[Nix-dev] [nixos] The necessity of UEFI Secure Boot

Kirill Elagin kirelagin at gmail.com
Tue May 27 08:50:35 CEST 2014


In short: all the bootloaders are signed by Microsoft. At least in
“mainstream” distributions.

UEFI is definitely a cool thing. But there are decisions to be made before
implementing its support in a distribution. So, yeah, I hope the discussion
will be started.
As a first step, NixOS can probably assume that it is used by power-users,
who own their Platform Keys.


--
Кирилл Елагин
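If NixOS does assume users who own their Platform Key, the concrete thing such a user does is enroll their own certificates into KEK and db, and those variables are stored as concatenated EFI_SIGNATURE_LIST structures. The following is an added example for this thread, not NixOS code and not anything the posters wrote: it builds a KEK-style update (one X.509 entry plus SHA-256 hash entries, the shapes cert-to-efi-sig-list and a dbx update produce) and parses such a blob back, with the bounds checks a parser of firmware-supplied data needs. The DER certificate bytes, the owner GUID and the hashed inputs are constructed placeholders.

```python
"""Build and parse UEFI EFI_SIGNATURE_LIST blobs: the format in which the
Secure Boot databases (PK, KEK, db, dbx) are stored and updated.

Added example for this thread, not NixOS code. The DER certificate and
the owner GUID below are constructed placeholders (assumptions), not
real credentials.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# SignatureOwner for entries we enroll ourselves. Any GUID works; this one
# is an arbitrary, constructed value for the example.
OWNER_GUID = uuid.UUID("c3b51f0a-2f7c-4a6c-9e51-2d3d2b7f0a11")

# EFI_SIGNATURE_LIST header: SignatureType (GUID, mixed-endian), then
# SignatureListSize, SignatureHeaderSize, SignatureSize (little-endian UINT32).
_HDR = struct.Struct("<16sIII")

# Constructed placeholder standing in for a DER-encoded CA certificate.
FAKE_DER_CERT = b"\x30\x82\x01\x00" + bytes(range(256))


def build_x509_siglist(der_cert, owner=OWNER_GUID):
    """One EFI_SIGNATURE_LIST holding a single X.509 certificate, the
    shape of a KEK or db entry produced by cert-to-efi-sig-list."""
    sig_data = owner.bytes_le + der_cert          # one EFI_SIGNATURE_DATA
    list_size = _HDR.size + len(sig_data)
    return _HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, len(sig_data)) + sig_data


def build_sha256_siglist(hashes, owner=OWNER_GUID):
    """One EFI_SIGNATURE_LIST holding several SHA-256 hashes (fixed
    SignatureSize), the shape of a typical dbx revocation entry."""
    if any(len(h) != 32 for h in hashes):
        raise ValueError("SHA-256 entries must be exactly 32 bytes")
    body = b"".join(owner.bytes_le + h for h in hashes)
    return _HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, _HDR.size + len(body), 0, 16 + 32) + body


def parse_siglists(blob, efivars_prefix=False):
    """Return [(type_guid, owner_guid, data), ...] for every entry in a
    concatenation of EFI_SIGNATURE_LISTs, i.e. the raw contents of the
    PK/KEK/db/dbx variables. Pass efivars_prefix=True for a file read
    from /sys/firmware/efi/efivars, which prepends 4 attribute bytes.
    Malformed input raises instead of being silently truncated."""
    if efivars_prefix:
        blob = blob[4:]
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_le, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size <= 16:
            raise ValueError("SignatureSize leaves no room for signature data")
        body = blob[off + _HDR.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=type_le)
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            entries.append((sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        off += list_size
    return entries


def example_kek_blob():
    """A KEK-style update: our CA certificate plus two revoked hashes."""
    revoked = [hashlib.sha256(b"constructed-binary-%d" % i).digest() for i in (1, 2)]
    return build_x509_siglist(FAKE_DER_CERT) + build_sha256_siglist(revoked)


if __name__ == "__main__":
    for sig_type, owner, data in parse_siglists(example_kek_blob()):
        kind = "X509" if sig_type == EFI_CERT_X509_GUID else "SHA256"
        print(f"{kind:6} owner={owner} {len(data)} bytes")
```

The same parser works on the real variables: read /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c with efivars_prefix=True and you get the list of KEK owners and certificates the firmware currently trusts, which is how to check whether a vendor's "other OS" setting actually left the KEKs in place. Writing an update back still requires the list to be wrapped in a time-based authenticated variable signed by the PK (or a KEK for db/dbx), which this example does not do.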


On Tue, May 27, 2014 at 9:26 AM, Wout Mertens <wout.mertens at gmail.com> wrote:

> So grub doesn’t work? I thought it did?
>
> I saw that the Surface Pro 3 is a Secure Booting UEFI device... It would
> make a nice NixOS laptop :-)
>
> Also, the Ubuntu boot loader is apparently signed by Microsoft.
>
> Just random thoughts sorry.
>
> Wout.
> On May 26, 2014 2:44 PM, "Third3ye" <tredje0ye at gmail.com> wrote:
>
>>  Personally I had to disable UEFI secure boot by using the "other OS"
>> option... something which can cause severe problems for then again gaining
>> access to the operating system, if the UEFI software completely dumps the
>> KEKs. I was lucky and somehow got back in without having to resort to using
>> a recovery USB stick. But I'm assuming this may be a problem for other users
>> and seeing that more and more machines are released using UEFI and Secure
>> Boot I feel this needs to be addressed.
>>
>> Since, however, it's out of my league I can only request that it be taken
>> into consideration that shim should take over as the default UEFI solution.
>> If not there is another solution called rf boot... rl boot? I can't
>> remember. But here are a few articles that explain that it is not only
>> possible but also necessary. How we approach such a problem... well, like I
>> said: out of my league.
>>
>> Here is a rather large article about the issue of implementing UEFI
>> Secure Boot in Linux.
>>
>> "The Growing Role of UEFI Secure Boot in Linux Distributions"
>>
>>
>> http://www.linuxjournal.com/content/growing-role-uefi-secure-boot-linux-distributions
>>
>> For those of you who may be concerned that UEFI secure boot is
>> challenging the presence of FOSS operating systems, the Linux Foundation
>> released a document stating why these fears are not accurate.
>>
>> "Making UEFI Secure Boot Work With Open Platforms"
>>
>>
>> https://www.linuxfoundation.org/sites/main/files/lf_uefi_secure_boot_open_platforms.pdf
>>
>> Conclusion of the article from The Linux Foundation:
>>
>> "The UEFI secure boot facility is designed to be readily usable by both
>> proprietary and open operating systems to improve the security of the
>> bootstrap process. Some observers have expressed concerns that secure boot
>> could be used to exclude open systems from the market, but, as we have
>> shown above, there is no need for things to be that way. If vendors ship
>> their systems in the setup mode and provide a means to add new KEKs to the
>> firmware, those systems will fully support open operating systems while
>> maintaining compliance with the Windows 8 logo requirements. The
>> establishment of an independent certificate authority for the creation of
>> KEKs would make interoperation easier, but is not necessary for these
>> platforms to support open systems."
>>
>>
>> Thank you for your concern, now back to the Wiki work...
>>
>> Cheers!
>> Signed Third3ye
>>
>> _______________________________________________
>> nix-dev mailing list
>> nix-dev at lists.science.uu.nl
>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>
>>