public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
@ 2012-06-02  2:26 William Kenworthy
  2012-06-02  7:43 ` Florian Philipp
  2012-06-04 23:30 ` [gentoo-user] " Nikos Chantziaras
  0 siblings, 2 replies; 33+ messages in thread
From: William Kenworthy @ 2012-06-02  2:26 UTC (permalink / raw
  To: gentoo-user@lists.gentoo.org

http://boingboing.net/2012/05/31/lockdown-freeopen-os-maker-p.html

and something I had not considered with the whole idea was even bootable
cd's and usb keys for rescue will need the same privileges ...

BillK






^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-02  2:26 [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers William Kenworthy
@ 2012-06-02  7:43 ` Florian Philipp
  2012-06-02  8:13   ` pk
  2012-06-02 13:00   ` Michael Mol
  2012-06-04 23:30 ` [gentoo-user] " Nikos Chantziaras
  1 sibling, 2 replies; 33+ messages in thread
From: Florian Philipp @ 2012-06-02  7:43 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 1820 bytes --]

Am 02.06.2012 04:26, schrieb William Kenworthy:
> http://boingboing.net/2012/05/31/lockdown-freeopen-os-maker-p.html
> 
> and something I had not considered with the whole idea was even bootable
> cd's and usb keys for rescue will need the same privileges ...
> 
> BillK
> 
> 
> 
> 

I find this article lacking in substance. You get a much more reasonable
view reading the original blog post by Matthew Garrett [1].

A few points:
> "meaning that unless Microsoft has blessed your favorite flavor of
> GNU/Linux or BSD, you won't be able to just install it on your
> machine, or boot to it from a USB stick or CD to try it out."

You don't have to be "blessed". You could call your distribution
BallmerSucks and still get a certificate. You just have to register,
authenticate and pay the fee. Anything else would earn them an antitrust
law suite they wouldn't forget.

> "There is a work-around for some systems involving a finicky and
> highly technical override process, but all that means is that
> installing proprietary software is easy and installing free/open
> software is hard."

They mean "finicky" as in "go to the BIOS and switch it off" and "some
systems" as in "all x86 hardware but not ARM"? Yeah, the situation is
not nice but it is not as bad as it could be. Microsoft requires that it
can be switched off for x86. It forbids it for ARM, though. The article
gets that bit right.

Regarding the 99$ "ransom": It is a one-off payment. The article should
have made that clear.

Okay, enough bashing the article. Some technical question: As I
understand it, if I want to make a live CD or a distribution, all I'd
need to do is to use Fedora's kernel and boot loader? That's not so bad.

[1] http://mjg59.dreamwidth.org/12368.html

Regards,
Florian Philipp


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-02  7:43 ` Florian Philipp
@ 2012-06-02  8:13   ` pk
  2012-06-02 13:00   ` Michael Mol
  1 sibling, 0 replies; 33+ messages in thread
From: pk @ 2012-06-02  8:13 UTC (permalink / raw
  To: gentoo-user

On 2012-06-02 09:43, Florian Philipp wrote:

> You don't have to be "blessed". You could call your distribution 
> BallmerSucks and still get a certificate. You just have to 
> register, authenticate and pay the fee. Anything else would earn 
> them an antitrust law suite they wouldn't forget.

... or one could simply replace the bios/UEFI with coreboot[1] and get
on with life... albeit, (at least currently) it will severely limit
your choice of motherboards (AMD is supporting coreboot, which is why
I've chosen AMD ones but it also requires the support of the
motherboard makers).

[1]: www.coreboot.org

Best regards

Peter K



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-02  7:43 ` Florian Philipp
  2012-06-02  8:13   ` pk
@ 2012-06-02 13:00   ` Michael Mol
  2012-06-02 13:12     ` Florian Philipp
  1 sibling, 1 reply; 33+ messages in thread
From: Michael Mol @ 2012-06-02 13:00 UTC (permalink / raw
  To: gentoo-user

On Sat, Jun 2, 2012 at 3:43 AM, Florian Philipp <lists@binarywings.net> wrote:
> Am 02.06.2012 04:26, schrieb William Kenworthy:
>> http://boingboing.net/2012/05/31/lockdown-freeopen-os-maker-p.html
>>
>> and something I had not considered with the whole idea was even bootable
>> cd's and usb keys for rescue will need the same privileges ...

[snip]

> Okay, enough bashing the article. Some technical question: As I
> understand it, if I want to make a live CD or a distribution, all I'd
> need to do is to use Fedora's kernel and boot loader? That's not so bad.

Or turn off 'secure boot' in the BIOS configuration menu.

For Windows 8 certification, a device must _default_ to 'secure boot'
being turned on. You're allowed to turn it off, you just can't have
programmatic access to turn it off; it has to be done manually.

I expect that'll be available in things like motherboards sold
directly to end-users. I expect it *won't* be available in whatever
the current iteration of Compaq/HP/Packard Hell all-in-one devices is;
manufacturers of those devices will still have keys installed to allow
debugging and maintenance tools to operate, but their signed tools
would only be available to their certified technicians.

Does anyone know what crypto hash they're using to sign these things?
I imagine it won't be too long (3-4 years, tops) before either the
signing key leaks or collision attacks are figured out.

-- 
:wq



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-02 13:00   ` Michael Mol
@ 2012-06-02 13:12     ` Florian Philipp
  2012-06-02 19:51       ` pk
  0 siblings, 1 reply; 33+ messages in thread
From: Florian Philipp @ 2012-06-02 13:12 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 2373 bytes --]

Am 02.06.2012 15:00, schrieb Michael Mol:
> On Sat, Jun 2, 2012 at 3:43 AM, Florian Philipp <lists@binarywings.net> wrote:
>> Am 02.06.2012 04:26, schrieb William Kenworthy:
>>> http://boingboing.net/2012/05/31/lockdown-freeopen-os-maker-p.html
>>>
>>> and something I had not considered with the whole idea was even bootable
>>> cd's and usb keys for rescue will need the same privileges ...
> 
> [snip]
> 
>> Okay, enough bashing the article. Some technical question: As I
>> understand it, if I want to make a live CD or a distribution, all I'd
>> need to do is to use Fedora's kernel and boot loader? That's not so bad.
> 
> Or turn off 'secure boot' in the BIOS configuration menu.
> 
> For Windows 8 certification, a device must _default_ to 'secure boot'
> being turned on. You're allowed to turn it off, you just can't have
> programmatic access to turn it off; it has to be done manually.
>

Yes, that was my point (or part of it). The main issue is usability for
the technically not so inclined. For the typical Gentoo user secure boot
is not an issue is no more trouble than changing the boot order to boot
from CD-ROM. For mainstream distros like Ubuntu or Fedora, it is an
issue. But they can afford to spend 99$ *once* to just get a valid key.

> I expect that'll be available in things like motherboards sold
> directly to end-users. I expect it *won't* be available in whatever
> the current iteration of Compaq/HP/Packard Hell all-in-one devices is;
> manufacturers of those devices will still have keys installed to allow
> debugging and maintenance tools to operate, but their signed tools
> would only be available to their certified technicians.
> 

As I understand it, having the chance to deactivate it is now mandatory
for Windows certification but I could be wrong.

> Does anyone know what crypto hash they're using to sign these things?
> I imagine it won't be too long (3-4 years, tops) before either the
> signing key leaks or collision attacks are figured out.
> 

According to [1] it is SHA-256 and RSA-2048. If I understand it
correctly, there are means to blacklist compromised keys. That's why
Fedora cannot simply share their key but they will share their
infrastructure and tools.

[1] http://www.uefi.org/learning_center/UEFI_Plugfest_2011Q4_P5_Insyde.pdf

Regards,
Florian Philipp


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-02 13:12     ` Florian Philipp
@ 2012-06-02 19:51       ` pk
  2012-06-02 20:10         ` Michael Mol
  0 siblings, 1 reply; 33+ messages in thread
From: pk @ 2012-06-02 19:51 UTC (permalink / raw
  To: gentoo-user

On 2012-06-02 15:12, Florian Philipp wrote:

> According to [1] it is SHA-256 and RSA-2048. If I understand it 
> correctly, there are means to blacklist compromised keys. That's
> why

Just curious, how is a "compromised" key supposed to be blacklisted?
Does the bios contact Microsoft, or is it through some other mean (via
OS which means it needs to have some sort of service to check for this
blacklist)? Smells like trouble to me... :-/

Best regards

Peter K



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-02 19:51       ` pk
@ 2012-06-02 20:10         ` Michael Mol
  2012-06-02 22:50           ` pk
  0 siblings, 1 reply; 33+ messages in thread
From: Michael Mol @ 2012-06-02 20:10 UTC (permalink / raw
  To: gentoo-user

On Sat, Jun 2, 2012 at 3:51 PM, pk <peterk2@coolmail.se> wrote:
> On 2012-06-02 15:12, Florian Philipp wrote:
>
>> According to [1] it is SHA-256 and RSA-2048. If I understand it
>> correctly, there are means to blacklist compromised keys. That's
>> why
>
> Just curious, how is a "compromised" key supposed to be blacklisted?
> Does the bios contact Microsoft, or is it through some other mean (via
> OS which means it needs to have some sort of service to check for this
> blacklist)? Smells like trouble to me... :-/

I expect the chief mechanism is at the manufacturer's end; blacklisted
keys get included on shipment.

It's also probable that the OS kernel can tell the UEFI BIOS about new
keys to blacklist. I expect that'll be a recurring thing in the
Monthly batch of security updates Microsoft puts out. (Makes sense,
really; if malware is using a key, blacklist that key.)

Someone linked to some absolutely terrible stuff being built into
Intel's Ivy Bridge...it's plausible it will be possible to deploy
blacklist key updates over the network within a couple years.


-- 
:wq



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-02 20:10         ` Michael Mol
@ 2012-06-02 22:50           ` pk
  2012-06-02 23:36             ` Michael Mol
  2012-06-04 12:48             ` Mick
  0 siblings, 2 replies; 33+ messages in thread
From: pk @ 2012-06-02 22:50 UTC (permalink / raw
  To: gentoo-user

On 2012-06-02 22:10, Michael Mol wrote:

> I expect the chief mechanism is at the manufacturer's end; blacklisted
> keys get included on shipment.

Makes sense.

> It's also probable that the OS kernel can tell the UEFI BIOS about new
> keys to blacklist. I expect that'll be a recurring thing in the
> Monthly batch of security updates Microsoft puts out. (Makes sense,
> really; if malware is using a key, blacklist that key.)

