Comment Re:Doesn't work (Score 1) 274
Well, that's the point. Nothing you run before reboot will be able to run in the firmware, because it doesn't have the right signature.
Comment Re:How does this work? (Score 1) 274
No, only the first time you install a given key.
Comment Re:Fuck secure boot. (Score 1) 274
It must be possible to install your own keys, but that may be implemented by allowing you to clear the platform key and switch back to setup mode.
Comment Re:How does this work? (Score 2) 274
It'll only boot grub if grub is signed with a key that a physically present user has manually enrolled. If you choose to enrol a key that's been used to sign a grub that'll then boot anything (including viruses) then you're vulnerable, but such a virus would only be able to infect systems with that key installed - anyone who hasn't installed that key still gets the protection.
Comment Re:Making No Sense (Score 4, Informative) 274
Given that I've been working with the Microsoft people who manage the signing for the best part of a year now, I'm pretty sure they know who I am and what I was getting signed.
Comment Re:Doesn't work (Score 4, Informative) 274
If your system currently has Windows 8 installed, then do this:
1) Insert the install media
2) Mouse to the bottom right
3) Select "Settings"
4) Click "Power"
5) While holding down shift, click "Restart"
6) Click "Use a device"
7) Click your install media
This is a little more involved than ideal, but it's got the huge benefit that it's consistent between systems rather than requiring you to use different hotkeys for different platforms.
Comment Re:Fuck secure boot. (Score 5, Informative) 274
"With a UEFI Secure Boot that requires a Microsoft signed key, how does one generate a self-signed key that works?"
openssl req -new -nodes x509 -outform DER -out sig.crt -keyout signing_key.priv
And then enrol it with mokutil or MokManager from shim.
Submission + - Secure Bootloader for Distributions Now Available (dreamwidth.org)
TrueSatan writes: Matthew Garrett, formerly of Red Hat, is providing a shim bootloader that will allow installation/booting of secure boot enabled computers. The shim is designed to chain boot GRUB (Grand Universal Bootloader) without the need for a distribution to obtain a key from Microsoft.
Garrett asks that further contacts regarding the shim be made to him and not to Red Hat as he no longer works there and they may not have knowledge of the product.
Garrett asks that further contacts regarding the shim be made to him and not to Red Hat as he no longer works there and they may not have knowledge of the product.
Submission + - Microsoft's Controvercial Magic Constant For HyperV (muktware.com)
sfcrazy writes: Who said Microsoft developers don't have a sense of humor. Even if that humor is sexist. Our own Matthew Garrett, UEFI secure boot fame, has posted a blog about the magic constant Microsoft used in its HyperV code.
Matthew writes: Paolo Bonzini noticed something a little awkward in the Linux kernel support code for Microsoft's HyperV virtualisation environment — specifically, that the magic constant passed through to the hypervisor was "0xB16B00B5", or, in English, "BIG B**BS". It turns out that this isn't an exception — when the code was originally submitted it also contained "0x0B00B135". That one got removed when the Xen support code was ripped out.
Matthew writes: Paolo Bonzini noticed something a little awkward in the Linux kernel support code for Microsoft's HyperV virtualisation environment — specifically, that the magic constant passed through to the hypervisor was "0xB16B00B5", or, in English, "BIG B**BS". It turns out that this isn't an exception — when the code was originally submitted it also contained "0x0B00B135". That one got removed when the Xen support code was ripped out.
Comment Re:What is Garrett not saying? (Score 1) 437
Malware doesn't have a key in KEK, so it can't.
Comment Re:What is Garrett not saying? (Score 1) 437
Keys can be revoked through OS updates. Check the UEFI spec for discussion of authenticated variables and dbx.
Comment "not a guaranteed right" (Score 4, Insightful) 437
As the author of the linked article, things have somewhat changed since then - the language in the hwcert docs makes it clear that the hardware can be configured into a state where keys can be added. Is it a guarantee? No, but it's as close as is possible to get in the technology world.
Submission + - Windows 8 Logoed PCs to Block Linux Booting (itworld.com)
An anonymous reader writes: After years of trying to cut off Linux growth as a desktop platform on x86 and x64 PCs, Microsoft may have actually figured out a way to stop Linux deployments on client PCs dead in its tracks: requiring all OEMs to implement hardened EFI booting, blocking unsigned Linux distros.
Submission + - How Microsoft can lock Linux off W8 PCs (networkworld.com) 3
Julie188 writes: "Windows 8 PCs will use the next-generation booting specification known as Unified Extensible Firmware Interface (UEFI). And actually Windows 8 logo devices will be required to use the secure boot portion of the new spec. Secure UEFI is intended to thwart rootkit infections by using PKI authentication before allowing executables or drivers to be loaded onto the device. Problem is, unless the device manufacturer gives a key to the device owner, it can also be used to keep the PC's owner from wiping out the current OS and installing another option, such as Linux."
Comment Re:Android is not GPL (Score 1) 198
"Right and if the modifications have absolutely nothing to do with the kernel or drivers then there is no obligation."
No. You must provide either the source or a written offer to provide the source to any third party on request regardless of whether you've modified the GPLed material or not.
