• Torvalds clarifies Linux's Windows 8 Secure Boot position

          
    av
    Rune.K
    Betygsätt den här artikeln
    Publicerad 2013-02-28 21:54      Antal visningar: 346  
    1 Kommentar Kommentarer
    Summary: The fuss over how to handle Windows 8 PC's Secure Boot keys in desktop Linux continues and Linus Torvalds spells out how he wants to see it handled.

    No one, but no one, in the Linux community likes Microsoft's mandated deployment of the Unified Extensible Firmware Interface (UEFI) Secure Boot option in Windows 8 certified PCs. But, how Linux should handle the fixes required to deal with this problem remains a hot-button issue. Now, as the debate continues hot and heavy, Linus Torvalds, Linux's founder and de facto leader, spells out how he thinks Linux should deal with Secure Boot keys.

    Torvalds was mad as hell with proposals to place Secure Boot keys and their management into the Linux kernel itself. Torvalds called the idea "moronic."

    That said, there still needs to be some way to deal with the necessary evil of Secure Boot key management. Or, does there?

    Part of the concern driving the desire to manage Secure Boot at a low-level in Linux is that a Microsoft-signed, Linux Secure Boot key might be used to hack systems. If that were to happen, some developers fear that Microsoft would disable the key. This would have the effect of disabling Linux PCs using that Secure Boot key. And, no one wants that.

    Läs hela artikeln.

    1. Kategorier:
    2. Artikelarkiv 2013
    Kommentarer 1 Kommentar
    1. Rune.Ks avatar
      Rune.K - 2013-02-28, 22:11
      Det här avsnittet gillar jag:
      And what does Torvalds himself think about all this? He's not happy. "Stop the fear mongering already."

      Torvalds then goes on, in his own take-no-prisoners style, to suggest a plan on how to deal with Secure Boot signed keys and modules, which "is based on REAL SECURITY and on PUTTING THE USER FIRST instead of your continual 'let's please Microsoft by doing idiotic crap' approach.' "
      Specifically:

      • A distro should sign its own modules AND NOTHING ELSE by default. And it damn well shouldn't allow any other modules to be loaded at all by default, because why the f*ck should it? And what the hell should a Microsoft signature have to do with *anything*?


      • Before loading any third-party module, you'd better make sure you ask the user for permission. On the console. Not using keys. Nothing like that. Keys will be compromised. Try to limit the damage, but more importantly, let the user be in control.