Yes, would expect something like this. Secure boot supposedly prevents
"unauthorized firmware, operating systems or UEFI drivers" at boot time.
So if I interpret this correctly it would mean that if I have, say, an
old graphics card with an old firmware (vga bios) I can't use it with
"secure boot". More interestingly, how is an "operating system" defined?
Does it mean only the kernel itself or does it mean a full-blown OS with
init and other supporting software? What does that mean to a source
based "distro"? Also, I would assume a legitimate key would be able to
sign pretty much any binary so a key that Fedora uses could be used to
sign malware for Windows, which then would be blacklisted by
Microsoft... and how is malware defined? Anything that would be
detrimental to Microsoft?

> Someone linked to some absolutely terrible stuff being built into
> Intel's Ivy Bridge...it's plausible it will be possible to deploy

You mean:
https://en.wikipedia.org/wiki/Intel_insider#Intel_Insider_and_remote-control

?

> blacklist key updates over the network within a couple years.

Well, UEFI already implements remote management:
http://www.uefi.org/news/UEFI_Overview.pdf (page 13)
... so implementing an automatic update over the network, preferably via
SMM/SMI so that the operating system cannot intervene would be possible
already today... and you've lost control of your computer.

I'm putting on my tinfoil hat now and I'm going to pretend it's
raining... :-/

Best regards

Peter K



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-02 22:50           ` pk
@ 2012-06-02 23:36             ` Michael Mol
  2012-06-03  0:35               ` Florian Philipp
  2012-06-03  6:57               ` Walter Dnes
  2012-06-04 12:48             ` Mick
  1 sibling, 2 replies; 33+ messages in thread
From: Michael Mol @ 2012-06-02 23:36 UTC (permalink / raw
  To: gentoo-user

On Sat, Jun 2, 2012 at 6:50 PM, pk <peterk2@coolmail.se> wrote:
> On 2012-06-02 22:10, Michael Mol wrote:

[snip]

>> It's also probable that the OS kernel can tell the UEFI BIOS about new
>> keys to blacklist. I expect that'll be a recurring thing in the
>> Monthly batch of security updates Microsoft puts out. (Makes sense,
>> really; if malware is using a key, blacklist that key.)
>
> Yes, would expect something like this. Secure boot supposedly prevents
> "unauthorized firmware, operating systems or UEFI drivers" at boot time.
> So if I interpret this correctly it would mean that if I have, say, an
> old graphics card with an old firmware (vga bios) I can't use it with
> "secure boot".

It's probable that a system using an IOMMU and virtualization tech
could emulate the real-mode requirements needed to execute that VGA
BIOS safely.

Gets more interesting...my understanding of things like Firewire is
that it's almost trivially easy to crack a system on the bus, because
of the way DMA is implemented.

> More interestingly, how is an "operating system" defined?
> Does it mean only the kernel itself or does it mean a full-blown OS with
> init and other supporting software?

The BIOS will only load a signed bootloader. The signed bootloader
will only load a signed kernel. The signed kernel will...do whatever
you tell it to do.

> What does that mean to a source based "distro"?

It's going to make building and installing grub and the kernel
trickier; you'll have to get them signed. And that's going to be a
PITA for anyone who does developers.

What it *really* means is that someone who wants to run Linux as a
hobbyist or developer is going to disable "SecureBoot", and then fall
back to business as usual.

> Also, I would assume a legitimate key would be able to
> sign pretty much any binary so a key that Fedora uses could be used to
> sign malware for Windows, which then would be blacklisted by
> Microsoft...

If Fedora allows their key to sign crap, then their key will get revoked.

What I hope (I don't know) is whether or not the signing system
involved allows chaining.  i.e., with SSL, I can generate my own key,
get it signed by a CA, and then bundle the CA's public key and my
public key when I go on to sign _another_ key.

So, could I generate a key, have Fedora sign it, and then use my key
to sign my binaries? If my key is used to do malicious things,
Fedora's off the hook, and it's only my key which gets revoked.

> and how is malware defined? Anything that would be
> detrimental to Microsoft?

Dunno. I imagine it comes down to whatever the chief key's owner
doesn't want running on the same hardware while SecureBoot is enabled.
Rootkits come to mind.

>
>> Someone linked to some absolutely terrible stuff being built into
>> Intel's Ivy Bridge...it's plausible it will be possible to deploy
>
> You mean:
> https://en.wikipedia.org/wiki/Intel_insider#Intel_Insider_and_remote-control
>
> ?

The vPro stuff relates, yeah.

>
>> blacklist key updates over the network within a couple years.
>
> Well, UEFI already implements remote management:
> http://www.uefi.org/news/UEFI_Overview.pdf (page 13)
> ... so implementing an automatic update over the network, preferably via
> SMM/SMI so that the operating system cannot intervene would be possible
> already today... and you've lost control of your computer.

You still own your network, so you have at least some control over it.
These features are intended to be managed by the system network
administrator.

This is going to be a matter of caveat emptor. Don't buy a Tivo or
Kindle and expect to be able to repurpose it. (And don't buy hardware
from Oracle, I expect. Though I suspect you may eventually not get a
choice is you want to run their software.)

If you don't know whether or not you can expect to reformat a device
before you buy it, then you haven't been paying attention to mobile
tech over the last five years, and you didn't do your homework.
Apologies for the lack of sympathy. :(

-- 
:wq



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-02 23:36             ` Michael Mol
@ 2012-06-03  0:35               ` Florian Philipp
  2012-06-03  1:39                 ` Michael Mol
  2012-06-03  6:57               ` Walter Dnes
  1 sibling, 1 reply; 33+ messages in thread
From: Florian Philipp @ 2012-06-03  0:35 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 3449 bytes --]

Am 03.06.2012 01:36, schrieb Michael Mol:
> On Sat, Jun 2, 2012 at 6:50 PM, pk <peterk2@coolmail.se> wrote:
>> On 2012-06-02 22:10, Michael Mol wrote:
> 
> [snip]
> 
[...]
> 
> The BIOS will only load a signed bootloader. The signed bootloader
> will only load a signed kernel. The signed kernel will...do whatever
> you tell it to do.
> 

According to Matthew's blog post, Fedora patched Grub2 and the kernel to
avoid loading custom code into them:
- Deactivate grub2 plugins
- Sign all kernel modules and disallow unsigned ones
- Prevent access to PCI through userland
- Sanitize the kernel command line

>> What does that mean to a source based "distro"?
> 
> It's going to make building and installing grub and the kernel
> trickier; you'll have to get them signed. And that's going to be a
> PITA for anyone who does developers.
> 
> What it *really* means is that someone who wants to run Linux as a
> hobbyist or developer is going to disable "SecureBoot", and then fall
> back to business as usual.
> 

Yeah, the only way for Gentoo to have secure boot is a) let each user
register with Microsoft, b) provide a binary kernel and boot loader.

>> Also, I would assume a legitimate key would be able to
>> sign pretty much any binary so a key that Fedora uses could be used to
>> sign malware for Windows, which then would be blacklisted by
>> Microsoft...
> 
> If Fedora allows their key to sign crap, then their key will get revoked.
> 
> What I hope (I don't know) is whether or not the signing system
> involved allows chaining.  i.e., with SSL, I can generate my own key,
> get it signed by a CA, and then bundle the CA's public key and my
> public key when I go on to sign _another_ key.
> 
> So, could I generate a key, have Fedora sign it, and then use my key
> to sign my binaries? If my key is used to do malicious things,
> Fedora's off the hook, and it's only my key which gets revoked.
> 

Consider the exact approach Fedora takes: They've only made a certified
stage-1 boot loader. This boot loader then loads grub2 (signed with a
custom Fedora key, nothing chained back to MS) which then loads a
custom-signed kernel. This allows them to avoid authenticating against
MS every time they update grub or the kernel.

This means if you want to certify with Fedora, you don't need to chain
up to MS as long as you use their stage-1 boot loader. However, if I was
part of Fedora, I wouldn't risk my key by signing other people's stuff.
Mainboard makers won't look twice when they see rootkits with Fedora
boot loaders.

>> and how is malware defined? Anything that would be
>> detrimental to Microsoft?
> 
> Dunno. I imagine it comes down to whatever the chief key's owner
> doesn't want running on the same hardware while SecureBoot is enabled.
> Rootkits come to mind.
> 

To quote Matthew:
> If I take a signed Linux bootloader and then use it to boot something
> that looks like an unsigned Linux kernel, I've instead potentially
> just booted a piece of malware. And if that malware can attack
> Windows then the signed Linux bootloader is no longer just a signed
> Linux bootloader, it's a signed Windows malware launcher and that's
> the kind of thing that results in that bootloader being added to the
> list of blacklisted binaries and suddenly your signed Linux
> bootloader isn't even a signed Linux bootloader.

Regards,
Florian Philipp


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-03  0:35               ` Florian Philipp
@ 2012-06-03  1:39                 ` Michael Mol
  2012-06-03  2:04                   ` BRM
  0 siblings, 1 reply; 33+ messages in thread
From: Michael Mol @ 2012-06-03  1:39 UTC (permalink / raw
  To: gentoo-user

On Sat, Jun 2, 2012 at 8:35 PM, Florian Philipp <lists@binarywings.net> wrote:
> Am 03.06.2012 01:36, schrieb Michael Mol:
>> On Sat, Jun 2, 2012 at 6:50 PM, pk <peterk2@coolmail.se> wrote:
>>> On 2012-06-02 22:10, Michael Mol wrote:
>>
>> [snip]
>>
> [...]
>>
>> The BIOS will only load a signed bootloader. The signed bootloader
>> will only load a signed kernel. The signed kernel will...do whatever
>> you tell it to do.
>>
>
> According to Matthew's blog post, Fedora patched Grub2 and the kernel to
> avoid loading custom code into them:
> - Deactivate grub2 plugins
> - Sign all kernel modules and disallow unsigned ones
> - Prevent access to PCI through userland
> - Sanitize the kernel command line

Yeah, I read his blog post via lwn.net. I forgot some of the details.


>
>>> What does that mean to a source based "distro"?
>>
>> It's going to make building and installing grub and the kernel
>> trickier; you'll have to get them signed. And that's going to be a
>> PITA for anyone who does developers.
>>
>> What it *really* means is that someone who wants to run Linux as a
>> hobbyist or developer is going to disable "SecureBoot", and then fall
>> back to business as usual.
>>
>
> Yeah, the only way for Gentoo to have secure boot is a) let each user
> register with Microsoft, b) provide a binary kernel and boot loader.

