1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-discuss] FSF anf UEFI SecureBoot
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20FSF%20anf%20UEFI%20SecureBoot&In-Reply-To=%3CCAMkUjuHaG5Lq2wm768FkXmxvC2NEwPCypZmN%3DOQsPEcEpw9rHA%40mail.gmail.com%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="009028.html">
<LINK REL="Next" HREF="009031.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-discuss] FSF anf UEFI SecureBoot</H1>
<B>Ludovic V Meyer</B>
<A HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20FSF%20anf%20UEFI%20SecureBoot&In-Reply-To=%3CCAMkUjuHaG5Lq2wm768FkXmxvC2NEwPCypZmN%3DOQsPEcEpw9rHA%40mail.gmail.com%3E"
TITLE="[Mageia-discuss] FSF anf UEFI SecureBoot">ludo.v.meyer at gmail.com
</A><BR>
<I>Mon Dec 31 15:53:51 CET 2012</I>
<P><UL>
<LI>Previous message: <A HREF="009028.html">[Mageia-discuss] FSF anf UEFI SecureBoot
</A></li>
<LI>Next message: <A HREF="009031.html">[Mageia-discuss] FSF anf UEFI SecureBoot
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#9030">[ date ]</a>
<a href="thread.html#9030">[ thread ]</a>
<a href="subject.html#9030">[ subject ]</a>
<a href="author.html#9030">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>2012/12/30 AL13N <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-discuss">alien at rmail.be</A>>
><i> Op zondag 30 december 2012 21:17:38 schreef Ludovic V Meyer:
</I>><i> > Except it does let 3rd parties OS boot, at least on X86, since the norm
</I>><i> > mandate it.
</I>><i> > And for arm tablet, no one reacted when Apple, Acer, Samsung, Archos and
</I>><i> > lots of others locked down their devices, so trying to argue that we now
</I>><i> > expect them to be open would not work.
</I>><i>
</I>><i> actually, they didn't. you can root each of those iinm.
</I>><i>
</I>
Using 3rd exploit is not really what I call open, they are not supported,
likely against DMCA most of the time, and IMHO not reliable.
Not to mention that it requires a manual intervention on each device. If we
take the example of Apple, they closed every hole after a while when it was
practical to do,and used the existing leagal way to prevent them ( see in
2009,
the update of the developper agreement ). And since I know you will surely
talk of if, the DCMA ruling for jailbreaking is just for phone, because
unlike France, telcos in USA do not have to unlock your phone after a few
months.
Not to mention that afaik, despites them being "not closed" by your
definition, stuff like Iphonelinux are all dead in the water.
Cyanogenmod only exist because from time to time, Google do a code drop,
and they still suffer from needing a custom fork of the kernel.
So if the goal is "to be able to run what I want on my device", that's
something that can already be done for applications. What people should say
is "running what I want provided no money directly leave my pocket, but I
do not mind spending days figuring how to do it, cause I prefer spend 1
week than giving 100 bucks".
this is about having a secure key hardcoded "burned" in the device, which is
><i> both stupid and annoying. because since apps need to be secured too, too
</I>><i> many
</I>><i> people have access to the root key. which means the chance of leak is
</I>><i> higher.
</I>><i> which means that your devices need to be thrown out when the rootkey is
</I>><i> compromised or when it's deemed obsolete and a new key will be in place.
</I>><i>
</I>
The key is handled by Verisign, and since that's their jobs since around 18
years, I think they are qualified to do it.
How many time in 18 years was the root cert of Verisign be compromised ?
Also, you are totally wrong about throwing the device if the key is leaked.
This happened to the PS3 due to the world-record breaking ignorance of Sony
( or one sub contractor ), and AFAIK, the PS3 all around the world still
work ( and also, no one formally complained about gaming consoles being
closed, despite some of them just being powerful PCs ). The same goes for
various phones/tablet who have been broken this way ( like the Asus
transformer, AFAIK ).
Burning a key in silicium is what Apple have been doing since a long time.
That's also the modus operandi of TPM modules. They are used by several
banking institutions as a way to make sure the harddrive is protected with
bitlocker ( cause you do not want your highest executive laptops to be
stolen and that this cause privacy and security issues ). IE, that is
viewed as sufficient for FIPS certification and usage for military grade or
banking grade security. And I am pretty sure the private key is stored in
some HSM like the nShield solo or similar device.
Not everybody work like your client ( the one we talked about yesterday on
IRC, if I am not wrong ). Some people take security seriously, and check
what happens. But that's not security of the root key that matter, since no
one ever asked for public scrutiny or a independent audit.
the thing here is that since you buy a device, it's yours and you can do
><i> what
</I>><i> you want with it. why would you give other parties control over your
</I>><i> device?
</I>><i> it's stupid. there needs to be a way as an owner to decide which root keys
</I>><i> you
</I>><i> trust or not.
</I>><i>
</I>
You do not give control to another party, you delegate trust handling to
another party.
That's exactly what you do with a browser. Or your bank, or anything in
life.
Again, the norm mandate to be able to disable secureboot on x86 and to
choose the key. The whole petition is about those that do not follow the
norm, and for those, the incentive was to not being Windows 8 certified. So
as annoying this will be, that's the best way to find something that let
you run Linux.
><i> > And regarding using consumer protection channels, no one did anything to
</I>><i> > make anything move since one year despite being widely publicized on
</I>><i> > various blogs, so how is your proposal different ?
</I>><i> >
</I>><i> > Talk is cheap, if every people who proposed that ( for example, on
</I>><i> slashdot
</I>><i> > or various foras where nerds are discussing ), someone would have started
</I>><i> > the work by the time. No one did, and that's because everybody that would
</I>><i> > be serious enough know this is built on wrong assumptions.
</I>><i>
</I>><i> in the end talk is cheap and noone does anything about it. or rather
</I>><i> instead
</I>><i> of working together, all the companies who back the major linuxes decide
</I>><i> to go
</I>><i> down the easy route. (like subscribing into the microsoft program and using
</I>><i> their root key...)
</I>><i>
</I>
All plans that requires someone else to do anything is just a way to blame
failure to someone else. If you delegate all your action to someone else,
you lose the right to complain about this group not doing what you want.
Only delusional fools would believe otherwise.
In fact, hardware not working on Linux is a decades old problem. We all
have seen how boycott worked so well to have more hardware supported on
linux, and how people happily trade freedom for convenience ( like nvidia
drivers, printers, etc, etc ). People should just do a reality check from
time to time before proposing the same plan again and again. Last time I
checked, humans didn't evolve from goldfish, so maybe we could stop acting
like them.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/mageia-discuss/attachments/20121231/5a18e88e/attachment.html>
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="009028.html">[Mageia-discuss] FSF anf UEFI SecureBoot
</A></li>
<LI>Next message: <A HREF="009031.html">[Mageia-discuss] FSF anf UEFI SecureBoot
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#9030">[ date ]</a>
<a href="thread.html#9030">[ thread ]</a>
<a href="subject.html#9030">[ subject ]</a>
<a href="author.html#9030">[ author ]</a>
</LI>
</UL>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-discuss">More information about the Mageia-discuss
mailing list</a><br>
</body></html>
|
