On Tue, 24 Sep 2013, Yasha Karant wrote:
> Let me see if I understand the current situation. This question was
> prompted by the question of a colleague attempting to use OpenSuSE (not
> SL nor TUV) on UEFI Secure Boot who was not able to get a reliably
> booted running operating environment. The colleague wondered if SL
> would fare better.
>
> Depending upon the particular BIOS or BIOS equivalent, using MS Windows
> 8, it may be possible to disable Secure Boot and allow for SL to be
Using is not the "official status", it is "Windows 8 logo" use that
dictates secure boot. And if it is enabled then it is required to have a
way to disable it. Please give the vendors a chance with turning secure
boot off.
> booted. Secure Boot, and many other technologies put forward by,
> through, or under the auspices of the monopoly primarily exist to move
> forward the market share, return on investment, and general economic
> wealth of the monopoly (not a surprise in oligopolistic non-market
> economics).
>
> SL with Fermilab participation is participating in projects that will
> allow SL to boot on UEFI Secure Boot hardware without the use of any
This is only planned for SL 7 as RHEL 7 is expected to have secure boot
ability.
> monopoly operating environment software or applications -- Microsoft not
> required. Presumably, TUV is participating as well as TUV
> supported-for-fee environments must be able to reliably boot and run on
> UEFI Secure Boot platforms without the use of monopoly software to
> enable the booting process. Apple is not a matter for discussion
> because Apple provides the entire hardware and software package, and
> does not allow the use of MacOS on non-Apple hardware platforms.
> Presumably VirtualBox and other means to allow MS Windows to run as a
> guest environment has or will have some means to provide UEFI Secure
> Boot to MS Windows guests requiring such.
Since the requirement is to be allowed to use the "windows 8 logo" not
sure that this would be a issue .
>
> At present, there is no production Linux that will reliably run on all
> hardware platforms that use UEFI Secure Boot
That is true if you include Windows ARM systems because of the inability
to disable "Secure Boot" . x86_64 systems are a work in progress.
Depends on your definition of "production Linux". Ubuntu 12.04.4 LTS
should work.
-Connie Sieh
> but only MS Windows
> envirnoments will do so on any hardware platform that proclaims
> compliance with the monopoly ("certification").
>
> Is the above substantially correct as of this instant?
>
> Yasha Karant
>
> On 09/24/2013 04:40 PM, Connie Sieh wrote:
>> On Tue, 24 Sep 2013, Nico Kadel-Garcia wrote:
>>
>>> --001a11c379ecc5abcb04e7297e9d
>>> Content-Type: text/plain; charset="ISO-8859-1"
>>>
>>> Down, boy.
>>>
>>> Scientific Linux is behind the times on available tools, because our
>>> favorite upstream vendor has not yet released tools. Tools to work with
>>> have been tested, effectively, with Fedora, and I expect our favorite
>>> upstream vendor will include tools with release 7.x, which is not yet in
>>> alpha or beta release. Check out
>>> http://docs.fedoraproject.org/en-US/Fedora/18/html-single/UEFI_Secure_Boot_Guide/index.htmlfor
>>>
>>> a good breakdown of the issues and trade-offs.
>>>
>>> UEFI is part of the old "Palladium" project from Microsoft, relabeled as
>>> "Trusted Computing". It is aimed squarely at DRM and vendor lock-in, not
>>> security, for reasons that I could spend a whole day discussing.In the
>>> meantime, yes, you can disalbe it for SL booting if needed, and
>>> reasonably
>>> expect our favorite upstream vendor to have shims available when
>>> version 7
>>> is publishedL they're already working well with recent Fedora
>>> releases. I'd
>>> also *expect* those shims to be workable for SL 7, but someone may
>>> have to
>>> plunk down some cash to get some keys signed, and spend some extra effort
>>> to maintain the security needed for the relevant shims to work well
>>> with SL
>>> kernels and environments.
>>
>> Last week at LinuxCon North America the shim developers were still
>> developing.
>>
>> I attended the UEFI Plugfest last week as part of Linux Con. Microsoft
>> gave a presentation on UEFI signing. The presentation will be posted to
>> uefi.org website.
>>
>> We are working on this. Fermilab is a member of the UEFI forum .
>>
>> -Connie Sieh
>>
>>>
>>>
>>> On Tue, Sep 24, 2013 at 11:53 AM, Yasha Karant <[log in to unmask]> wrote:
>>>
>>>> Secure boot is enabled. Evidently, the only means to disable secure
>>>> boot
>>>> requires that a secure boot loader/configuration program be running --
>>>> e.g., the MS proprietary boot loader (typically, supplied as part of MS
>>>> Windows 8) must be used to disable secure boat if the UEFI actually
>>>> permits
>>>> this to be disabled (I have heard of some UEFI implementations that
>>>> do not
>>>> permit secure boot truly to be disabled).
>>>>
>>>> If Linux cannot handle this issue, then Linux is finished on all generic
>>>> (e.g., not Apple that supplies both the hardware and operating
>>>> environment
>>>> software under a restrictive proprietary for-profit intellectual
>>>> property
>>>> license) X86-64 hardware, as (almost?) all current such hardware is MS 8
>>>> (UEFI secure boot) compliant.
>>>>
>>>> Yasha Karant
>>>>
>>>> On 09/23/2013 10:29 PM, Connie Sieh wrote:
>>>>
>>>>> On Mon, 23 Sep 2013, Yasha Karant wrote:
>>>>>
>>>>> A colleague who uses SuSE non-enterprise for his professional
>>>>>> (enterprise) workstations has now attempted to load the latest SuSE
>>>>>> on a
>>>>>> machine with a new generic (aftermarket) "gamer" UEFI X86-64
>>>>>> motherboard. It does not properly boot. I do not have any UEFI
>>>>>> motherboards, and thus no experience with SL6x on such motherboards.