If you have a need to get a secure Gentoo boot, and you don't need to
boot Windows 8, then (as I understand it) you can also purge the UEFI
BIOS of Microsoft's key and install your own.

>
>>> Also, I would assume a legitimate key would be able to
>>> sign pretty much any binary so a key that Fedora uses could be used to
>>> sign malware for Windows, which then would be blacklisted by
>>> Microsoft...
>>
>> If Fedora allows their key to sign crap, then their key will get revoked.
>>
>> What I hope (I don't know) is whether or not the signing system
>> involved allows chaining.  i.e., with SSL, I can generate my own key,
>> get it signed by a CA, and then bundle the CA's public key and my
>> public key when I go on to sign _another_ key.
>>
>> So, could I generate a key, have Fedora sign it, and then use my key
>> to sign my binaries? If my key is used to do malicious things,
>> Fedora's off the hook, and it's only my key which gets revoked.
>>
>
> Consider the exact approach Fedora takes: They've only made a certified
> stage-1 boot loader. This boot loader then loads grub2 (signed with a
> custom Fedora key, nothing chained back to MS) which then loads a
> custom-signed kernel. This allows them to avoid authenticating against
> MS every time they update grub or the kernel.
>
> This means if you want to certify with Fedora, you don't need to chain
> up to MS as long as you use their stage-1 boot loader. However, if I was
> part of Fedora, I wouldn't risk my key by signing other people's stuff.
> Mainboard makers won't look twice when they see rootkits with Fedora
> boot loaders.

Yeah, that's not the kind of thing I was thinking about.

With SSL's PKI, someone like StartSSL has a CA cert.

I generate my own key, have StartSSL sign my key. My brother generates
a key, and I sign his.

Now my brother takes his key and sends you a signed email.

Now, you've never heard of me, and the crypto signature attached to
that email doesn't mean anything. However, if he bundles my public key
along with his public key in that email, then you can see that my
public key was signed by someone you _do_ know. Now you have a chain
of signatures showing the relationship between that email and the root
CA.

Now here's the interesting part, and what I was alluding to wrt signed
binaries and key revocation.

Let's say _my_ key is leaked. My brother send you an email signed with
his key. You look at that key, you see that key hasn't been revoked.
You look at the key that signed that key, and you see that _that_ key
_has_ been revoked. You can then choose to not trust keys signed by
that key.

Now let's say my _brother's_ key is leaked, and so he revokes it. Any
new emails signed with that key can be seen to be invalid. However,
_my_ key is still considered valid; I can still sign things with it.

That's the kind of thing I was thinking about. If you allow key chains
to be deep, rather than forcing them to be wide, you can wield
blacklists like a scalpel, rather than a bludgeon.

>
>>> and how is malware defined? Anything that would be
>>> detrimental to Microsoft?
>>
>> Dunno. I imagine it comes down to whatever the chief key's owner
>> doesn't want running on the same hardware while SecureBoot is enabled.
>> Rootkits come to mind.
>>
>
> To quote Matthew:
>> If I take a signed Linux bootloader and then use it to boot something
>> that looks like an unsigned Linux kernel, I've instead potentially
>> just booted a piece of malware. And if that malware can attack
>> Windows then the signed Linux bootloader is no longer just a signed
>> Linux bootloader, it's a signed Windows malware launcher and that's
>> the kind of thing that results in that bootloader being added to the
>> list of blacklisted binaries and suddenly your signed Linux
>> bootloader isn't even a signed Linux bootloader.

What kind of signature is the bootloader checking, anyway?

-- 
:wq



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-03  1:39                 ` Michael Mol
@ 2012-06-03  2:04                   ` BRM
  2012-06-03  2:16                     ` Michael Mol
  0 siblings, 1 reply; 33+ messages in thread
From: BRM @ 2012-06-03  2:04 UTC (permalink / raw
  To: gentoo-user@lists.gentoo.org

> From: Michael Mol <mikemol@gmail.com>

> On Sat, Jun 2, 2012 at 8:35 PM, Florian Philipp <lists@binarywings.net> 
> wrote:
>>  Am 03.06.2012 01:36, schrieb Michael Mol:
>>>  On Sat, Jun 2, 2012 at 6:50 PM, pk <peterk2@coolmail.se> wrote:
>>>>  On 2012-06-02 22:10, Michael Mol wrote:
>>> 
>>>  [snip]
>>> 
>>  [...]
>>> 
>>>  The BIOS will only load a signed bootloader. The signed bootloader
>>>  will only load a signed kernel. The signed kernel will...do whatever
>>>  you tell it to do.
>>> 
>> 
>>  According to Matthew's blog post, Fedora patched Grub2 and the kernel 
> to
>>  avoid loading custom code into them:
>>  - Deactivate grub2 plugins
>>  - Sign all kernel modules and disallow unsigned ones
>>  - Prevent access to PCI through userland
>>  - Sanitize the kernel command line
> 
> Yeah, I read his blog post via lwn.net. I forgot some of the details.
> 
> 
>> 
>>>>  What does that mean to a source based "distro"?
>>> 
>>>  It's going to make building and installing grub and the kernel
>>>  trickier; you'll have to get them signed. And that's going to 
> be a
>>>  PITA for anyone who does developers.
>>> 
>>>  What it *really* means is that someone who wants to run Linux as a
>>>  hobbyist or developer is going to disable "SecureBoot", and 
> then fall
>>>  back to business as usual.
>>> 
>> 
>>  Yeah, the only way for Gentoo to have secure boot is a) let each user
>>  register with Microsoft, b) provide a binary kernel and boot loader.
> 
> If you have a need to get a secure Gentoo boot, and you don't need to
> boot Windows 8, then (as I understand it) you can also purge the UEFI
> BIOS of Microsoft's key and install your own.

well, on x86 for now...

> 
>> 
>>>>  Also, I would assume a legitimate key would be able to
>>>>  sign pretty much any binary so a key that Fedora uses could be used 
> to
>>>>  sign malware for Windows, which then would be blacklisted by
>>>>  Microsoft...
>>> 
>>>  If Fedora allows their key to sign crap, then their key will get 
> revoked.
>>> 
>>>  What I hope (I don't know) is whether or not the signing system
>>>  involved allows chaining.  i.e., with SSL, I can generate my own key,
>>>  get it signed by a CA, and then bundle the CA's public key and my
>>>  public key when I go on to sign _another_ key.
>>> 
>>>  So, could I generate a key, have Fedora sign it, and then use my key
>>>  to sign my binaries? If my key is used to do malicious things,
>>>  Fedora's off the hook, and it's only my key which gets revoked.
>>> 
>> 
>>  Consider the exact approach Fedora takes: They've only made a certified
>>  stage-1 boot loader. This boot loader then loads grub2 (signed with a
>>  custom Fedora key, nothing chained back to MS) which then loads a
>>  custom-signed kernel. This allows them to avoid authenticating against
>>  MS every time they update grub or the kernel.
>> 
>>  This means if you want to certify with Fedora, you don't need to chain
>>  up to MS as long as you use their stage-1 boot loader. However, if I was
>>  part of Fedora, I wouldn't risk my key by signing other people's 
> stuff.
>>  Mainboard makers won't look twice when they see rootkits with Fedora
>>  boot loaders.
> 
> Yeah, that's not the kind of thing I was thinking about.
> 
> With SSL's PKI, someone like StartSSL has a CA cert.
> 
> I generate my own key, have StartSSL sign my key. My brother generates
> a key, and I sign his.
> 
> Now my brother takes his key and sends you a signed email.
> 
> Now, you've never heard of me, and the crypto signature attached to
> that email doesn't mean anything. However, if he bundles my public key
> along with his public key in that email, then you can see that my
> public key was signed by someone you _do_ know. Now you have a chain
> of signatures showing the relationship between that email and the root
> CA.
> 
> Now here's the interesting part, and what I was alluding to wrt signed
> binaries and key revocation.
> 
> Let's say _my_ key is leaked. My brother send you an email signed with
> his key. You look at that key, you see that key hasn't been revoked.
> You look at the key that signed that key, and you see that _that_ key
> _has_ been revoked. You can then choose to not trust keys signed by
> that key.
> 
> Now let's say my _brother's_ key is leaked, and so he revokes it. Any
> new emails signed with that key can be seen to be invalid. However,
> _my_ key is still considered valid; I can still sign things with it.
> 
> That's the kind of thing I was thinking about. If you allow key chains
> to be deep, rather than forcing them to be wide, you can wield
> blacklists like a scalpel, rather than a bludgeon.

In theory that's how key signing systems are suppose to work.
In practice, they rarely implement the blacklists as they are (i) hard to maintain,
and (ii) hard to distribute in an effective manner.

Honestly, I don't expect SecureBoot to last very long.
Either MS and the OEMs will be forced to always allow users to disable it,
or they'll be simply drop it - kind of like they did with TPM requirements that were
talked about 10 years back and never came to fruition.

>>>>  and how is malware defined? Anything that would be
>>>>  detrimental to Microsoft?
>>> 
>>>  Dunno. I imagine it comes down to whatever the chief key's owner
>>>  doesn't want running on the same hardware while SecureBoot is enabled.
>>>  Rootkits come to mind.
>>> 
>> 
>>  To quote Matthew:
>>>  If I take a signed Linux bootloader and then use it to boot something
>>>  that looks like an unsigned Linux kernel, I've instead potentially
>>>  just booted a piece of malware. And if that malware can attack
>>>  Windows then the signed Linux bootloader is no longer just a signed
>>>  Linux bootloader, it's a signed Windows malware launcher and 
> that's
>>>  the kind of thing that results in that bootloader being added to the
>>>  list of blacklisted binaries and suddenly your signed Linux
>>>  bootloader isn't even a signed Linux bootloader.
> 
> What kind of signature is the bootloader checking, anyway?

Regardless of the check, it'll never be sufficient.

Ben




^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-03  2:04                   ` BRM
@ 2012-06-03  2:16                     ` Michael Mol
  2012-06-04 13:33                       ` BRM
  0 siblings, 1 reply; 33+ messages in thread
From: Michael Mol @ 2012-06-03  2:16 UTC (permalink / raw
  To: gentoo-user

On Sat, Jun 2, 2012 at 10:04 PM, BRM <bm_witness@yahoo.com> wrote:
>> From: Michael Mol <mikemol@gmail.com>
>

[snip]

>
> In theory that's how key signing systems are suppose to work.
> In practice, they rarely implement the blacklists as they are (i) hard to maintain,
> and (ii) hard to distribute in an effective manner.

Indeed. While Firefox, Chromium, et al check certificate revocation
lists, Microsoft doesn't; they distribute them as part of Windows
Update.

