Let me see if I understand the current situation. This question was
prompted by the question of a colleague attempting to use OpenSuSE (not
SL nor TUV) on UEFI Secure Boot who was not able to get a reliably
booted running operating environment. The colleague wondered if SL
would fare better.
Depending upon the particular BIOS or BIOS equivalent, using MS Windows
8, it may be possible to disable Secure Boot and allow for SL to be
booted. Secure Boot, and many other technologies put forward by,
through, or under the auspices of the monopoly primarily exist to move
forward the market share, return on investment, and general economic
wealth of the monopoly (not a surprise in oligopolistic non-market
economics).
SL with Fermilab participation is participating in projects that will
allow SL to boot on UEFI Secure Boot hardware without the use of any
monopoly operating environment software or applications -- Microsoft not
required. Presumably, TUV is participating as well as TUV
supported-for-fee environments must be able to reliably boot and run on
UEFI Secure Boot platforms without the use of monopoly software to
enable the booting process. Apple is not a matter for discussion
because Apple provides the entire hardware and software package, and
does not allow the use of MacOS on non-Apple hardware platforms.
Presumably VirtualBox and other means to allow MS Windows to run as a
guest environment has or will have some means to provide UEFI Secure
Boot to MS Windows guests requiring such.
At present, there is no production Linux that will reliably run on all
hardware platforms that use UEFI Secure Boot, but only MS Windows
envirnoments will do so on any hardware platform that proclaims
compliance with the monopoly ("certification").
Is the above substantially correct as of this instant?
Yasha Karant
On 09/24/2013 04:40 PM, Connie Sieh wrote:
> On Tue, 24 Sep 2013, Nico Kadel-Garcia wrote:
>
>> --001a11c379ecc5abcb04e7297e9d
>> Content-Type: text/plain; charset="ISO-8859-1"
>>
>> Down, boy.
>>
>> Scientific Linux is behind the times on available tools, because our
>> favorite upstream vendor has not yet released tools. Tools to work with
>> have been tested, effectively, with Fedora, and I expect our favorite
>> upstream vendor will include tools with release 7.x, which is not yet in
>> alpha or beta release. Check out
>> http://docs.fedoraproject.org/en-US/Fedora/18/html-single/UEFI_Secure_Boot_Guide/index.htmlfor
>>
>> a good breakdown of the issues and trade-offs.
>>
>> UEFI is part of the old "Palladium" project from Microsoft, relabeled as
>> "Trusted Computing". It is aimed squarely at DRM and vendor lock-in, not
>> security, for reasons that I could spend a whole day discussing.In the
>> meantime, yes, you can disalbe it for SL booting if needed, and
>> reasonably
>> expect our favorite upstream vendor to have shims available when
>> version 7
>> is publishedL they're already working well with recent Fedora
>> releases. I'd
>> also *expect* those shims to be workable for SL 7, but someone may
>> have to
>> plunk down some cash to get some keys signed, and spend some extra effort
>> to maintain the security needed for the relevant shims to work well
>> with SL
>> kernels and environments.
>
> Last week at LinuxCon North America the shim developers were still
> developing.
>
> I attended the UEFI Plugfest last week as part of Linux Con. Microsoft
> gave a presentation on UEFI signing. The presentation will be posted to
> uefi.org website.
>
> We are working on this. Fermilab is a member of the UEFI forum .
>
> -Connie Sieh
>
>>
>>
>> On Tue, Sep 24, 2013 at 11:53 AM, Yasha Karant <[log in to unmask]> wrote:
>>
>>> Secure boot is enabled. Evidently, the only means to disable secure
>>> boot
>>> requires that a secure boot loader/configuration program be running --
>>> e.g., the MS proprietary boot loader (typically, supplied as part of MS
>>> Windows 8) must be used to disable secure boat if the UEFI actually
>>> permits
>>> this to be disabled (I have heard of some UEFI implementations that
>>> do not
>>> permit secure boot truly to be disabled).
>>>
>>> If Linux cannot handle this issue, then Linux is finished on all generic
>>> (e.g., not Apple that supplies both the hardware and operating
>>> environment
>>> software under a restrictive proprietary for-profit intellectual
>>> property
>>> license) X86-64 hardware, as (almost?) all current such hardware is MS 8
>>> (UEFI secure boot) compliant.
>>>
>>> Yasha Karant
>>>
>>> On 09/23/2013 10:29 PM, Connie Sieh wrote:
>>>
>>>> On Mon, 23 Sep 2013, Yasha Karant wrote:
>>>>
>>>> A colleague who uses SuSE non-enterprise for his professional
>>>>> (enterprise) workstations has now attempted to load the latest SuSE
>>>>> on a
>>>>> machine with a new generic (aftermarket) "gamer" UEFI X86-64
>>>>> motherboard. It does not properly boot. I do not have any UEFI
>>>>> motherboards, and thus no experience with SL6x on such motherboards.
>>>>>
>>>>
>>>> Is "secure boot" enabled in the UEFI ?
>>>>
>>>>
>>>>> Does anyone? Does SL6x boot correctly (and easily) on a UEFI
>>>>> motherboard? If so, he may switch to SL.
