> On the side note: it is Microsoft that signs one of Linux packages
> now. We seem to have made one more step away from "our" computers
> being _our computers_. Am I wrong?
>

Secure booting using UEFI requires that the code is signed - that is the "secure" bit. Microsoft are the CA for that signing. There's nothing sinister about it, they aren't signing the RPM package just one of the bits of code in the package.

I seem to remember that Microsoft were the most vocal advocates for secure booting to get around boot sector viruses and in order to facilitate a more universal uptake they committed to signing any UEFI boot code from other OSes so long as it came from a bona fide source.

You don't have to use UEFI secure booting - most machines can fall back to legacy booting using BIOS settings. If you do that, you won't use any Microsoft signed code.

I haven't looked in detail at the bug this all was supposed to fix, but I think it had the capability of by-passing the UEFI security checking, hence why the release of the advisory was delayed until the OSes were patched and why there was a scramble to get everything out in time. It's a nasty bug and was difficult to fix from what I've heard.

P.

On Aug 2, 2020, at 14:43, Pete Biggs <pete at biggs.org.uk> wrote:
> You don't have to use UEFI secure booting - most machines can fall back
> to legacy booting using BIOS settings. If you do that, you won't use
> any Microsoft signed code.

Back in 2017, Intel said that it was going to deprecate the "Legacy" CSM by 2020. They might have changed their schedule but I suspect we'll start seeing hardware without anything but UEFI.

--
Jonathan Billings <billings at negate.org>

Once upon a time, Jonathan Billings <billings at negate.org> said:
> On Aug 2, 2020, at 14:43, Pete Biggs <pete at biggs.org.uk> wrote:
> > You don't have to use UEFI secure booting - most machines can fall back
> > to legacy booting using BIOS settings. If you do that, you won't use
> > any Microsoft signed code.
>
> Back in 2017, Intel said that it was going to deprecate the "Legacy" CSM by 2020. They might have changed their schedule but I suspect we'll start seeing hardware without anything but UEFI.

I believe that is still Intel's plan. However, as happens often, people are confusing UEFI and Secure Boot. UEFI is a replacement for the ages-old BIOS - Secure Boot is an extension to UEFI to create a "trusted" (for whatever that may mean) boot chain to get to the OS. You can have UEFI without having Secure Boot enabled (that's what I do on my systems).

--
Chris Adams <linux at cmadams.net>