>
> Honestly, I don't expect SecureBoot to last very long.
> Either MS and the OEMs will be forced to always allow users to disable it,
> or they'll be simply drop it - kind of like they did with TPM requirements that were
> talked about 10 years back and never came to fruition.

TPM is still around for organizations which can use them. And,
honestly, I've been annoyed that they haven't been widespread, nor
easy to pick up in the aftermarket. (They come with a random number
generator...just about any HRNG is going to be better than none.)

I see something like SecureBoot as being useful in corporate and
military security contexts. I don't see it lasting in SOHO
environments.

[snip]

>> What kind of signature is the bootloader checking, anyway?
>
> Regardless of the check, it'll never be sufficient.

Sure; ultimately, all DRM solutions get cracked.

-- 
:wq



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-02 23:36             ` Michael Mol
  2012-06-03  0:35               ` Florian Philipp
@ 2012-06-03  6:57               ` Walter Dnes
  2012-06-03 11:07                 ` Florian Philipp
  1 sibling, 1 reply; 33+ messages in thread
From: Walter Dnes @ 2012-06-03  6:57 UTC (permalink / raw
  To: gentoo-user

On Sat, Jun 02, 2012 at 07:36:51PM -0400, Michael Mol wrote

> The BIOS will only load a signed bootloader. The signed bootloader
> will only load a signed kernel.

  OK, so I sign LILO.  What code is in there that prevents LILO from
loading whatever kernel I've compiled?

> The signed kernel will...do whatever you tell it to do.

  Define "kernel"... no... seriously.
1) Could it actually be a hypervisor?

2) Or maybe another copy of LILO which proceeds to load the actual
kernel?

-- 
Walter Dnes <waltdnes@waltdnes.org>



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-03  6:57               ` Walter Dnes
@ 2012-06-03 11:07                 ` Florian Philipp
  0 siblings, 0 replies; 33+ messages in thread
From: Florian Philipp @ 2012-06-03 11:07 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 1775 bytes --]

Am 03.06.2012 08:57, schrieb Walter Dnes:
> On Sat, Jun 02, 2012 at 07:36:51PM -0400, Michael Mol wrote
> 
>> The BIOS will only load a signed bootloader. The signed bootloader
>> will only load a signed kernel.
> 
>   OK, so I sign LILO.  What code is in there that prevents LILO from
> loading whatever kernel I've compiled?
> 

Nothing. The point is, if you sign software that is used (or can be
used) for malware, your key will be blacklisted. That's why Fedora takes
the measures I've listed: They don't want to have their key revoked.

>> The signed kernel will...do whatever you tell it to do.
> 
>   Define "kernel"... no... seriously.
> 1) Could it actually be a hypervisor?
> 
> 2) Or maybe another copy of LILO which proceeds to load the actual
> kernel?
> 

Sure, whatever floats your boat. UEFI only checks the boot loader
directly. After that, it is the boot loader's responsibility to keep the
next stage secure. But if you allow unchecked access to the hardware
through whatever signed code you have, your key will be blacklisted. To
quote Matthew again:

> Secure boot is built on the idea that all code that can touch the
> hardware directly is trusted, and any untrusted code must go through
> the trusted code. This can be circumvented if users can execute
> arbitrary code in the kernel. So, we'll be moving to requiring signed
> kernel modules and locking down certain aspects of kernel
> functionality. The most obvious example is that it won't be possible
> to access PCI regions directly from userspace, which means all
> graphics cards will need kernel drivers. Userspace modesetting will
> be a thing of the past. Again, disabling secure boot will disable
> these restrictions.

Regards,
Florian Philipp


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-02 22:50           ` pk
  2012-06-02 23:36             ` Michael Mol
@ 2012-06-04 12:48             ` Mick
  2012-06-04 12:57               ` Michael Mol
  2012-06-04 17:42               ` pk
  1 sibling, 2 replies; 33+ messages in thread
From: Mick @ 2012-06-04 12:48 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: Text/Plain, Size: 2620 bytes --]

On Saturday 02 Jun 2012 23:50:58 pk wrote:
> On 2012-06-02 22:10, Michael Mol wrote:
> > I expect the chief mechanism is at the manufacturer's end; blacklisted
> > keys get included on shipment.
> 
> Makes sense.
> 
> > It's also probable that the OS kernel can tell the UEFI BIOS about new
> > keys to blacklist. I expect that'll be a recurring thing in the
> > Monthly batch of security updates Microsoft puts out. (Makes sense,
> > really; if malware is using a key, blacklist that key.)
> 
> Yes, would expect something like this. Secure boot supposedly prevents
> "unauthorized firmware, operating systems or UEFI drivers" at boot time.
> So if I interpret this correctly it would mean that if I have, say, an
> old graphics card with an old firmware (vga bios) I can't use it with
> "secure boot". More interestingly, how is an "operating system" defined?
> Does it mean only the kernel itself or does it mean a full-blown OS with
> init and other supporting software? What does that mean to a source
> based "distro"? Also, I would assume a legitimate key would be able to
> sign pretty much any binary so a key that Fedora uses could be used to
> sign malware for Windows, which then would be blacklisted by
> Microsoft... and how is malware defined? Anything that would be
> detrimental to Microsoft?
> 
> > Someone linked to some absolutely terrible stuff being built into
> > Intel's Ivy Bridge...it's plausible it will be possible to deploy
> 
> You mean:
> https://en.wikipedia.org/wiki/Intel_insider#Intel_Insider_and_remote-contro
> l
> 
> ?
> 
> > blacklist key updates over the network within a couple years.
> 
> Well, UEFI already implements remote management:
> http://www.uefi.org/news/UEFI_Overview.pdf (page 13)
> ... so implementing an automatic update over the network, preferably via
> SMM/SMI so that the operating system cannot intervene would be possible
> already today... and you've lost control of your computer.
> 
> I'm putting on my tinfoil hat now and I'm going to pretend it's
> raining... :-/
> 
> Best regards
> 
> Peter K

Can I please join you if you have a spare hat?

On a 3 year old Dell laptop manufactured by the famous and well known Winbond 
Electronics </sarcasm> I see this under lshw:

  *-remoteaccess UNCLAIMED
       vendor: Intel
       physical id: 2
       capabilities: outbound

but have not found a way of interrogating it or in anyway accessing it to 
understand what it is or does ...


Note, this is not a UEFI machine: 

capabilities: smbios-2.6 dmi-2.6 vsyscall32


-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-04 12:48             ` Mick
@ 2012-06-04 12:57               ` Michael Mol
  2012-06-05 12:52                 ` Mick
  2012-06-04 17:42               ` pk
  1 sibling, 1 reply; 33+ messages in thread
From: Michael Mol @ 2012-06-04 12:57 UTC (permalink / raw
  To: gentoo-user

On Mon, Jun 4, 2012 at 8:48 AM, Mick <michaelkintzios@gmail.com> wrote:
> On Saturday 02 Jun 2012 23:50:58 pk wrote:

[snip]

>> I'm putting on my tinfoil hat now and I'm going to pretend it's
>> raining... :-/

> Can I please join you if you have a spare hat?
>
> On a 3 year old Dell laptop manufactured by the famous and well known Winbond
> Electronics </sarcasm> I see this under lshw:
>
>  *-remoteaccess UNCLAIMED
>       vendor: Intel
>       physical id: 2
>       capabilities: outbound
>
> but have not found a way of interrogating it or in anyway accessing it to
> understand what it is or does ...
>
>
> Note, this is not a UEFI machine:
>
> capabilities: smbios-2.6 dmi-2.6 vsyscall32

What proc?

-- 
:wq



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-03  2:16                     ` Michael Mol
@ 2012-06-04 13:33                       ` BRM
  2012-06-04 14:34                         ` Michael Mol
  0 siblings, 1 reply; 33+ messages in thread
From: BRM @ 2012-06-04 13:33 UTC (permalink / raw
  To: gentoo-user@lists.gentoo.org

> From: Michael Mol <mikemol@gmail.com>

>On Sat, Jun 2, 2012 at 10:04 PM, BRM <bm_witness@yahoo.com> wrote:
>>> From: Michael Mol <mikemol@gmail.com>
>[snip]
>> In theory that's how key signing systems are suppose to work.
>> In practice, they rarely implement the blacklists as they are (i) hard to maintain,
>> and (ii) hard to distribute in an effective manner.
>
>Indeed. While Firefox, Chromium, et al check certificate revocation
>lists, Microsoft doesn't; they distribute them as part of Windows
>Update.


Which can then be intercepted by IT in any IT department that stages Windows Update using their own servers.


>> Honestly, I don't expect SecureBoot to last very long.
>> Either MS and the OEMs will be forced to always allow users to disable it,
>> or they'll be simply drop it - kind of like they did with TPM requirements that were
>> talked about 10 years back and never came to fruition.
>
>TPM is still around for organizations which can use them. And,
>honestly, I've been annoyed that they haven't been widespread, nor
>easy to pick up in the aftermarket. (They come with a random number
>generator...just about any HRNG is going to be better than none.)


Yes TPM (originally named Palladium) is still around. However its use is almost non-existent.
When it was proposed, it was to include "SecureBoot" and enable secure Internet transactions, etc.
None of that came to fruition. Now, after over a decade of ignoring it, they are trying it one step at a time, first with SecureBoot.


>I see something like SecureBoot as being useful in corporate and
>military security contexts. I don't see it lasting in SOHO
>environments.


Certain environments as you say may find it useful; but then those environments already have very stringent controls
over the computers in those environments, often to the inability of people to do their job.


>[snip]
>>> What kind of signature is the bootloader checking, anyway?
>> Regardless of the check, it'll never be sufficient.
>Sure; ultimately, all DRM solutions get cracked.


TPM and SecureBoot will by design fail.
We'll see if SecureBoot actually even makes it to market; if it does, expect some Class Action lawsuits to occur.

Ben




^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-04 13:33                       ` BRM
@ 2012-06-04 14:34                         ` Michael Mol
  2012-06-04 21:13                           ` BRM
                                             ` (2 more replies)
  0 siblings, 3 replies; 33+ messages in thread
From: Michael Mol @ 2012-06-04 14:34 UTC (permalink / raw
  To: gentoo-user

On Mon, Jun 4, 2012 at 9:33 AM, BRM <bm_witness@yahoo.com> wrote:
>> From: Michael Mol <mikemol@gmail.com>
>
>>On Sat, Jun 2, 2012 at 10:04 PM, BRM <bm_witness@yahoo.com> wrote:
>>>> From: Michael Mol <mikemol@gmail.com>
>>[snip]
>>> In theory that's how key signing systems are suppose to work.
>>> In practice, they rarely implement the blacklists as they are (i) hard to maintain,
>>> and (ii) hard to distribute in an effective manner.
>>
>>Indeed. While Firefox, Chromium, et al check certificate revocation
>>lists, Microsoft doesn't; they distribute them as part of Windows
>>Update.
>
> Which can then be intercepted by IT in any IT department that stages Windows Update using their own servers.

