07-02-2012, 04:42 PM
Steve McIntyre

EFI in Debian

Hey folks,

As you might have seen from recent discussions about the Fedora and
Ubuntu strategies for how to deal with EFI and Secure Boot, there are
potentially major issues in the area. In Debian we don't (yet) have a
plan, so it's high time that we had some discussion. I've set up a BoF
at DebConf for this:

https://penta.debconf.org/penta/schedule/dc12/event/925.en.html

That's Monday 9th July, 15:00 local time (21:00 UTC).

--
Steve McIntyre, Cambridge, UK. steve@einval.com
Google-bait: http://www.debian.org/CD/free-linux-cd
Debian does NOT ship free CDs. Please do NOT contact the mailing
lists asking us to send them to you.


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120702164213.GC12639@einval.com
 
07-02-2012, 10:21 PM
Stefano Zacchiroli

EFI in Debian

On Mon, Jul 02, 2012 at 05:42:13PM +0100, Steve McIntyre wrote:
> As you might have seen from recent discussions about the Fedora and
> Ubuntu strategies for how to deal with EFI and Secure Boot, there are
> potentially major issues in the area. In Debian we don't (yet) have a
> plan, so it's high time that we had some discussion. I've set up a BoF
> at DebConf for this:
>
> https://penta.debconf.org/penta/schedule/dc12/event/925.en.html
>
> That's Monday 9th July, 15:00 local time (21:00 UTC).

Hi Steve, thanks for taking care of that. We're indeed a bit late in our
reflections on this matter and we should come up with a plan for both
Wheezy (if still feasible?) and the future. I unfortunately won't be
able to make it for the BoF, as I've to leave shortly after DebCamp. But
I encourage everyone to participate in the BoF and please work on a
report or minutes so that we can have a discussion on list (either here
or on -boot) afterwards.

For those who are not familiar with the crux of secure boot, here are a
few recent references on the matter:

- Fedora's plans http://mjg59.dreamwidth.org/12368.html
- Ubuntu's plans
http://blog.canonical.com/2012/06/22/an-update-on-ubuntu-and-secure-boot/
(with a more technical discussion of it at
https://lists.ubuntu.com/archives/ubuntu-devel/2012-June/035445.html )
- FSF's paper
http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/whitepaper-web

Cheers.
--
Stefano Zacchiroli zack@{upsilon.cc,pps.jussieu.fr,debian.org} . o .
Maître de conférences ...... http://upsilon.cc/zack ...... . . o
Debian Project Leader ....... @zack on identi.ca ....... o o o
« the first rule of tautology club is the first rule of tautology club »
 
07-04-2012, 12:13 PM
Tanguy Ortolo

EFI in Debian

Steve McIntyre, 2012-07-02 18:42+0200:
> As you might have seen from recent discussions about the Fedora and
> Ubuntu strategies for how to deal with EFI and Secure Boot, there are
> potentially major issues in the area. In Debian we don't (yet) have a
> plan, so it's high time that we had some discussion. I've set up a BoF
> at DebConf for this:

I cannot attend, but hoping it can be useful, here are some pointers to
things I wrote some time ago on this subject.

A blog post explaining how to set up Debian to boot via UEFI:
http://tanguy.ortolo.eu/blog/article51/debian-efi
A message to this list detailing the UEFI boot procedure and what is
required to support it:
<je7174$b6p$1@dough.gmane.org>
http://lists.debian.org/debian-devel/2012/01/msg00168.html

--
,--.
: /` ) Tanguy Ortolo <xmpp:tanguy@ortolo.eu>
| `-' Debian Developer <irc://irc.oftc.net/Tanguy>
\_


--
Archive: http://lists.debian.org/jt1c0d$qn1$1@dough.gmane.org
 
07-04-2012, 12:51 PM
Tanguy Ortolo

EFI in Debian

Tanguy Ortolo, 2012-07-04 14:13+0200:
> A blog post explaining how to set up Debian to boot via UEFI:
> http://tanguy.ortolo.eu/blog/article51/debian-efi
> A message to this list detailing the UEFI boot procedure and what is
> required to support it:
> <je7174$b6p$1@dough.gmane.org>
> http://lists.debian.org/debian-devel/2012/01/msg00168.html

