General Software Discussion / Re: Is RedHat willing to concede too much to Microsoft? Linus Torvalds thinks so.
« Last post by 40hz on March 03, 2013, 09:11 PM »
@Deo- The Linux Action Show podcast had a recent segment on this which may help explain more of what it's all about - and why Linus reacted the way he did. Podcast page is here. The discussion starts around the 20 minute mark.
There's also a link to a Reddit that summarizes a little better what the issue is:
What he is arguing is that it's pointless and stupid for the Linux kernel developers to put a huge amount of rather nasty code into the kernel in order to accept the way Microsoft signs kernel driver binaries.
UEFI with secure boot allows both users and hardware makers to lock down the machine in different ways via the bootloader. The firmware (code embedded into the mainboard) can be made to only accept cryptographically signed bootloaders. (This signing allows them to know where the bootloader comes from.)
The bootloaders can be made then to only accept signed kernels.
The signed kernels can be made to only accept signed kernel modules, which can include drivers for hardware.
So this patch is designed to make it so that the kernel can be made to accept Microsoft signed modules.
The way Microsoft has set things up is that they will only sign modules that conform to the format used by embedded Windows.
So the kernel, with these patches, will be able to take the Windows format, check it, convert it to a format the kernel can use and load it.
Linus contends this is stupid and pointless because the kernel already has proper support for signed kernel modules. If people want to use signed kernel modules they can use that and skip the whole Microsoft bullshit.
The counter argument is that there exists nobody but Microsoft that is willing to maintain a certificate authority (used to do the official signing) AND that Microsoft keys are already used by hardware. If you want to use the X.509 certification system (think: SSL certs) that the Linux kernel supports then you will first need to set up an organization to manage the certificates, get their public key (the portion that tests the signatures for correctness) embedded in the kernel so that people can use it. And even then if you want to be able to sign binaries in a way that is acceptable by UEFI right now you'd still have to go through Microsoft and then develop a way to convert the Microsoft signatures to X.509 signatures that the kernel knows and understands. This is going to be difficult to pull off.
Linus fundamentally believes that kernel signing already exists and if that can't be used by people because they want to ship proprietary kernel modules then that is their problem. They will have to maintain the code and the kernel versions to do that crap and that is not something he is willing to do or force others in the kernel community to deal with the burden of maintaining all that stuff.
This is mostly an issue with embedded development. If you are smart and buy hardware that is open and allows you to manage the keys yourself then you can have the benefit of having cryptographically signed kernels and drivers for security, but without all the business of dealing with Microsoft. That is when that stuff gets made and used... this stuff isn't widespread yet.
Hope this clarifies things a bit.
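An added illustration, not part of the post or the quoted Reddit summary: the kernel's existing signed-module support that the summary refers to appends the signature to the end of the module file, and a short parser can tell whether a file carries that trailer and what it declares. The function names are hypothetical, the sample bytes are constructed, and the code only locates the trailer; the cryptographic check against trusted keys is done by the kernel itself.

```python
import struct

# Linux appended-signature layout, from the end of the file backwards:
#   magic string, struct module_signature, signature data, key id, signer name
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian 32-bit integer (12 bytes total).
INFO = struct.Struct(">BBBBB3xI")
ID_TYPES = {0: "PGP", 1: "X.509", 2: "PKCS#7"}

def parse_module_signature(blob):
    """Return the trailer fields of a signed module image, None if unsigned.

    Raises ValueError if the magic is present but the trailer is inconsistent.
    """
    if not blob.endswith(MAGIC):
        return None
    info_end = len(blob) - len(MAGIC)
    if info_end < INFO.size:
        raise ValueError("truncated signature information block")
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = INFO.unpack(
        blob[info_end - INFO.size:info_end])
    sig_end = info_end - INFO.size
    appended = signer_len + key_id_len + sig_len
    if appended > sig_end:
        raise ValueError("declared lengths exceed file size")
    start = sig_end - appended  # everything before this is the module itself
    return {
        "id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
        "signer": blob[start:start + signer_len],
        "key_id": blob[start + signer_len:start + signer_len + key_id_len],
        "signature": blob[sig_end - sig_len:sig_end],
        "module_len": start,
    }

def build_sample(payload, signer, key_id, sig, id_type=1):
    """Constructed test input: not a real module and not a real signature."""
    info = INFO.pack(0, 0, id_type, len(signer), len(key_id), len(sig))
    return payload + signer + key_id + sig + info + MAGIC

if __name__ == "__main__":
    sample = build_sample(b"\x7fELF-constructed", b"Example CA",
                          b"\x01\x02", b"S" * 16)
    print(parse_module_signature(sample))             # signed: trailer fields
    print(parse_module_signature(b"\x7fELF-unsigned"))  # unsigned: None
```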




) - I have to say I started to enjoy the film even after that all too brief interlude with Paz.