Only if the workstation is so configured. (i.e. it's joined to the
domain, or has otherwise had configuration placed on it.) It's not
just a matter of setting up a caching proxy server and modifying the
files before they're delivered.

And if you think that's a risk, then consider that your local domain
administrator has the ability to push out the organization CA into
your system cert store as a trusted CA, and can then go on to create
global certs your browser won't complain about.

If you don't own the network, don't expect to be able to do things on
it that the network administrator doesn't want you to do. At the same
time, he can't force (much...see DHCP) configuration onto your machine
without your being aware, at least if you're at least somewhat
responsible in knowing how configuring your machine works.


>>> Honestly, I don't expect SecureBoot to last very long.
>>> Either MS and the OEMs will be forced to always allow users to disable it,
>>> or they'll be simply drop it - kind of like they did with TPM requirements that were
>>> talked about 10 years back and never came to fruition.
>>
>>TPM is still around for organizations which can use them. And,
>>honestly, I've been annoyed that they haven't been widespread, nor
>>easy to pick up in the aftermarket. (They come with a random number
>>generator...just about any HRNG is going to be better than none.)
>
>
> Yes TPM (originally named Palladium) is still around. However its use is almost non-existent.

No, TPM wasn't originally named Palladium. TPM was the keystore
hardware component of a broader system named Palladium. The TPM is
just a keystore and a crypto accelerator, both of which are two things
valuable to _everybody_. The massive backlash against Palladium is at
least part of why even a generally useful hardware component like the
TPM never got distributed. Imagine if the floating-point coprocessor
was ditched in x86 because people thought it was a conspiracy  to
induce difficult-to-resolve math precision errors from careless use of
floating point arithmetic.

The part you're worried about is the curtained memory and hardware
lockout, which it sounds like Intel is distributing with vPro.

> When it was proposed, it was to include "SecureBoot" and enable secure Internet transactions, etc.
> None of that came to fruition. Now, after over a decade of ignoring it, they are trying it one step at a time, first with SecureBoot.
>
>
>>I see something like SecureBoot as being useful in corporate and
>>military security contexts. I don't see it lasting in SOHO
>>environments.
>
>
> Certain environments as you say may find it useful; but then those environments already have very stringent controls
> over the computers in those environments, often to the inability of people to do their job.

The nature of those controls stems at least in part from the ability
to use other means to maintain an overall security policy. With more
tools comes the ability to be more flexible, allowing people to do
more convenient convenient things (such as insert a flash drive or CD
into a computer) at lower risk (it'll be more difficult to
accidentally boot from that flash drive or CD).

It's for similar reasons the Linux kernel has support for fine-grained
access controls; you can grant additional privileges where needed, and
reduce the base set of privileges required.

And here's a use case that might seem worthwhile...Say you've got
hardware with SecureBoot. Now, you don't run Windows, so you don't
care about the UEFI BIOS having Microsoft's key. Instead, you're a
Linux guy, and you're very privacy conscious; perhaps you're a
security consultant or contractor. Or perhaps you're worried about
corporate espionage. Or perhaps you're simply afraid of governments.

You can flush Microsoft's key from BIOS and insert your own. Sign your
bootloader, kernel and initramfs. Set up your / filesystem to be fully
encrypted. And configure things such that if BIOS isn't operating in
SecureBoot mode with your key, it won't even mount and decrypt your /
filesystem.

You've just denied access to any existing forensic tool which would
either examine your hard disk or operate as a rootkit. The only thing
that's going to get your data is a live inspection of your RAM
(tricky! but doable.) or a rubber hose.

>>>> What kind of signature is the bootloader checking, anyway?
>>> Regardless of the check, it'll never be sufficient.
>>Sure; ultimately, all DRM solutions get cracked.
>
> TPM and SecureBoot will by design fail.

Please be aware of the distinction between TPM from Palladium. In
fact, you should probably be aware of the distinction between tools
and policies, too.

> We'll see if SecureBoot actually even makes it to market; if it does, expect some Class Action lawsuits to occur.

We'll see. Don't forget _you can turn the thing off_. I expect the
lawsuits will come around when the ability to turn the thing off or
reconfigure it is removed.

-- 
:wq



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-04 12:48             ` Mick
  2012-06-04 12:57               ` Michael Mol
@ 2012-06-04 17:42               ` pk
  1 sibling, 0 replies; 33+ messages in thread
From: pk @ 2012-06-04 17:42 UTC (permalink / raw
  To: gentoo-user

On 2012-06-04 14:48, Mick wrote:

> Can I please join you if you have a spare hat?

Sure, got lots of (virtual) hats... here's one: ^ (may be a bit small) ;-)

> On a 3 year old Dell laptop manufactured by the famous and well
> known Winbond Electronics </sarcasm> I see this under lshw:
> 
> *-remoteaccess UNCLAIMED vendor: Intel physical id: 2 capabilities:
> outbound
> 
> but have not found a way of interrogating it or in anyway accessing
> it to understand what it is or does ...
> 
> 
> Note, this is not a UEFI machine:
> 
> capabilities: smbios-2.6 dmi-2.6 vsyscall32

https://en.wikipedia.org/wiki/System_Management_BIOS
https://en.wikipedia.org/wiki/Desktop_Management_Interface

SMBIOS does support out-of-band management, which may or may not be
scary, depending on who's in control of it...

https://en.wikipedia.org/wiki/Out-of-band_management

If you have an Intel processor in that laptop that supports vPro, I
would assume it's a "professional" laptop, and as such it might make
sense (assuming the IT department in your company is in control).

Here's an interesting link that describes some of the problems with
modern computers (it's an approx 1 hour long video from Google Tech
talks, regarding coreboot):
https://www.youtube.com/watch?v=X72LgcMpM9k

Best regards

Peter K



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-04 14:34                         ` Michael Mol
@ 2012-06-04 21:13                           ` BRM
  2012-06-04 22:44                             ` Michael Mol
  2012-06-04 22:51                           ` William Kenworthy
  2012-06-05  6:15                           ` Walter Dnes
  2 siblings, 1 reply; 33+ messages in thread
From: BRM @ 2012-06-04 21:13 UTC (permalink / raw
  To: gentoo-user@lists.gentoo.org

> From: Michael Mol <mikemol@gmail.com>

>On Mon, Jun 4, 2012 at 9:33 AM, BRM <bm_witness@yahoo.com> wrote:
>>> From: Michael Mol <mikemol@gmail.com>
>>
>>>On Sat, Jun 2, 2012 at 10:04 PM, BRM <bm_witness@yahoo.com> wrote:
>>>>> From: Michael Mol <mikemol@gmail.com>
>>>[snip]
>>>> In theory that's how key signing systems are suppose to work.
>>>> In practice, they rarely implement the blacklists as they are (i) hard to maintain,
>>>> and (ii) hard to distribute in an effective manner.
>>>
>>>Indeed. While Firefox, Chromium, et al check certificate revocation
>>>lists, Microsoft doesn't; they distribute them as part of Windows
>>>Update.
>>
>> Which can then be intercepted by IT in any IT department that stages Windows Update using their own servers.
>
>Only if the workstation is so configured. (i.e. it's joined to the
>domain, or has otherwise had configuration placed on it.) It's not
>just a matter of setting up a caching proxy server and modifying the
>files before they're delivered.
>
>And if you think that's a risk, then consider that your local domain
>administrator has the ability to push out the organization CA into
>your system cert store as a trusted CA, and can then go on to create
>global certs your browser won't complain about.
>
>If you don't own the network, don't expect to be able to do things on
>it that the network administrator doesn't want you to do. At the same
>time, he can't force (much...see DHCP) configuration onto your machine
>without your being aware, at least if you're at least somewhat
>responsible in knowing how configuring your machine works.


True.

My point was that since Microsoft is using Windows Update to update the CRLs, that the corporate IT departments could decide not to allow the update to go through.
Of course, it's their risk if they don't allow it through. Further, they can push out CRLs even if Microsoft doesn't send them.

But that's not the concern unless you want your device free of the IT department, and that's a wholly different issue.
And of course, they can't change the CA on a WinRT device for SecureBoot.

>>>> Honestly, I don't expect SecureBoot to last very long.
>>>> Either MS and the OEMs will be forced to always allow users to disable it,
>>>> or they'll be simply drop it - kind of like they did with TPM requirements that were
>>>> talked about 10 years back and never came to fruition.
>>>
>>>TPM is still around for organizations which can use them. And,
>>>honestly, I've been annoyed that they haven't been widespread, nor
>>>easy to pick up in the aftermarket. (They come with a random number
>>>generator...just about any HRNG is going to be better than none.)
>>
>>
>> Yes TPM (originally named Palladium) is still around. However its use is almost non-existent.
>
>No, TPM wasn't originally named Palladium. TPM was the keystore
>hardware component of a broader system named Palladium. The TPM is
>just a keystore and a crypto accelerator, both of which are two things
>valuable to _everybody_. The massive backlash against Palladium is at
>least part of why even a generally useful hardware component like the
>TPM never got distributed. Imagine if the floating-point coprocessor
>was ditched in x86 because people thought it was a conspiracy  to
>induce difficult-to-resolve math precision errors from careless use of
>floating point arithmetic.
>
>The part you're worried about is the curtained memory and hardware
>lockout, which it sounds like Intel is distributing with vPro.


TPM, SecureBoot, and Palladium are both beasts which need to be removed.


>> When it was proposed, it was to include "SecureBoot" and enable secure Internet transactions, etc.
>> None of that came to fruition. Now, after over a decade of ignoring it, they are trying it one step at a time, first with SecureBoot.
>>>I see something like SecureBoot as being useful in corporate and
>>>military security contexts. I don't see it lasting in SOHO
>>>environments.
>> Certain environments as you say may find it useful; but then those environments already have very stringent controls
>> over the computers in those environments, often to the inability of people to do their job.
>
>The nature of those controls stems at least in part from the ability
>to use other means to maintain an overall security policy. With more
>tools comes the ability to be more flexible, allowing people to do
>more convenient convenient things (such as insert a flash drive or CD
>into a computer) at lower risk (it'll be more difficult to
>accidentally boot from that flash drive or CD).


