LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

February 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS February 2013

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Installing on a new laptop
From:	zxq9 <[log in to unmask]>
Reply To:	zxq9 <[log in to unmask]>
Date:	Wed, 27 Feb 2013 21:27:36 +0900
Content-Type:	text/plain
Parts/Attachments:	text/plain (79 lines)

On 02/27/2013 04:20 AM, Paul Robert Marino wrote:
> I have an X120e as well and simply changing the hard drive doesn't fix
> the eufi issue.
> the first answer to this string is correct with two cavorts RedHat got
> two signed certs one fro RHEL and the other for Fedora. apparently the
> process was a nightmare but they will work with secure boot. for that
> reason I run fedora as my primary os on my laptop and if i have to do
> any Scientific Linux testing I run it in a VM
> (and yes an AMD fusion chip can runs a single VM surprisingly well)..

We supply our customers with Linux and dual-boot systems, and recently 
have run headlong into the UEFI madness. Any new consumer-grade x86 
system will have an escape key on boot that gets you into setup the same 
way old BIOS-based boards did (this can be tricky with keyboardless 
tablets -- sometimes a USB keyboard can work, sometimes its just plain 
random like pressing a volume button or something). The weird part with 
UEFI is that the key is hidden, non-standard between makers -- even 
different between board models, never announced on the boot screen, has 
an amazingly short activation window (usually 1 second), and (so far in 
our experience) never mentioned in any vendor documentation other than 
(occasionally) Toshiba laptop manuals. We've resorted to playing "F-key 
piano" within when testing new models. Silly, but it often works.

Within the UEFI setup there will be an option for enabling "UEFI" or 
"CRM" and changing the boot source order. "CRM" indicates a BIOS-style 
boot and works with anything BIOS booting did. UEFI is, of course, UEFI, 
and requires a key. There is supposedly a way to insert your own key 
into the UEFI registry so that you can sign your own bootloaders, but 
I've seen zero evidence of this myself.

Its almost like someone is trying to kill off the smaller OS and 
hardware vendors and make corporate IT into an Old Boys' club again -- 
but such a sweeping conspiracy would have raised an outcry somewhere...?

There is a silver lining. The board makers themselves are out to sell 
boards and laptops and tablets and can be reasoned with. My company is 
an extremely small player in the hardware field but we've had positive 
response from vendors when inquiring about having our own keys included 
on boards alongside Microsoft's when doing bulk orders. We haven't had 
to go that route yet so I'm unsure how much of a pain that would 
actually be to manage (doesn't appear much more difficult than managing 
repository keys though, for example), but this leaves the door open for 
even tiny computing companies and larger IT departments to arrange for 
their own "secure" boot keys to be pre-installed by the board 
manufacturers and not violate Microsoft's requirements, even on ARM. 
That said, since we don't do showroom marketing anyway neither we nor 
our suppliers have a need to put little "Windows8 Ready" stickers on 
anything they ship to us anyway.

 From a security perspective it is important to note that physical 
access to a system still equates to compromise and UEFI can't do 
anything to prevent that. It is also interesting to note that as we've 
thought through security compromise based on the boot cycle, leaving the 
Windows key alongside our key leaves a door open for someone to write 
malware that is based on a valid version of Windows that runs the "real" 
system in a VM anyway, and there isn't a clean way out of that.

Blah blah blah. My point is that there is a possibility for OS 
suppliers/providers to provide their own UEFI keys because board makers 
are willing to play ball (so far). This does require, however, that at 
the smaller level OS and hardware vendors have to merge or coordinate 
somewhat in practice -- but as we've found over the last few years, when 
you do the software you start wanting to do the hardware, too, so it 
works out. The downside is that unless you're already established or 
have the investment backing required to maintain an entire OS yourself 
it will be pretty much impossible to start a non-Windows computing 
company from here on out

If we sensed much demand for consumer-end (as in, personal, not 
business) systems running $distro then we'd probably jump on the chance 
to run our own UEFI-based program -- but we're troubled by the idea that 
doing so would lock buyers of our hardware into $distro (or at least our 
bootloader, depending on how things were set up) the same way MS has 
done, and that isn't really something we see as a competitive advantage 
in a market niche loaded with hordes of people who want to/need to try 
out different things on their own. Tricky.

-z

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV