:56:20 +0530
Nilesh Govindarajan <contact@nileshgr.com> wrote:
> On Mon 26 Sep 2011 08:51:17 PM IST, James Broadhead wrote:
> > On 26 September 2011 16:01, Mick <michaelkintzios@gmail.com> wrote:
> >> I don't know if you have seen this. Given that we're moving into
> >> UEFI boot what are the workarounds to compensate for Microsoft's
> >> efforts to exclude other operating systems from available hardware?
> >
> > My opinion is that signed boot is probably on its way (despite not
> > actually offering much in the way of security, as the Apple Battery
> > hack has shown), and so we'll enter an era where you have the option
> > between a fully-signed system (Windows 9 / OS XI or so) or a cracked
> > boot, with little in the way of switching between the two, at least
> > initially
> >
> > I know which one I'd pick if it came down to it :)
>
> And you really need not worry about it, some geek (Torvalds?) will
> surely find out a way.
>
As this is being touted as a win8 feature (with win8 set for release
sometime in 2012), I predict this will be defeated before the first
win8 machine hits the stores -- just like product keys, slic, and wga.
Also it's probably safe to predict this "secure boot" scheme will end up
being another vector for windows malware.
--
caveat utilitor
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Michael Mol @ 2011-09-26 16:07 UTC
To: gentoo-user
On Mon, Sep 26, 2011 at 11:54 AM, Indi <thebeelzebubtrigger@gmail.com> wrote:
> On Mon, 26 Sep 2011 20:56:20 +0530
> Nilesh Govindarajan <contact@nileshgr.com> wrote:
>
> As this is being touted as a win8 feature (with win8 set for release
> sometime in 2012), I predict this will be defeated before the first
> win8 machine hits the stores -- just like product keys, slic, and wga.
> Also it's probably safe to predict this "secure boot" scheme will end up
> being another vector for windows malware.
Actually, that's the point of it; the BIOS doesn't allow programmatic
manipulation, and would refuse to load unsigned bootloaders. As long
as the system doesn't have the 'secure boot' feature disabled, the
only way for malware to get into the bootloader section will be if
it's signed with the keys in BIOS.
I don't know if this will go the way of Palladium and the TPM. Adding
it to the Windows8 certification program gives it some weight; OEMs
like being able to put those stickers on their hardware. If Microsoft
makes certification necessary for OEM bulk keys, they'll have a great
deal of leverage. On the other hand, they may push OEMs over the edge
to try Linux systems in retail again. (Yes, I realize that'll only
happen if Steam and friends become truly trivial to run on Linux)
--
:wq
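
On a current Linux system, the question running through this thread (is secure boot enforced, and is the firmware in a state where the owner can enrol keys) can be answered from the UEFI variables the kernel exposes under efivarfs. The following is an added example, not code from any poster in the thread; the sample byte strings are constructed, and the state labels and helper names are chosen here for illustration.

```python
"""Classify UEFI Secure Boot state from efivarfs variable contents.

Added example. The byte strings built by constructed_reader() are
constructed samples, not captured from real firmware.
"""
import os
import struct

# GUID of the UEFI global-variable namespace (EFI_GLOBAL_VARIABLE).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"

# Attribute bits held in the first four bytes of every efivarfs file.
ATTR_NON_VOLATILE = 0x1
ATTR_BOOTSERVICE_ACCESS = 0x2
ATTR_RUNTIME_ACCESS = 0x4


def parse_efivar(raw):
    """Split an efivarfs file into (attributes, payload)."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def read_flag(name, reader):
    """Return 0 or 1 for a one-byte variable, None if absent or malformed."""
    raw = reader(name)
    if raw is None:
        return None
    try:
        _attrs, data = parse_efivar(raw)
    except ValueError:
        return None
    if len(data) != 1 or data[0] not in (0, 1):
        return None
    return data[0]


def secure_boot_state(reader):
    """Map the SecureBoot and SetupMode variables to a state label.

    The labels are this example's own naming, not firmware terminology.
    """
    secure = read_flag("SecureBoot", reader)
    setup = read_flag("SetupMode", reader)
    if secure is None:
        # Booted via legacy BIOS/CSM, or firmware without secure boot.
        return "unsupported-or-legacy-boot"
    if secure == 1 and setup == 1:
        # Enforcement with no platform key enrolled should not happen.
        return "inconsistent"
    if secure == 1:
        return "enforcing"
    if setup == 1:
        # No platform key enrolled: the owner can enrol their own keys.
        return "setup-mode"
    return "disabled"


def sysfs_reader(name, base=EFIVARS_DIR):
    """Read a global UEFI variable from efivarfs; None if unavailable."""
    path = os.path.join(base, f"{name}-{EFI_GLOBAL_GUID}")
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


def constructed_reader(secure, setup):
    """Build a reader over constructed sample variables (None = absent)."""
    attrs = struct.pack("<I", ATTR_BOOTSERVICE_ACCESS | ATTR_RUNTIME_ACCESS)
    table = {}
    if secure is not None:
        table["SecureBoot"] = attrs + bytes([secure])
    if setup is not None:
        table["SetupMode"] = attrs + bytes([setup])
    return table.get


if __name__ == "__main__":
    print("this machine:", secure_boot_state(sysfs_reader))
    for sample in ((1, 0), (0, 1), (0, 0), (None, None)):
        print(sample, "->", secure_boot_state(constructed_reader(*sample)))
```
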
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Dale @ 2011-09-26 16:15 UTC
To: gentoo-user
Michael Mol wrote:
> On Mon, Sep 26, 2011 at 11:42 AM, Dale<rdalek1967@gmail.com> wrote:
>> Nilesh Govindarajan wrote:
>>>
>>> Well, since I don't have or use M$'s junk, I guess I am OK then? I just
>>> need to make sure any mobo I buy in the future either doesn't have this or
>>> can be disabled?
>>>
>>> Heck, if you didn't have to reboot windoze all the time, they wouldn't need
>>> this. lol
> Most hardware will have UEFI. The trick will be making sure the
> hardware you buy allows the "secure boot" part of it to be turned off.
> Microsoft's program requires vendors to support using secure boot, but
> doesn't _require_ them to support _not_ using secure boot.
>
So buy a mobo without it or that can disable it. Got it. It'll be a
good while before I buy a new mobo tho. I'm sure they will have a nice
fix by then but this is something I need to remember just in case. ;-)
Dale
:-) :-)
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Jonas de Buhr @ 2011-09-26 19:29 UTC
To: gentoo-user
>> between a fully-signed system (Windows 9 / OS XI or so) or a cracked
>> boot, with little in the way of switching between the two, at least
>> initially
>>
>> I know which one I'd pick if it came down to it :)
>
>And you really need not worry about it, some geek (Torvalds?) will
>surely find out a way.
yes, there will most likely be a technical way to circumvent it. the
problem is that involved companies might try (and likely succeed) to
make that illegal.
the reasoning will be this: it is assumed that you only make that
modification to run pirated copies of commercial operating systems.
that you will also need that mod to run free operating systems on it
will just not count. at least not for commercially offering the mod.
just look at decss. or playstation mod chips.
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Michael Mol @ 2011-09-26 19:42 UTC
To: gentoo-user
On Mon, Sep 26, 2011 at 3:29 PM, Jonas de Buhr <jonas.de.buhr@gmx.net> wrote:
>>> between a fully-signed system (Windows 9 / OS XI or so) or a cracked
>>> boot, with little in the way of switching between the two, at least
>>> initially
>>>
>>> I know which one I'd pick if it came down to it :)
>>
>>And you really need not worry about it, some geek (Torvalds?) will
>>surely find out a way.
>
> yes, there will most likely be a technical way to circumvent it. the
> problem is that involved companies might try (and likely succeed) to
> make that illegal.
> the reasoning will be this: it is assumed that you only make that
> modification to run pirated copies of commercial operating systems.
>
> that you will also need that mod to run free operating systems on it
> will just not count. at least not for commercially offering the mod.
> just look at decss. or playstation mod chips.
I thought this is where we already are?
--
:wq
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Mick @ 2011-09-26 19:49 UTC
To: gentoo-user
On Monday 26 Sep 2011 20:29:14 Jonas de Buhr wrote:
> >> between a fully-signed system (Windows 9 / OS XI or so) or a cracked
> >> boot, with little in the way of switching between the two, at least
> >> initially
> >>
> >> I know which one I'd pick if it came down to it :)
> >
> >And you really need not worry about it, some geek (Torvalds?) will
> >surely find out a way.
>
> yes, there will most likely be a technical way to circumvent it. the
> problem is that involved companies might try (and likely succeed) to
> make that illegal.
> the reasoning will be this: it is assumed that you only make that
> modification to run pirated copies of commercial operating systems.
>
> that you will also need that mod to run free operating systems on it
> will just not count. at least not for commercially offering the mod.
> just look at decss. or playstation mod chips.
I am assuming that unlike the old days when I used to boot Linux on PCs using
a floppy with SmartBootManager, now we'll need to generate some key/hash for
our freshly compiled kernel, then add it to the BIOS firmware and flash the
BIOS with it before we are able to boot into it?
Is it more complicated than that?
--
Regards,
Mick
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Michael Mol @ 2011-09-26 19:56 UTC
To: gentoo-user
On Mon, Sep 26, 2011 at 3:49 PM, Mick <michaelkintzios@gmail.com> wrote:
> On Monday 26 Sep 2011 20:29:14 Jonas de Buhr wrote:
>> >> between a fully-signed system (Windows 9 / OS XI or so) or a cracked
>> >> boot, with little in the way of switching between the two, at least
>> >> initially
>> >>
>> >> I know which one I'd pick if it came down to it :)
>> >
>> >And you really need not worry about it, some geek (Torvalds?) will
>> >surely find out a way.
>>
>> yes, there will most likely be a technical way to circumvent it. the
>> problem is that involved companies might try (and likely succeed) to
>> make that illegal.
>> the reasoning will be this: it is assumed that you only make that
>> modification to run pirated copies of commercial operating systems.
>>
>> that you will also need that mod to run free operating systems on it
>> will just not count. at least not for commercially offering the mod.
>> just look at decss. or playstation mod chips.
>
> I am assuming that unlike the old days when I used to boot Linux on PCs using
> a floppy with SmartBootManager, now we'll need to generate some key/hash for
> our freshly compiled kernel, then add it to the BIOS firmware and flash the
> BIOS with it before we are able to boot into it?
>
> Is it more complicated than that?
Just a hunch, but I think the BIOS will probably be signed. Perhaps in
replacement of the existing checksum functionality.
I *really* wonder what this is going to do to diagnosis tools. OEMs of
Compaq/HP/Packard Bell's stature* strike me as likely to use it as a
lock-in for having machines diagnosed and fixed by certified
technicians.
* Meaning, dirt-cheap pre-built PCs and laptops.
--
:wq
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Jonas de Buhr @ 2011-09-26 20:20 UTC
To: gentoo-user
>> yes, there will most likely be a technical way to circumvent it. the
>> problem is that involved companies might try (and likely succeed) to
>> make that illegal.
>> the reasoning will be this: it is assumed that you only make that
>> modification to run pirated copies of commercial operating systems.
>>
>> that you will also need that mod to run free operating systems on it
>> will just not count. at least not for commercially offering the mod.
>> just look at decss. or playstation mod chips.
>
>I thought this is where we already are?
yes, this weird way of thinking is already established and seems to be
widely accepted. my point is that it is going to be applied to UEFI
cracking. meaning: a technical solution for this will not help us at
all.
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: James Broadhead @ 2011-09-26 20:21 UTC
To: gentoo-user
On 26 September 2011 20:29, Jonas de Buhr <jonas.de.buhr@gmx.net> wrote:
>>> between a fully-signed system (Windows 9 / OS XI or so) or a cracked
>>> boot, with little in the way of switching between the two, at least
>>> initially
>>
>>And you really need not worry about it, some geek (Torvalds?) will
>>surely find out a way.
>
> yes, there will most likely be a technical way to circumvent it. the
> problem is that involved companies might try (and likely succeed) to
> make that illegal.
Unfortunately, under the DMCA, breaking any encryption /
copy-protection mechanism is illegal under US copyright law of all
things (and by extension, globally :-/ ). I listened to a pretty
interesting debate about this related to the "Right to Repair" act in
the States, which relates to the right to access car firmware /
software. The consensus seems to be that the pitifully easy-to-crack
encryption is only there so that the software becomes covered by the
DMCA. What a mess.
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Jonas de Buhr @ 2011-09-26 20:26 UTC
To: gentoo-user
>I am assuming that unlike the old days when I used to boot Linux on
>PCs using a floppy with SmartBootManager, now we'll need to generate
>some key/hash for our freshly compiled kernel, then add it to the BIOS
>firmware and flash the BIOS with it before we are able to boot into it?
>
>Is it more complicated than that?
how are you going to write to the bios if it doesn't let you?
maybe you are determined enough to manually flash the chip every time
you update grub but i think that's a buzzkill for >90% of the users ;)
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Jonas de Buhr @ 2011-09-26 20:42 UTC
To: gentoo-user
>On 26 September 2011 20:29, Jonas de Buhr <jonas.de.buhr@gmx.net>
>wrote:
>>>> between a fully-signed system (Windows 9 / OS XI or so) or a
>>>> cracked boot, with little in the way of switching between the two,
>>>> at least initially
>>>
>>>And you really need not worry about it, some geek (Torvalds?) will
>>>surely find out a way.
>>
>> yes, there will most likely be a technical way to circumvent it. the
>> problem is that involved companies might try (and likely succeed) to
>> make that illegal.
>
>Unfortunately, under the DMCA, breaking any encryption /
>copy-protection mechanism is illegal under US copyright law of all
>things (and by extension, globally :-/ ). I listened to a pretty
>interesting debate about this related to the "Right to Repair" act in
>the States, which relates to the right to access car firmware /
>software. The consensus seems to be that the pitifully easy-to-crack
>encryption is only there so that the software becomes covered by the
>DMCA. What a mess.
>
agreed.
still there might be different ways. replacing the whole bios
chip (or software) with something different for example. then you
technically didn't break any encryption, so no dmca.
but i still think that would sooner or later get you in trouble if you
offer that service commercially.
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Sebastian Beßler @ 2011-09-26 21:00 UTC
To: gentoo-user
On 26.09.2011 21:56, Michael Mol wrote:
>> Is it more complicated than that?
> Just a hunch, but I think the BIOS will probably be signed. Perhaps in
> replacement of the existing checksum functionality.
I have something like that on my Motorola Milestone Android Phone.
It is not possible to change the kernel because the bootloader is signed
and only loads signed kernels. The "BIOS" of the phone is signed so that
you can't change the bootloader.
Milestone is out for about 2 years now, many smart people tried to hack
it but till now no luck and it does not look like it will be hacked ever.
I fear that something like that will come to most laptops and many ready
built desktop computers in a few years. It will likely still be possible
to buy mainboards without it, for a high price I also fear.
Greetings
Sebastian Beßler
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Mick @ 2011-09-26 21:48 UTC
To: gentoo-user
On Monday 26 Sep 2011 21:26:03 Jonas de Buhr wrote:
> >I am assuming that unlike the old days when I used to boot Linux on
> >PCs using a floppy with SmartBootManager, now we'll need to generate
> >some key/hash for our freshly compiled kernel, then add it to the BIOS
> >firmware and flash the BIOS with it before we are able to boot into it?
> >
> >Is it more complicated than that?
>
> how are you going to write to the bios if it doesn't let you?
>
> maybe you are determined enough to manually flash the chip every time
> you update grub but i think that's a buzzkill for >90% of the users ;)
Yes, I meant flash it of course.
Just as I started getting worried about having to roll an initramfs every
other day in the near future, now I will also have to be reflashing my BIOS!
Ha, ha, ha!
I used to build and blueprint my own engines (cars and motorbikes). Then
gradually cars became electronic appliances, locked down to the extent where
engine modifications became difficult and expensive to implement. I fear that
PCs and before that laptops may be heading the same way. :-(
--
Regards,
Mick
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Jonas de Buhr @ 2011-09-26 22:17 UTC
To: gentoo-user
>I used to build and blueprint my own engines (cars and motorbikes).
>Then gradually cars became electronic appliances, locked down to the
>extent where engine modifications became difficult and expensive to
>implement. I fear that PCs and before that laptops may be heading the
>same way. :-(
this has the potential to go really bad. on the other hand tpm had too.
maybe we should relax.
it's not about being complicated though. you can't blame the industry
for building more complicated engines that perform a lot better. that
doesn't need to keep you from building your own engine (although it
will probably be no competition). and i think cars are a lot more
hackable today than they ever were.
that's not the same as putting a lock on the front lid only the
manufacturer can open.
concerning computers, the lockout (if there will be any) is purely
artificial. the complexity doesn't keep people from tinkering with it.
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Albert W. Hopkins @ 2011-09-26 22:46 UTC
To: gentoo-user
On Mon, 2011-09-26 at 11:15 -0500, Dale wrote:
> So buy a mobo without it or that can disable it. Got it. It'll be a
> good while before I buy a new mobo tho. I'm sure they will have a
> nice
> fix by then but this is something I need to remember just in
> case. ;-)
Ok, I'll bite...
It depends on who makes your system. For example, I've got a new
laptop, with UEFI BIOS and SATA HDD, but if you go in the UEFI settings
and change a couple of settings, you'll be able to boot into DOS. Why?
Because, surprisingly, they still have quite a few corporate customers
that need to use DOS. So if you can boot DOS you can boot Linux.
Some manufacturers still provide firmware and BIOS updates via DOS boot
cds. If you can boot from a non-signed CD, you can boot Linux. Some
manufacturers still consider it a competitive advantage to offer
"fast-boot" linux-based firmware. Likely those would be able to be
manipulated in order to boot Linux from disk.
On the server side, I don't think there is any major server manufacturer
dumb enough to sell a system not capable of running Linux.
In short, it's probably less of a problem then than people make it out
to be. It's akin to the old(?) days when Broadcom cards didn't work
with Linux. The solution is always simple: don't buy a system that has
a Broadcom card.
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Alan McKinnon @ 2011-09-26 23:03 UTC (permalink / raw
To: gentoo-user
On Mon, 26 Sep 2011 18:46:21 -0400
"Albert W. Hopkins" <marduk@letterboxes.org> wrote:
> On the server side, I don't think there is any major server
> manufacturer dumb enough to sell a system not capable of running
> Linux.
How very true. If a manufacturer tried that, they would lose the entire
ISP and backbone market in a flash.
Linux, BSD and Solaris rule that area. Windows doesn't even get a
look-in.
Next they'd lose the Oracle/Sybase/IQ/any-db-that-matters market where
those products do run on Windows (sort of a token gesture, useful for
POCs run by the technically clueless) but anyone with a brain does the
real work on Unix.
It usually takes just one phone call from the right person and an
entire corporate can switch from vendor X to vendor Y. It's scary to
watch.
--
Alan McKinnnon
alan.mckinnon@gmail.com
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Dale @ 2011-09-26 23:24 UTC (permalink / raw
To: gentoo-user
Albert W. Hopkins wrote:
> On Mon, 2011-09-26 at 11:15 -0500, Dale wrote:
>> So buy a mobo without it or that can disable it. Got it. It'll be a
>> good while before I buy a new mobo tho. I'm sure they will have a
>> nice
>> fix by then but this is something I need to remember just in
>> case. ;-)
> Ok, I'll bite...
>
> It depends on who makes your system. For example, I've got a new
> laptop, with UEFI BIOS and SATA HDD, but if you go in the UEFI settings
> and change a couple of settings, you'll be able to boot into DOS. Why?
> Because, surprisingly, they still have quite a few corporate customers
> that need to use DOS. So if you can boot DOS you can boot Linux.
>
> Some manufacturers still provide firmware and BIOS updates via DOS boot
> cds. If you can boot from a non-signed CD, you can boot Linux. Some
> manufacturers still consider it a competitive advantage to offer
> "fast-boot" linux-based firmware. Likely those would be able to be
> manipulated in order to boot Linux from disk.
>
> On the server side, I don't think there is any major server manufacturer
> dumb enough to sell a system not capable of running Linux.
>
> In short, it's probably less of a problem than people make it out
> to be. It's akin to the old(?) days when Broadcom cards didn't work
> with Linux. The solution is always simple: don't buy a system that has
> a Broadcom card.
>
Well, I build my rigs and no laptops either. Basically, if this does
come to pass, I'll just buy a mobo that allows it to be turned off or
one that doesn't have it at all.
I think the mobo should have a way to disable it hardware wise as well.
Maybe a jumper or something. I know I'm not a majority here but I don't
have and never have had windows. So, if some people are forced to
choose, M$ could lose some more users. There are quite a few people that
use windows only to play games and Linux for everything else. What's
that ole saying about shooting yourself in the foot? lol
Well, my current rig will last me for a few years I hope. Maybe it will
be dealt with by then. Jeez, initramfs crap and this all in about a
month. What will happen next month? Oh, /home has to be on / too.
Dale
:-) :-)
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Indi @ 2011-09-27 4:17 UTC (permalink / raw
To: gentoo-user
On Mon, Sep 26, 2011 at 06:46:21PM -0400, Albert W. Hopkins wrote:
> On Mon, 2011-09-26 at 11:15 -0500, Dale wrote:
> > So buy a mobo without it or that can disable it. Got it. It'll be a
> > good while before I buy a new mobo tho. I'm sure they will have a
> > nice
> > fix by then but this is something I need to remember just in
> > case. ;-)
>
> Ok, I'll bite...
>
> It depends on who makes your system. For example, I've got a new
> laptop, with UEFI BIOS and SATA HDD, but if you go in the UEFI settings
> and change a couple of settings, you'll be able to boot into DOS. Why?
> Because, surprisingly, they still have quite a few corporate customers
> that need to use DOS. So if you can boot DOS you can boot Linux.
>
> Some manufacturers still provide firmware and BIOS updates via DOS boot
> cds. If you can boot from a non-signed CD, you can boot Linux. Some
> manufacturers still consider it a competitive advantage to offer
> "fast-boot" linux-based firmware. Likely those would be able to be
> manipulated in order to boot Linux from disk.
>
> On the server side, I don't think there is any major server manufacturer
> dumb enough to sell a system not capable of running Linux.
>
> In short, it's probably less of a problem than people make it out
> to be. It's akin to the old(?) days when Broadcom cards didn't work
> with Linux. The solution is always simple: don't buy a system that has
> a Broadcom card.
>
It's absolutely not a concern, beyond checking to make sure any
"safe boot" feature can be disabled before buying. And even that
won't be necessary once it's circumvented -- which it will be.
Locking the bootloader only works on (some) phones because of
their mayfly-like life expectancy combined with their consumer-
oriented purpose. And in spite of that, we have cyanogenmod and
other successful alternative OS projects.
All this latest scheme will do is help create signed malware.
And some people say innovation is dying... :)
--
caveat utilitor
♫ ❤ ♫ ❤ ♫ ❤ ♫ ❤
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Joost Roeleveld @ 2011-09-27 6:59 UTC (permalink / raw
To: gentoo-user
On Monday, September 26, 2011 10:26:03 PM Jonas de Buhr wrote:
> >I am assuming that unlike the old days when I used to boot Linux on
> >PCs using a floppy with SmartBootManager, now we'll need to generate
> >some key/hash for our freshly compiled kernel, then add it to the BIOS
> >firmware and flash the BIOS with it before we are able to boot into it?
> >
> >Is it more complicated than that?
>
> how are you going to write to the bios if it doesn't let you?
>
> maybe you are determined enough to manually flash the chip every time
> you update grub but i think that's a buzzkill for >90% of the users ;)
Eerhm...
If Grub is the bootloader, wouldn't we just need to have a "signed" version of
Grub?
--
Joost
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Sebastian Beßler @ 2011-09-27 7:35 UTC (permalink / raw
To: gentoo-user
On 26.09.2011 21:56, Michael Mol wrote:
>> Is it more complicated than that?
> Just a hunch, but I think the BIOS will probably be signed. Perhaps in
> replacement of the existing checksum functionality.
I have something like that on my Motorola Milestone Android Phone.
It is not possible to change the kernel because the bootloader is signed
and only loads signed kernels. The "BIOS" of the phone is signed so that
you can't change the bootloader.
Milestone is out for about 2 years now, many smart people tried to hack
it but till now no luck and it does not look like it will be hacked ever.
I fear that something like that will come to most laptops and many ready
built desktop computers in a few years. It will likely still be possible
to buy mainboards without it, for a high price I also fear.
Greetings
Sebastian Beßler
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Jonas de Buhr @ 2011-09-27 12:11 UTC (permalink / raw
To: gentoo-user
>On Monday, September 26, 2011 10:26:03 PM Jonas de Buhr wrote:
>> >I am assuming that unlike the old days when I used to boot Linux on
>> >PCs using a floppy with SmartBootManager, now we'll need to generate
>> >some key/hash for our freshly compiled kernel, then add it to the
>> >BIOS firmware and flash the BIOS with it before we are able to boot
>> >into it?
>> >
>> >Is it more complicated than that?
>>
>> how are you going to write to the bios if it doesn't let you?
>>
>> maybe you are determined enough to manually flash the chip every time
>> you update grub but i think that's a buzzkill for >90% of the users ;)
>
>Eerhm...
>If Grub is the bootloader, wouldn't we just need to have a "signed"
>version of Grub?
depends if we are talking about hashes being saved in the bios or
signatures being checked by the bios.
hashes would have to be written to the bios every time the binary of the
bootloader changes.
signatures would have to be renewed every time the binary changes. this
is even worse because you will most likely need some private key to
do that which you will not get your hands on. if anyone can create the
signature, it's pointless.
so you would have to rely on your bios vendor to sign every possible
binary of the bootloader. and then you're still locked out.
* Re: [gentoo-user] [OT] Should I be worried that I won't be able to dual boot in Gentoo?
From: Mick @ 2011-09-27 21:18 UTC (permalink / raw
To: gentoo-user
On Tuesday 27 Sep 2011 13:11:30 Jonas de Buhr wrote:
> >On Monday, September 26, 2011 10:26:03 PM Jonas de Buhr wrote:
> >> >I am assuming that unlike the old days when I used to boot Linux on
> >> >PCs using a floppy with SmartBootManager, now we'll need to generate
> >> >some key/hash for our freshly compiled kernel, then add it to the
> >> >BIOS firmware and flash the BIOS with it before we are able to boot
> >> >into it?
> >> >
> >> >Is it more complicated than that?
> >>
> >> how are you going to write to the bios if it doesn't let you?
> >>
> >> maybe you are determined enough to manually flash the chip every time
> >> you update grub but i think that's a buzzkill for >90% of the users ;)
> >
> >Eerhm...
> >If Grub is the bootloader, wouldn't we just need to have a "signed"
> >version of Grub?
>
> depends if we are talking about hashes being saved in the bios or
> signatures being checked by the bios.
>
> hashes would have to be written to the bios every time the binary of the
> bootloader changes.
>
> signatures would have to be renewed every time the binary changes. this
> is even worse because you will most likely need some private key to
> do that which you will not get your hands on. if anyone can create the
> signature, it's pointless.
> so you would have to rely on your bios vendor to sign every possible
> binary of the bootloader. and then you're still locked out.
Unless ... you could create or set up such signature upon your first boot up
and secure it with a new passphrase/token/what have you. I'm thinking that it
could become part of the first OS installation, just like you set up a
root/user passwd.
--
Regards,
Mick
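The hash-versus-signature question raised in the two messages above, as an added example that is not part of the thread and not any firmware's actual code: a model of a boot check under a stored-hash policy, a vendor-key signature policy, and an owner-enrolled key. The `Firmware` class, all names, the sample images and the toy textbook-RSA keys (insecure, built from known Mersenne primes) are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent for the toy RSA below

def make_key(p, q):
    """Toy textbook RSA from two primes: returns (modulus n, private d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(image, n):
    """SHA-256 of the image as an integer, reduced below the modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, n, d):
    """Needs the private exponent d, which only the key holder has."""
    return pow(digest(image, n), d, n)

class Firmware:
    """Hypothetical firmware model; not any real UEFI implementation."""
    def __init__(self):
        self.hashes = set()  # policy 1: image hashes stored in firmware
        self.keys = set()    # policy 2: trusted public moduli

    def boots_by_hash(self, image):
        return hashlib.sha256(image).hexdigest() in self.hashes

    def boots_by_signature(self, image, sig):
        return any(pow(sig, E, n) == digest(image, n) for n in self.keys)

def demo():
    # Constructed sample data: two bootloader builds and two insecure toy keys.
    v1, v2 = b"bootloader build 1", b"bootloader build 2"
    vendor_n, vendor_d = make_key(2**127 - 1, 2**89 - 1)
    owner_n, owner_d = make_key(2**107 - 1, 2**61 - 1)
    fw = Firmware()
    fw.hashes.add(hashlib.sha256(v1).hexdigest())
    fw.keys.add(vendor_n)
    out = {
        "hash_v1": fw.boots_by_hash(v1),
        "hash_v2_after_rebuild": fw.boots_by_hash(v2),
        "vendor_sig_v1": fw.boots_by_signature(v1, sign(v1, vendor_n, vendor_d)),
        "old_sig_on_v2": fw.boots_by_signature(v2, sign(v1, vendor_n, vendor_d)),
        "owner_sig_before_enroll": fw.boots_by_signature(v2, sign(v2, owner_n, owner_d)),
    }
    fw.keys.add(owner_n)  # owner enrolls a key, as proposed in the last message
    out["owner_sig_after_enroll"] = fw.boots_by_signature(v2, sign(v2, owner_n, owner_d))
    return out

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'boots' if ok else 'refused'}")
```

A rebuilt image fails both the stored-hash check and a stale signature; it boots only once a key whose private half the owner holds is in the trusted set.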