How often do people accidentally boot from the wrong device?
It's probably more of an issue for USB devices than floppy/CDs any more, but still.

And why destroy people's ability to boot from USB/CD/Floppy?
Let's not forget this makes it harder for Gentoo (and numerous other distros and OSes) to go on devices.

The user should own and control the device, not a corporate entity (except where said corporate entity purchased the device in the first place).


>It's for similar reasons the Linux kernel has support for fine-grained
>access controls; you can grant additional privileges where needed, and
>reduce the base set of privileges required.


Linux has fine grain control because that's what's required for Common Criteria, and what the NSA implemented for SELinux.

>And here's a use case that might seem worthwhile...Say you've got
>hardware with SecureBoot. Now, you don't run Windows, so you don't
>care about the UEFI BIOS having Microsoft's key. Instead, you're a
>Linux guy, and you're very privacy conscious; perhaps you're a
>security consultant or contractor. Or perhaps you're worried about
>corporate espionage. Or perhaps you're simply afraid of governments.
>
>You can flush Microsoft's key from BIOS and insert your own. Sign your
>bootloader, kernel and initramfs. Set up your / filesystem to be fully
>encrypted. And configure things such that if BIOS isn't operating in
>SecureBoot mode with your key, it won't even mount and decrypt your /
>filesystem.
>
>You've just denied access to any existing forensic tool which would
>either examine your hard disk or operate as a rootkit. The only thing
>that's going to get your data is a live inspection of your RAM
>(tricky! but doable.) or a rubber hose.


Or you just pull the hard drive and do the decryption elsewhere.
All it does is lock you out of your own system, and hand the keys to someone else.

And, on WinRT approved devices you will not be allowed to change the Keys for SecureBoot period (not even corporate IT).
On x86-based Windows devices you'll be allowed to, but it's only a matter of time before Microsoft will try to pull the plug there too.


>>>>> What kind of signature is the bootloader checking, anyway?
>>>> Regardless of the check, it'll never be sufficient.
>>>Sure; ultimately, all DRM solutions get cracked.
>>
>> TPM and SecureBoot will by design fail.
>
>Please be aware of the distinction between TPM from Palladium. In
>fact, you should probably be aware of the distinction between tools
>and policies, too.


That won't resolve the issue.


>> We'll see if SecureBoot actually even makes it to market; if it does, expect some Class Action lawsuits to occur.
>
>We'll see. Don't forget _you can turn the thing off_. I expect the
>lawsuits will come around when the ability to turn the thing off or
>reconfigure it is removed.


As noted, WinRT devices will not allow you to change the keys; they also won't allow you to turn off Secure Boot.
If MS can get SecureBoot out there and keep it enabled, then it's just a matter of time before they try to do the same thing to the rest of the platforms.
So expect the lawsuits to happen if it even gets out to start with.


Ben




^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-04 21:13                           ` BRM
@ 2012-06-04 22:44                             ` Michael Mol
  0 siblings, 0 replies; 33+ messages in thread
From: Michael Mol @ 2012-06-04 22:44 UTC (permalink / raw
  To: gentoo-user

On Mon, Jun 4, 2012 at 5:13 PM, BRM <bm_witness@yahoo.com> wrote:
>> From: Michael Mol <mikemol@gmail.com>
>
>>On Mon, Jun 4, 2012 at 9:33 AM, BRM <bm_witness@yahoo.com> wrote:
>>>> From: Michael Mol <mikemol@gmail.com>
>>>
>>>>On Sat, Jun 2, 2012 at 10:04 PM, BRM <bm_witness@yahoo.com> wrote:
>>>>>> From: Michael Mol <mikemol@gmail.com>

[snip]

>>>>> Honestly, I don't expect SecureBoot to last very long.
>>>>> Either MS and the OEMs will be forced to always allow users to disable it,
>>>>> or they'll be simply drop it - kind of like they did with TPM requirements that were
>>>>> talked about 10 years back and never came to fruition.
>>>>
>>>>TPM is still around for organizations which can use them. And,
>>>>honestly, I've been annoyed that they haven't been widespread, nor
>>>>easy to pick up in the aftermarket. (They come with a random number
>>>>generator...just about any HRNG is going to be better than none.)
>>>
>>>
>>> Yes TPM (originally named Palladium) is still around. However its use is almost non-existent.
>>
>>No, TPM wasn't originally named Palladium. TPM was the keystore
>>hardware component of a broader system named Palladium. The TPM is
>>just a keystore and a crypto accelerator, both of which are two things
>>valuable to _everybody_. The massive backlash against Palladium is at
>>least part of why even a generally useful hardware component like the
>>TPM never got distributed. Imagine if the floating-point coprocessor
>>was ditched in x86 because people thought it was a conspiracy  to
>>induce difficult-to-resolve math precision errors from careless use of
>>floating point arithmetic.
>>
>>The part you're worried about is the curtained memory and hardware
>>lockout, which it sounds like Intel is distributing with vPro.
>
>
> TPM, SecureBoot, and Palladium are both beasts which need to be removed.

I'm still confused by your malice toward the TPM. What part of 'crypto
coprocessor' or 'crypto accelerator' doesn't get you thinking about
faster SSH and SSL connection setup and data transfers?

[snip]

>>The nature of those controls stems at least in part from the ability
>>to use other means to maintain an overall security policy. With more
>>tools comes the ability to be more flexible, allowing people to do
>>more convenient convenient things (such as insert a flash drive or CD
>>into a computer) at lower risk (it'll be more difficult to
>>accidentally boot from that flash drive or CD).
>
>
> How often do people accidentally boot from the wrong device?

You know how many Linux install flash drives are floating around? What
about OS install CDs? A curious artifact of both is that they're left
in systems so _frequently_, they're often designed to proceed back to
a disk-based boot after a timeout.

> It's probably more of an issue for USB devices than floppy/CDs any more, but still.

The Gentoo 12.1 LiveDVD also has the timeout-and-boot. And it's quite
common for people to leave flash drives plugged into systems over boot
cycles; it's like a portable 'My Documents' folder.

>
> And why destroy people's ability to boot from USB/CD/Floppy?

You're not; you can turn off SecureBoot in BIOS, and then boot from
USB or CD as normal. Though why you'd boot from a floppy on a system
that has SecureBoot, I have no idea. (It's questionable whether
systems shipping SecureBoot will even have floppy controllers...)

Being able to disable SecureBoot is going to be _critical_ for
application of diagnostics, forensics and system repair. And if it
comes down to it, you'll likely be able to get those tools signed,
too.

> Let's not forget this makes it harder for Gentoo (and numerous other distros and OSes) to go on devices.

Nobody's forgotten that. Now let's not forget how easy it will be to
turn SecureBoot off. You're likely to have a harder time getting
latest-grade RAM functioning in a brand-new new system, what with
timings and gang modes to contend with.

> The user should own and control the device, not a corporate entity (except where said corporate entity purchased the device in the first place).

Fully concur...and I'm moderately impressed; most people I've seen
argue things like this can't make that distinction.

>>It's for similar reasons the Linux kernel has support for fine-grained
>>access controls; you can grant additional privileges where needed, and
>>reduce the base set of privileges required.
>
>
> Linux has fine grain control because that's what's required for Common Criteria, and what the NSA implemented for SELinux.

SELinux required it because it was necessary. Linux included SELinux
because it's legitimately useful. Anything legitimately useful for
someone else to keep you out of their stuff is legitimately useful for
you to keep them out of yours.

>>And here's a use case that might seem worthwhile...Say you've got
>>hardware with SecureBoot. Now, you don't run Windows, so you don't
>>care about the UEFI BIOS having Microsoft's key. Instead, you're a
>>Linux guy, and you're very privacy conscious; perhaps you're a
>>security consultant or contractor. Or perhaps you're worried about
>>corporate espionage. Or perhaps you're simply afraid of governments.
>>
>>You can flush Microsoft's key from BIOS and insert your own. Sign your
>>bootloader, kernel and initramfs. Set up your / filesystem to be fully
>>encrypted. And configure things such that if BIOS isn't operating in
>>SecureBoot mode with your key, it won't even mount and decrypt your /
>>filesystem.
>>
>>You've just denied access to any existing forensic tool which would
>>either examine your hard disk or operate as a rootkit. The only thing
>>that's going to get your data is a live inspection of your RAM
>>(tricky! but doable.) or a rubber hose.
>
>
> Or you just pull the hard drive and do the decryption elsewhere.

Decryption is not trivial.

> All it does is lock you out of your own system, and hand the keys to someone else.
>
> And, on WinRT approved devices you will not be allowed to change the Keys for SecureBoot period (not even corporate IT).
> On x86-based Windows devices you'll be allowed to, but it's only a matter of time before Microsoft will try to pull the plug there too.
>
>
>>>>>> What kind of signature is the bootloader checking, anyway?
>>>>> Regardless of the check, it'll never be sufficient.
>>>>Sure; ultimately, all DRM solutions get cracked.
>>>
>>> TPM and SecureBoot will by design fail.
>>
>>Please be aware of the distinction between TPM from Palladium. In
>>fact, you should probably be aware of the distinction between tools
>>and policies, too.
>
>
> That won't resolve the issue.
>
>
>>> We'll see if SecureBoot actually even makes it to market; if it does, expect some Class Action lawsuits to occur.
>>
>>We'll see. Don't forget _you can turn the thing off_. I expect the
>>lawsuits will come around when the ability to turn the thing off or
>>reconfigure it is removed.
>
>
> As noted, WinRT devices will not allow you to change the keys; they also won't allow you to turn off Secure Boot.

If I properly understand what's discussed elsewhere in the thread, the
capability to turn off SecureBoot will be required for Windows 8
certification on x86 hardware. So, again, you _will_ be able to turn
it off.

Sure, that may mean you can't access the WinRT subsystem on Windows
with SecureBoot turned off. But you can still boot Linux. Want to boot
Windows and get WinRT? Turn SecureBoot back on and  boot Windows.

Yes, dual-booting is going to be a bigger pain than it already is.
And, honestly, I've never really understood dual-booting; if you spend
a long time in one OS, and a short time in another OS, much (most?) of
the time spend in that secondary OS is going to be spent in updates.
Which makes that secondary OS either very insecure for you, or a very
poor, nigh pointless experience.

> If MS can get SecureBoot out there and keep it enabled, then it's just a matter of time before they try to do the same thing to the rest of the platforms.
> So expect the lawsuits to happen if it even gets out to start with.