>>>>>>
>>>>>
>>>>> Is "secure boot" enabled in the UEFI ?
>>>>>
>>>>>
>>>>>> Does anyone? Does SL6x boot correctly (and easily) on a UEFI
>>>>>> motherboard? If so, he may switch to SL.
>>>>>>
>>>>>
>>>>> Yes as long as "secure boot" is disabled .
>>>>>
>>>>>
>>>>>> Yasha Karant
>>>>>>
>>>>>>
>>>>> -connie sieh
>>>>>
>>>>
>>>
>>> --001a11c379ecc5abcb04e7297e9d
>>> Content-Type: text/html; charset="ISO-8859-1"
>>> Content-Transfer-Encoding: quoted-printable
>>>
>>> <div dir=3D"ltr"><div><div><div>Down, boy.<br><br></div>Scientific
>>> Linux is=
>>> behind the times on available tools, because our favorite upstream
>>> vendor =
>>> has not yet released tools. Tools to work with have been tested,
>>> effectivel=
>>> y, with Fedora, and I expect our favorite upstream vendor will include
>>> tool=
>>> s with release 7.x, which is not yet in alpha or beta release. Check
>>> out <a=
>>> href=3D"http://docs.fedoraproject.org/en-US/Fedora/18/html-single/UEFI_Sec=
>>>
>>> ure_Boot_Guide/index.html">http://docs.fedoraproject.org/en-US/Fedora/18/ht=
>>>
>>> ml-single/UEFI_Secure_Boot_Guide/index.html</a> for a good breakdown
>>> of the=
>>> issues and trade-offs.<br>
>>> <br></div>UEFI is part of the old "Palladium" project from
>>> Micros=
>>> oft, relabeled as "Trusted Computing". It is aimed squarely
>>> at DR=
>>> M and vendor lock-in, not security, for reasons that I could spend a
>>> whole =
>>> day discussing.In the meantime, yes, you can disalbe it for SL booting
>>> if n=
>>> eeded, and reasonably expect our favorite upstream vendor to have
>>> shims ava=
>>> ilable when version 7 is publishedL they're already working well
>>> with r=
>>> ecent Fedora releases. I'd also *expect* those shims to be
>>> workable for=
>>> SL 7, but someone may have to plunk down some cash to get some keys
>>> signed=
>>> , and spend some extra effort to maintain the security needed for the
>>> relev=
>>> ant shims to work well with SL kernels and environments.<br>
>>> </div></div><div class=3D"gmail_extra"><br><br><div
>>> class=3D"gmail_quote">O=
>>> n Tue, Sep 24, 2013 at 11:53 AM, Yasha Karant <span dir=3D"ltr"><<a
>>> href=
>>> =3D"mailto:[log in to unmask]"
>>> target=3D"_blank">[log in to unmask]</a>></=
>>> span> wrote:<br>
>>> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
>>> .8ex;border-left:1p=
>>> x #ccc solid;padding-left:1ex">Secure boot is enabled. =A0Evidently,
>>> the on=
>>> ly means to disable secure boot requires that a secure boot
>>> loader/configur=
>>> ation program be running -- e.g., the MS proprietary boot loader
>>> (typically=
>>> , supplied as part of MS Windows 8) must be used to disable secure
>>> boat if =
>>> the UEFI actually permits this to be disabled (I have heard of some
>>> UEFI im=
>>> plementations that do not permit secure boot truly to be disabled).<br>
>>>
>>> <br>
>>> If Linux cannot handle this issue, then Linux is finished on all
>>> generic (e=
>>> .g., not Apple that supplies both the hardware and operating
>>> environment so=
>>> ftware under a restrictive proprietary for-profit intellectual
>>> property lic=
>>> ense) X86-64 hardware, as (almost?) all current such hardware is MS 8
>>> (UEFI=
>>> secure boot) compliant.<br>
>>>
>>> <br>
>>> Yasha Karant<br>
>>> <br>
>>> On 09/23/2013 10:29 PM, Connie Sieh wrote:<br>
>>> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
>>> .8ex;border-left:1p=
>>> x #ccc solid;padding-left:1ex">
>>> On Mon, 23 Sep 2013, Yasha Karant wrote:<br>
>>> <br>
>>> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
>>> .8ex;border-left:1p=
>>> x #ccc solid;padding-left:1ex">
>>> A colleague who uses SuSE non-enterprise for his professional<br>
>>> (enterprise) workstations has now attempted to load the latest SuSE on
>>> a<br=
>>>>
>>> machine with a new generic (aftermarket) "gamer" UEFI
>>> =A0X86-64<b=
>>> r>
>>> motherboard. =A0It does not properly boot. =A0I do not have any UEFI<br>
>>> motherboards, and thus no experience with SL6x on such motherboards.<br>
>>> </blockquote>
>>> <br>
>>> Is "secure boot" enabled in the UEFI ?<br>
>>> <br>
>>> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
>>> .8ex;border-left:1p=
>>> x #ccc solid;padding-left:1ex">
>>> <br>
>>> Does anyone? =A0Does SL6x boot correctly (and easily) on a UEFI<br>
>>> motherboard? =A0If so, he may switch to SL.<br>
>>> </blockquote>
>>> <br>
>>> Yes as long as "secure boot" is disabled .<br>
>>> <br>
>>> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
>>> .8ex;border-left:1p=
>>> x #ccc solid;padding-left:1ex">
>>> <br>
>>> Yasha Karant<br>
>>> <br>
>>> </blockquote>
>>> <br>
>>> -connie sieh<br>
>>> </blockquote>
>>> </blockquote></div><br></div>
>>>
>>> --001a11c379ecc5abcb04e7297e9d--
>>>
>
|