(basically, we already have everything needed to boot via UEFI (not with
SecureBoot of course, though), only the Debian installer does not
support it)

--
,--.
: /` ) Tanguy Ortolo <xmpp:tanguy@ortolo.eu>
| `-' Debian Developer <irc://irc.oftc.net/Tanguy>
\_


--
Archive: http://lists.debian.org/jt1e7k$fik$1@dough.gmane.org
 
07-05-2012, 08:12 PM
Steve McIntyre

EFI in Debian

Tanguy wrote:
>Steve McIntyre, 2012-07-02 18:42+0200:
>> As you might have seen from recent discussions about the Fedora and
>> Ubuntu strategies for how to deal with EFI and Secure Boot, there are
>> potentially major issues in the area. In Debian we don't (yet) have a
>> plan, so it's high time that we had some discussion. I've set up a BoF
>> at DebConf for this:
>
>I cannot attend, but hoping it can be useful, here are some pointers to
>things I wrote some time ago on this subject.
>
>A blog post explaining how to set up Debian to boot via UEFI:
> http://tanguy.ortolo.eu/blog/article51/debian-efi
>A message to this list detailing the UEFI boot procedure and what is
>required to support it:
> <je7174$b6p$1@dough.gmane.org>
> http://lists.debian.org/debian-devel/2012/01/msg00168.html

Cool, thanks for the pointers. If you can make it, please try to join
the session via video and irc?

--
Steve McIntyre, Cambridge, UK. steve@einval.com
Google-bait: http://www.debian.org/CD/free-linux-cd
Debian does NOT ship free CDs. Please do NOT contact the mailing
lists asking us to send them to you.


--
Archive: http://lists.debian.org/E1SmsQ0-0005px-46@mail.einval.com
 
07-06-2012, 02:27 AM
Theodore Ts'o

EFI in Debian

On Wed, Jul 04, 2012 at 12:51:01PM +0000, Tanguy Ortolo wrote:
> Tanguy Ortolo, 2012-07-04 14:13+0200:
> > A blog post explaining how to set up Debian to boot via UEFI:
> > http://tanguy.ortolo.eu/blog/article51/debian-efi
> > A message to this list detailing the UEFI boot procedure and what is
> > required to support it:
> > <je7174$b6p$1@dough.gmane.org>
> > http://lists.debian.org/debian-devel/2012/01/msg00168.html
>
> (basically, we already have everything needed to boot via UEFI (not with
> SecureBoot of course, though), only the Debian installer does not
> support it)

James Bottomley has been doing some work to support Secure Boot. See:

http://lwn.net/Articles/503820/

His work was done specifically to help other community distributions
beyond Ubuntu and Fedora. We (the LF Technical Advisory Board) are
currently investigating if there is more the LF can do to support
distributions. We're not in the position to promise anything just
yet, but if Debian has any suggestions of things that you might like,
do please let me know.

Regards,

- Ted


--
Archive: http://lists.debian.org/20120706022737.GA9783@thunk.org
 
07-06-2012, 04:32 AM
Ben Hutchings

EFI in Debian

On Thu, 2012-07-05 at 22:27 -0400, Theodore Ts'o wrote:
> On Wed, Jul 04, 2012 at 12:51:01PM +0000, Tanguy Ortolo wrote:
> > Tanguy Ortolo, 2012-07-04 14:13+0200:
> > > A blog post explaining how to set up Debian to boot via UEFI:
> > > http://tanguy.ortolo.eu/blog/article51/debian-efi
> > > A message to this list detailing the UEFI boot procedure and what is
> > > required to support it:
> > > <je7174$b6p$1@dough.gmane.org>
> > > http://lists.debian.org/debian-devel/2012/01/msg00168.html
> >
> > (basically, we already have everything needed to boot via UEFI (not with
> > SecureBoot of course, though), only the Debian installer does not
> > support it)
>
> James Bottomley has been doing some work to support Secure Boot. See:
>
> http://lwn.net/Articles/503820/
>
> His work was done specifically to help other community distributions
> beyond Ubuntu and Fedora. We (the LF Technical Advisory Board) are
> currently investigating if there is more the LF can do to support
> distributions. We're not in the position to promise anything just
> yet, but if Debian has any suggestions of things that you might like,
> do please let me know.

UEFI running in qemu is likely to be very useful for development of UEFI
support by the Debian installer and Debian CD teams.

Secure Boot is another matter, which I was planning to raise *after* the
release as it's controversial and I don't think we have time to do
anything about it for wheezy. But here's what I think we would need:

1. General consensus in the project that supporting the option of Secure
Boot, including purchase of a Microsoft-signed certificate, is
worthwhile and not entirely objectionable. (I am assuming that it would
be a waste of time to use our own platform key, as anyone who can work
out how to install that can also disable Secure Boot.)

2. Upstream kernel support: when booted in Secure Boot mode, Linux would
only load signed kernel modules and disable the various debug interfaces
that allow code injection. I'm aware that David Howells, Matthew
Garrett and others are working on this.

3. A suitable free boot loader: when booted in Secure Boot mode it would
only load signed EFI executables. There seem to be several projects
under way to do this.

4. EFI code signing tool. Matthew Garrett seems to have that in hand.

5. Key management policy. Similar issues to archive signing keys, but
these keys also need to be available at build time. (a) Should they be
held by package maintainers and/or the auto-builders for the relevant
architectures? (b) sbuild and/or pbuilder will need to know how to
inject them into the build environment for the relevant packages. (c)
How do we handle key replacement when exploitable code needs to be
blacklisted?

6. User documentation: users need to be informed that when running Linux
under Secure Boot some major features are disabled, and that they have
the option to turn it off. (Or install their own platform key.)

So, returning to your question: I think that LF may be able to help with
5(c), 6, and perhaps 3 (encouraging more coordinated development).

Ben.

--
Ben Hutchings
When in doubt, use brute force. - Ken Thompson
 
07-06-2012, 08:14 AM
Josselin Mouette

EFI in Debian

On Friday 06 July 2012 at 05:32 +0100, Ben Hutchings wrote:
> 1. General consensus in the project that supporting the option of Secure
> Boot, including purchase of a Microsoft-signed certificate, is
> worthwhile and not entirely objectionable.

Not entirely objectionable indeed, but it really depends on what we
would have to pay for. As long as it is only covering for
administrative costs of Microsoft emitting a new certificate, it is
fine. If OTOH we have to pay a fee just for our software to work on
platforms that just happen to be using Microsoft’s certificate, this is
clearly abusive. I would object to doing so, and I believe we would (at
least in Europe) have a very strong case in court against such practice.

--
.'`. Josselin Mouette
: :' :
`. `'
`-


--
Archive: http://lists.debian.org/1341562441.21607.269.camel@pi0307572
 
07-06-2012, 11:41 AM
Carlos Alberto Lopez Perez

EFI in Debian

On 06/07/12 06:32, Ben Hutchings wrote:
> 1. General consensus in the project that supporting the option of Secure
> Boot, including purchase of a Microsoft-signed certificate, is
> worthwhile and not entirely objectionable. (I am assuming that it would
> be a waste of time to use our own platform key, as anyone who can work
> out how to install that can also disable Secure Boot.)
>

These are the FSF recommendations:

http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/whitepaper-web



Regards!
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
Carlos Alberto Lopez Perez http://neutrino.es
Igalia - Free Software Engineering http://www.igalia.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
 
07-06-2012, 03:07 PM
Paul Wise

EFI in Debian

On Fri, Jul 6, 2012 at 5:41 AM, Carlos Alberto Lopez Perez wrote:

> These are the FSF recommendations:
>
> http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/whitepaper-web

These seem much more in line with the Debian social contract than any
of the actions of other distributions or of the suggestions we have had.

--
bye,
pabs

http://wiki.debian.org/PaulWise


--
Archive: http://lists.debian.org/CAKTje6GDau-v4bB4xwwPcGSPn0NEOFPR0O4vFzeGQCxQXJDRyQ@mail.gmail.com
 