I did some googling after your repeated mentions of WinRT. From the
look of things, it's going to be hitting ARM as well as x86. ARM is
going to have a rougher time of it, though. Microsoft is being more
aggressive in that market...and no surprise; ARM platforms are eating
Microsoft's lunch--they're where you want to be in the mobile and
low-power markets. I think it unlikely Microsoft's going to succeed,
though; they're late to the game, and old giants (Nokia, RIM) are
collapsing.

-- 
:wq



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-04 14:34                         ` Michael Mol
  2012-06-04 21:13                           ` BRM
@ 2012-06-04 22:51                           ` William Kenworthy
  2012-06-05  6:15                           ` Walter Dnes
  2 siblings, 0 replies; 33+ messages in thread
From: William Kenworthy @ 2012-06-04 22:51 UTC (permalink / raw
  To: gentoo-user

On Mon, 2012-06-04 at 10:34 -0400, Michael Mol wrote:
> On Mon, Jun 4, 2012 at 9:33 AM, BRM <bm_witness@yahoo.com> wrote:
> >> From: Michael Mol <mikemol@gmail.com>
> >
> >>On Sat, Jun 2, 2012 at 10:04 PM, BRM <bm_witness@yahoo.com> wrote:
> >>>> From: Michael Mol <mikemol@gmail.com>
> >>[snip]
> >>> In theory that's how key signing systems are suppose to work.
...
> >>I see something like SecureBoot as being useful in corporate and
> >>military security contexts. I don't see it lasting in SOHO
> >>environments.
> >
> >
> >...
> 
> And here's a use case that might seem worthwhile...Say you've got
> hardware with SecureBoot. Now, you don't run Windows, so you don't
> care about the UEFI BIOS having Microsoft's key. Instead, you're a
> Linux guy, and you're very privacy conscious; perhaps you're a
> security consultant or contractor. Or perhaps you're worried about
> corporate espionage. Or perhaps you're simply afraid of governments.
> 
> You can flush Microsoft's key from BIOS and insert your own. Sign your
> bootloader, kernel and initramfs. Set up your / filesystem to be fully
> encrypted. And configure things such that if BIOS isn't operating in
> SecureBoot mode with your key, it won't even mount and decrypt your /
> filesystem.
> 
> You've just denied access to any existing forensic tool which would
> either examine your hard disk or operate as a rootkit. The only thing
> that's going to get your data is a live inspection of your RAM
> (tricky! but doable.) or a rubber hose.
> 
...

We have a security researcher at work who specialises in the forensics
side - expert witness in court and does data retrieval etc ... I dont
think he has had anyone seriously try to hide anything yet, but if the
above becomes common in the non-law abiding set, the govt will have it
back doored or dissappeared (banned from sale or heavily controlled).
"Think of the children ..." which is overused here in Oz comes to mind.

Providing tools to strip cell phone data and PC hard disks seems to be a
popular/profitable business to be in at the moment :)

BillK






^ permalink raw reply	[flat|nested] 33+ messages in thread

* [gentoo-user] Re: Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-02  2:26 [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers William Kenworthy
  2012-06-02  7:43 ` Florian Philipp
@ 2012-06-04 23:30 ` Nikos Chantziaras
  1 sibling, 0 replies; 33+ messages in thread
From: Nikos Chantziaras @ 2012-06-04 23:30 UTC (permalink / raw
  To: gentoo-user

On 02/06/12 05:26, William Kenworthy wrote:
> http://boingboing.net/2012/05/31/lockdown-freeopen-os-maker-p.html
>
> and something I had not considered with the whole idea was even bootable
> cd's and usb keys for rescue will need the same privileges ...

We were "chipping" our Playstations and XBOXes, now we'll be chipping 
PCs too. :-/




^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-04 14:34                         ` Michael Mol
  2012-06-04 21:13                           ` BRM
  2012-06-04 22:51                           ` William Kenworthy
@ 2012-06-05  6:15                           ` Walter Dnes
  2 siblings, 0 replies; 33+ messages in thread
From: Walter Dnes @ 2012-06-05  6:15 UTC (permalink / raw
  To: gentoo-user

On Mon, Jun 04, 2012 at 10:34:58AM -0400, Michael Mol wrote
> On Mon, Jun 4, 2012 at 9:33 AM, BRM <bm_witness@yahoo.com> wrote:
> 
> > We'll see if SecureBoot actually even makes it to market; if it
> > does, expect some Class Action lawsuits to occur.
> 
> We'll see. Don't forget _you can turn the thing off_. I expect the
> lawsuits will come around when the ability to turn the thing off or
> reconfigure it is removed.

  The reason there is so much hate for TPM/Palladium/etc is that they're
tied into failed legislation proposed by former South Carolina Senator
Fritz Hollings.  He was jokingly referred to as "the Democrat from
Disney", because he seemed to spend more energy representing big media
than the people of his state.

  Fire up Google and look up the terms...
SSSCA CBDTPA "Fritz chip"

  This was intended to be draconian mandatory DRM on every PC.
Importing or building one without it would result in five to twenty
years in prison, and fines between $50,000 and $1 million.  It would've
effectively outlawed linux.  MS is trying to use its corporate muscle to
do via market manipulation what legislators couldn't.

-- 
Walter Dnes <waltdnes@waltdnes.org>



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-04 12:57               ` Michael Mol
@ 2012-06-05 12:52                 ` Mick
  2012-06-05 14:21                   ` Michael Mol
  0 siblings, 1 reply; 33+ messages in thread
From: Mick @ 2012-06-05 12:52 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: Text/Plain, Size: 968 bytes --]

On Monday 04 Jun 2012 13:57:11 Michael Mol wrote:
> On Mon, Jun 4, 2012 at 8:48 AM, Mick <michaelkintzios@gmail.com> wrote:
> > On Saturday 02 Jun 2012 23:50:58 pk wrote:
> [snip]
> 
> >> I'm putting on my tinfoil hat now and I'm going to pretend it's
> >> raining... :-/
> > 
> > Can I please join you if you have a spare hat?
> > 
> > On a 3 year old Dell laptop manufactured by the famous and well known
> > Winbond Electronics </sarcasm> I see this under lshw:
> > 
> >  *-remoteaccess UNCLAIMED
> >       vendor: Intel
> >       physical id: 2
> >       capabilities: outbound
> > 
> > but have not found a way of interrogating it or in anyway accessing it to
> > understand what it is or does ...
> > 
> > 
> > Note, this is not a UEFI machine:
> > 
> > capabilities: smbios-2.6 dmi-2.6 vsyscall32
> 
> What proc?

If you mean what /proc is this remoteaccess thing in, I don't really know.  
How can I find it?
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-05 12:52                 ` Mick
@ 2012-06-05 14:21                   ` Michael Mol
  2012-06-06  1:14                     ` Bill Kenworthy
  0 siblings, 1 reply; 33+ messages in thread
From: Michael Mol @ 2012-06-05 14:21 UTC (permalink / raw
  To: gentoo-user

On Tue, Jun 5, 2012 at 8:52 AM, Mick <michaelkintzios@gmail.com> wrote:
> On Monday 04 Jun 2012 13:57:11 Michael Mol wrote:
>> On Mon, Jun 4, 2012 at 8:48 AM, Mick <michaelkintzios@gmail.com> wrote:
>> > On Saturday 02 Jun 2012 23:50:58 pk wrote:
>> [snip]
>>
>> >> I'm putting on my tinfoil hat now and I'm going to pretend it's
>> >> raining... :-/
>> >
>> > Can I please join you if you have a spare hat?
>> >
>> > On a 3 year old Dell laptop manufactured by the famous and well known
>> > Winbond Electronics </sarcasm> I see this under lshw:
>> >
>> >  *-remoteaccess UNCLAIMED
>> >       vendor: Intel
>> >       physical id: 2
>> >       capabilities: outbound
>> >
>> > but have not found a way of interrogating it or in anyway accessing it to
>> > understand what it is or does ...
>> >
>> >
>> > Note, this is not a UEFI machine:
>> >
>> > capabilities: smbios-2.6 dmi-2.6 vsyscall32
>>
>> What proc?
>
> If you mean what /proc is this remoteaccess thing in, I don't really know.
> How can I find it?

Sorry...what CPU do you have?

cat /proc/cpuinfo


-- 
:wq



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-05 14:21                   ` Michael Mol
@ 2012-06-06  1:14                     ` Bill Kenworthy
  2012-06-06 19:40                       ` Mick
  0 siblings, 1 reply; 33+ messages in thread
From: Bill Kenworthy @ 2012-06-06  1:14 UTC (permalink / raw
  To: gentoo-user

On Tue, 2012-06-05 at 10:21 -0400, Michael Mol wrote:
> On Tue, Jun 5, 2012 at 8:52 AM, Mick <michaelkintzios@gmail.com> wrote:
> > On Monday 04 Jun 2012 13:57:11 Michael Mol wrote:
> >> On Mon, Jun 4, 2012 at 8:48 AM, Mick <michaelkintzios@gmail.com> wrote:
> >> > On Saturday 02 Jun 2012 23:50:58 pk wrote:
> >> [snip]
> >>
> >> >> I'm putting on my tinfoil hat now and I'm going to pretend it's
> >> >> raining... :-/
> >> >
> >> > Can I please join you if you have a spare hat?
> >> >
> >> > On a 3 year old Dell laptop manufactured by the famous and well known
> >> > Winbond Electronics </sarcasm> I see this under lshw:
> >> >
> >> >  *-remoteaccess UNCLAIMED
> >> >       vendor: Intel
> >> >       physical id: 2
> >> >       capabilities: outbound
> >> >
> >> > but have not found a way of interrogating it or in anyway accessing it to
> >> > understand what it is or does ...
> >> >
> >> >
> >> > Note, this is not a UEFI machine:
> >> >
> >> > capabilities: smbios-2.6 dmi-2.6 vsyscall32
> >>
> >> What proc?
> >
> > If you mean what /proc is this remoteaccess thing in, I don't really know.
> > How can I find it?
> 
> Sorry...what CPU do you have?
> 
> cat /proc/cpuinfo
> 
> 

Maybe this? -
https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface

There is a kernel interface (under power management I think) and I seem
to remember some of my recent motherboards come with it.  If you have a
dell, look up iDRECV which does something similar.  Its not only the
cpu, but the motherboard you need to worry about.

BillK






^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-06  1:14                     ` Bill Kenworthy
@ 2012-06-06 19:40                       ` Mick
  2012-06-06 19:50                         ` Michael Mol
  2012-06-06 23:50                         ` William Kenworthy
  0 siblings, 2 replies; 33+ messages in thread
From: Mick @ 2012-06-06 19:40 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: Text/Plain, Size: 2851 bytes --]

On Wednesday 06 Jun 2012 02:14:45 Bill Kenworthy wrote:
> On Tue, 2012-06-05 at 10:21 -0400, Michael Mol wrote:
> > On Tue, Jun 5, 2012 at 8:52 AM, Mick <michaelkintzios@gmail.com> wrote:
> > > On Monday 04 Jun 2012 13:57:11 Michael Mol wrote:
> > >> On Mon, Jun 4, 2012 at 8:48 AM, Mick <michaelkintzios@gmail.com> wrote:
> > >> > On Saturday 02 Jun 2012 23:50:58 pk wrote:
> > >> [snip]
> > >> 
> > >> >> I'm putting on my tinfoil hat now and I'm going to pretend it's
> > >> >> raining... :-/
> > >> > 
> > >> > Can I please join you if you have a spare hat?
> > >> > 
> > >> > On a 3 year old Dell laptop manufactured by the famous and well
> > >> > known
> > >> > 
> > >> > Winbond Electronics </sarcasm> I see this under lshw:
> > >> >  *-remoteaccess UNCLAIMED
> > >> >  
> > >> >       vendor: Intel
> > >> >       physical id: 2
> > >> >       capabilities: outbound
> > >> > 
> > >> > but have not found a way of interrogating it or in anyway accessing
> > >> > it to understand what it is or does ...
> > >> > 
> > >> > 
> > >> > Note, this is not a UEFI machine:
> > >> > 
> > >> > capabilities: smbios-2.6 dmi-2.6 vsyscall32
> > >> 
> > >> What proc?
> > > 
> > > If you mean what /proc is this remoteaccess thing in, I don't really
> > > know. How can I find it?
> > 
> > Sorry...what CPU do you have?
> > 
> > cat /proc/cpuinfo
> 
> Maybe this? -
> https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface
> 
> There is a kernel interface (under power management I think) and I seem
> to remember some of my recent motherboards come with it.  If you have a
> dell, look up iDRECV which does something similar.  Its not only the
> cpu, but the motherboard you need to worry about.
> 
> BillK

This is my CPU, a first generation i7:

cat /proc/cpuinfo 
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 30
model name	: Intel(R) Core(TM) i7 CPU       Q 720  @ 1.60GHz
stepping	: 5
microcode	: 0x4
cpu MHz		: 933.000
cache size	: 6144 KB
physical id	: 0
siblings	: 8
core id		: 0
cpu cores	: 4
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 11
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov 
pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm 
constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc 
aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm 
sse4_1 sse4_2 popcnt lahf_lm ida dts tpr_shadow vnmi flexpriority ept vpid
bogomips	: 3192.11
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

You note that "power management:" above is empty.

grep-ping the /proc tree for remoteaccess does not bring up anything.
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-06 19:40                       ` Mick
@ 2012-06-06 19:50                         ` Michael Mol
  2012-06-09 13:28                           ` Mick
  2012-06-06 23:50                         ` William Kenworthy
  1 sibling, 1 reply; 33+ messages in thread
From: Michael Mol @ 2012-06-06 19:50 UTC (permalink / raw
  To: gentoo-user

On Wed, Jun 6, 2012 at 3:40 PM, Mick <michaelkintzios@gmail.com> wrote:

[snip]

>
> This is my CPU, a first generation i7:
>
> cat /proc/cpuinfo
> processor       : 0
> vendor_id       : GenuineIntel
> cpu family      : 6
> model           : 30
> model name      : Intel(R) Core(TM) i7 CPU       Q 720  @ 1.60GHz
> stepping        : 5
> microcode       : 0x4
> cpu MHz         : 933.000
> cache size      : 6144 KB
> physical id     : 0
> siblings        : 8
> core id         : 0
> cpu cores       : 4
> apicid          : 0
> initial apicid  : 0
> fpu             : yes
> fpu_exception   : yes
> cpuid level     : 11
> wp              : yes
> flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov
> pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm
> constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc
> aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm
> sse4_1 sse4_2 popcnt lahf_lm ida dts tpr_shadow vnmi flexpriority ept vpid
> bogomips        : 3192.11
> clflush size    : 64
> cache_alignment : 64
> address sizes   : 36 bits physical, 48 bits virtual
> power management:
>
> You note that "power management:" above is empty.
>
> grep-ping the /proc tree for remoteaccess does not bring up anything.

According to Intel's site, your processor has the vPro "feature" in it.

http://ark.intel.com/products/43122/Intel-Core-i7-720QM-Processor-(6M-Cache-1_60-GHz)

Can you find the device you noticed under /sys?


-- 
:wq



^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-06 19:40                       ` Mick
  2012-06-06 19:50                         ` Michael Mol
@ 2012-06-06 23:50                         ` William Kenworthy
  2012-06-07 14:28                           ` Stroller
  1 sibling, 1 reply; 33+ messages in thread
From: William Kenworthy @ 2012-06-06 23:50 UTC (permalink / raw
  To: gentoo-user

> power management:
> 
> You note that "power management:" above is empty.
> 
> grep-ping the /proc tree for remoteaccess does not bring up anything.

I dont mean cpu power management, I meant under the kernel config option
which you may not have enabled. As for the Dell iDREC, google it.

This stuff is "old" in enterprise equipment, and I suspect not widely
used but it is out there.

BillK






^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-06 23:50                         ` William Kenworthy
@ 2012-06-07 14:28                           ` Stroller
  0 siblings, 0 replies; 33+ messages in thread
From: Stroller @ 2012-06-07 14:28 UTC (permalink / raw
  To: gentoo-user


On 7 June 2012, at 00:50, William Kenworthy wrote:
> ...
> I dont mean cpu power management, I meant under the kernel config option
> which you may not have enabled. As for the Dell iDREC, google it.
> 
> This stuff is "old" in enterprise equipment, and I suspect not widely
> used but it is out there.

Did you mean Dell DRAC? 

This is not obsolete at all, although in current models it is branded iDRAC.

I don't believe DRAC remote access is really related to IPMI, however.
I'm pretty sure that IPMI will work with a PowerEdge even lacking the DRAC module.

OP is taking about having a laptop, anyway, so that seems like a clupea rubra.

Stroller.




^ permalink raw reply	[flat|nested] 33+ messages in thread

* Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
  2012-06-06 19:50                         ` Michael Mol
@ 2012-06-09 13:28                           ` Mick
  0 siblings, 0 replies; 33+ messages in thread
From: Mick @ 2012-06-09 13:28 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: Text/Plain, Size: 2103 bytes --]

On Wednesday 06 Jun 2012 20:50:38 Michael Mol wrote:
> On Wed, Jun 6, 2012 at 3:40 PM, Mick <michaelkintzios@gmail.com> wrote:
> 
> [snip]
> 
> > This is my CPU, a first generation i7:
> > 
> > cat /proc/cpuinfo
> > processor       : 0
> > vendor_id       : GenuineIntel
> > cpu family      : 6
> > model           : 30
> > model name      : Intel(R) Core(TM) i7 CPU       Q 720  @ 1.60GHz
> > stepping        : 5
> > microcode       : 0x4
> > cpu MHz         : 933.000
> > cache size      : 6144 KB
> > physical id     : 0
> > siblings        : 8
> > core id         : 0
> > cpu cores       : 4
> > apicid          : 0
> > initial apicid  : 0
> > fpu             : yes
> > fpu_exception   : yes
> > cpuid level     : 11
> > wp              : yes
> > flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
> > mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe
> > syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl
> > xtopology nonstop_tsc aperfmperf pni dtes64 monitor ds_cpl vmx smx est
> > tm2 ssse3 cx16 xtpr pdcm sse4_1 sse4_2 popcnt lahf_lm ida dts tpr_shadow
> > vnmi flexpriority ept vpid bogomips        : 3192.11
> > clflush size    : 64
> > cache_alignment : 64
> > address sizes   : 36 bits physical, 48 bits virtual
> > power management:
> > 
> > You note that "power management:" above is empty.
> > 
> > grep-ping the /proc tree for remoteaccess does not bring up anything.
> 
> According to Intel's site, your processor has the vPro "feature" in it.
> 
> http://ark.intel.com/products/43122/Intel-Core-i7-720QM-Processor-(6M-Cache
> -1_60-GHz)
> 
> Can you find the device you noticed under /sys?

No, nothing when I search for remote or remoteaccess or access ...

If this Intel AMT, or vPRO thingy is outside the MoBo chipset then it may not 
get probed or be accessible by the kernel?

But then, how does lshw see it?

  *-remoteaccess UNCLAIMED
       vendor: Intel
       physical id: 2
       capabilities: outbound   <--what does this mean?  O_O
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[flat|nested] 33+ messages in thread

end of thread, other threads:[~2012-06-09 13:29 UTC | newest]

Thread overview: 33+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-06-02  2:26 [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers William Kenworthy
2012-06-02  7:43 ` Florian Philipp
2012-06-02  8:13   ` pk
2012-06-02 13:00   ` Michael Mol
2012-06-02 13:12     ` Florian Philipp
2012-06-02 19:51       ` pk
2012-06-02 20:10         ` Michael Mol
2012-06-02 22:50           ` pk
2012-06-02 23:36             ` Michael Mol
2012-06-03  0:35               ` Florian Philipp
2012-06-03  1:39                 ` Michael Mol
2012-06-03  2:04                   ` BRM
2012-06-03  2:16                     ` Michael Mol
2012-06-04 13:33                       ` BRM
2012-06-04 14:34                         ` Michael Mol
2012-06-04 21:13                           ` BRM
2012-06-04 22:44                             ` Michael Mol
2012-06-04 22:51                           ` William Kenworthy
2012-06-05  6:15                           ` Walter Dnes
2012-06-03  6:57               ` Walter Dnes
2012-06-03 11:07                 ` Florian Philipp
2012-06-04 12:48             ` Mick
2012-06-04 12:57               ` Michael Mol
2012-06-05 12:52                 ` Mick
2012-06-05 14:21                   ` Michael Mol
2012-06-06  1:14                     ` Bill Kenworthy
2012-06-06 19:40                       ` Mick
2012-06-06 19:50                         ` Michael Mol
2012-06-09 13:28                           ` Mick
2012-06-06 23:50                         ` William Kenworthy
2012-06-07 14:28                           ` Stroller
2012-06-04 17:42               ` pk
2012-06-04 23:30 ` [gentoo-user] " Nikos Chantziaras

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox