DNA Lounge update

DNA Lounge update, wherein love for the city goes unrequited.


Tags: , , ,

"Secure Boot" and free software

Interesting, long post on how the hell Linux vendors make their product work now that MICROS~1 has enabled BIOS DRM.

(The tl;dr version: running a custom kernel on modern hardware just became rocket surgery.)

Fedora 18 will be released at around the same time as Windows 8, and as previously discussed all Windows 8 hardware will be shipping with secure boot enabled by default.

Most hardware you'll be able to buy towards the end of the year will be Windows 8 certified. That means that it'll be carrying a set of secure boot keys, and if it comes with Windows 8 pre-installed then secure boot will be enabled by default. This set of keys isn't absolutely fixed and will probably vary between manufacturers, but anything with a Windows logo will carry the Microsoft key. [...]

Secure boot is built on the idea that all code that can touch the hardware directly is trusted, and any untrusted code must go through the trusted code. This can be circumvented if users can execute arbitrary code in the kernel. So, we'll be moving to requiring signed kernel modules and locking down certain aspects of kernel functionality. The most obvious example is that it won't be possible to access PCI regions directly from userspace, which means all graphics cards will need kernel drivers. Userspace modesetting will be a thing of the past. Signed modules are obviously troubling from a user perspective. We'll be signing all the drivers that we ship, but what about out of tree drivers? We don't have a good answer for that yet. [...]

If I take a signed Linux bootloader and then use it to boot something that looks like an unsigned Linux kernel, I've instead potentially just booted a piece of malware. And if that malware can attack Windows then the signed Linux bootloader is no longer just a signed Linux bootloader, it's a signed Windows malware launcher and that's the kind of thing that results in that bootloader being added to the list of blacklisted binaries and suddenly your signed Linux bootloader isn't even a signed Linux bootloader. So kernels need to be signed.

Tags: , , , , ,

Nico Vega

Awesome show. How does such a huge voice come out of such a tiny pregnant lady?

I got a kick out of the "we're going to play an instrumental now because she has to pee" interlude.

People who liked Concrete Blonde, Le Butcherettes and PJ Harvey also enjoyed Nico Vega.

Tags: , , ,