>>>>>
>>>>
>>>> Yes as long as "secure boot" is disabled .
>>>>
>>>>
>>>>> Yasha Karant
>>>>>
>>>>>
>>>> -connie sieh
>>>>
>>>
>>
>> --001a11c379ecc5abcb04e7297e9d
>> Content-Type: text/html; charset="ISO-8859-1"
>> Content-Transfer-Encoding: quoted-printable
>>
>> <div dir=3D"ltr"><div><div><div>Down, boy.<br><br></div>Scientific
>> Linux is=
>> behind the times on available tools, because our favorite upstream
>> vendor =
>> has not yet released tools. Tools to work with have been tested,
>> effectivel=
>> y, with Fedora, and I expect our favorite upstream vendor will include
>> tool=
>> s with release 7.x, which is not yet in alpha or beta release. Check
>> out <a=
>> href=3D"http://docs.fedoraproject.org/en-US/Fedora/18/html-single/UEFI_Sec=
>>
>> ure_Boot_Guide/index.html">http://docs.fedoraproject.org/en-US/Fedora/18/ht=
>>
>> ml-single/UEFI_Secure_Boot_Guide/index.html</a> for a good breakdown
>> of the=
>> issues and trade-offs.<br>
>> <br></div>UEFI is part of the old "Palladium" project from
>> Micros=
>> oft, relabeled as "Trusted Computing". It is aimed squarely
>> at DR=
>> M and vendor lock-in, not security, for reasons that I could spend a
>> whole =
>> day discussing.In the meantime, yes, you can disalbe it for SL booting
>> if n=
>> eeded, and reasonably expect our favorite upstream vendor to have
>> shims ava=
>> ilable when version 7 is publishedL they're already working well
>> with r=
>> ecent Fedora releases. I'd also *expect* those shims to be
>> workable for=
>> SL 7, but someone may have to plunk down some cash to get some keys
>> signed=
>> , and spend some extra effort to maintain the security needed for the
>> relev=
>> ant shims to work well with SL kernels and environments.<br>
>> </div></div><div class=3D"gmail_extra"><br><br><div
>> class=3D"gmail_quote">O=
>> n Tue, Sep 24, 2013 at 11:53 AM, Yasha Karant <span dir=3D"ltr"><<a
>> href=
>> =3D"mailto:[log in to unmask]"
>> target=3D"_blank">[log in to unmask]</a>></=
>> span> wrote:<br>
>> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
>> .8ex;border-left:1p=
>> x #ccc solid;padding-left:1ex">Secure boot is enabled. =A0Evidently,
>> the on=
>> ly means to disable secure boot requires that a secure boot
>> loader/configur=
>> ation program be running -- e.g., the MS proprietary boot loader
>> (typically=
>> , supplied as part of MS Windows 8) must be used to disable secure
>> boat if =
>> the UEFI actually permits this to be disabled (I have heard of some
>> UEFI im=
>> plementations that do not permit secure boot truly to be disabled).<br>
>>
>> <br>
>> If Linux cannot handle this issue, then Linux is finished on all
>> generic (e=
>> .g., not Apple that supplies both the hardware and operating
>> environment so=
>> ftware under a restrictive proprietary for-profit intellectual
>> property lic=
>> ense) X86-64 hardware, as (almost?) all current such hardware is MS 8
>> (UEFI=
>> secure boot) compliant.<br>
>>
>> <br>
>> Yasha Karant<br>
>> <br>
>> On 09/23/2013 10:29 PM, Connie Sieh wrote:<br>
>> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
>> .8ex;border-left:1p=
>> x #ccc solid;padding-left:1ex">
>> On Mon, 23 Sep 2013, Yasha Karant wrote:<br>
>> <br>
>> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
>> .8ex;border-left:1p=
>> x #ccc solid;padding-left:1ex">
>> A colleague who uses SuSE non-enterprise for his professional<br>
>> (enterprise) workstations has now attempted to load the latest SuSE on
>> a<br=
>>>
>> machine with a new generic (aftermarket) "gamer" UEFI
>> =A0X86-64<b=
>> r>
>> motherboard. =A0It does not properly boot. =A0I do not have any UEFI<br>
>> motherboards, and thus no experience with SL6x on such motherboards.<br>
>> </blockquote>
>> <br>
>> Is "secure boot" enabled in the UEFI ?<br>
>> <br>
>> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
>> .8ex;border-left:1p=
>> x #ccc solid;padding-left:1ex">
>> <br>
>> Does anyone? =A0Does SL6x boot correctly (and easily) on a UEFI<br>
>> motherboard? =A0If so, he may switch to SL.<br>
>> </blockquote>
>> <br>
>> Yes as long as "secure boot" is disabled .<br>
>> <br>
>> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
>> .8ex;border-left:1p=
>> x #ccc solid;padding-left:1ex">
>> <br>
>> Yasha Karant<br>
>> <br>
>> </blockquote>
>> <br>
>> -connie sieh<br>
>> </blockquote>
>> </blockquote></div><br></div>
>>
>> --001a11c379ecc5abcb04e7297e9d--
>>
|
