VOGONS

What to do when Windows 7 support ends in a few weeks time?


Reply 260 of 317, by konc

Rank l33t

Quite off-topic, but not so much seeing how many messages were allowed on this:
- As a Greek I can tell you that "demagogue" definitely has a negative tone and includes manipulation of crowds
- It is also not a strong insult; I assume nobody would fight over being called "prejudiced", for example
- I'm not aware how the word is used internationally 😉

Reply 261 of 317, by gdjacobs

Rank l33t++
jmarsh wrote:
gdjacobs wrote:

Pretty sure chains of trust don't need a network connection to validate as long as the chain is intact and present.

They do if certificates can be revoked, which is the case for SSL.

True and this is one of the limitations of SSL root CAs operating in disconnected mode (which they do all the time).

Scali wrote:

There's no point in having a chain when you need all parts of the chain present anyway.

There is if you can further decentralize the infrastructure.

All hail the Great Capacitor Brand Finder

Reply 262 of 317, by Scali

Rank l33t
gdjacobs wrote:

There is if you can further decentralize the infrastructure.

How do you propose this is going to work then?
I tried to explain why it doesn't, but you don't seem to accept that explanation. Yet you do not explain how the (technical) limitations I mention can be avoided.

Of course I could be blunt and say that the people involved in the UEFI Forum are industry experts, and if there was a way they certainly would have implemented it. The limitation I mention is actually documented. It's not an oversight. So if they couldn't find a solution, it's unlikely that you will.
But I'll humour you and give you the benefit of the doubt. So please explain.

The situation is this:
1) You have a UEFI environment with a number of keys in the keystore that can be used to validate bootloaders, using the common concept of public/private key encryption.
2) You get one or more bootloaders on the boot media, which are signed by some key.
3) The bootloader needs to be validated before it can be executed.

http://scalibq.wordpress.com/just-keeping-it- … ro-programming/

Reply 263 of 317, by gdjacobs

Rank l33t++

Instead of having the bootloader signed by one of the private keys which correspond to the public keys in the KEK or PK, a certificate is signed such that it can be validated by one of those public keys. This certificate can in turn be used to sign a UEFI payload (kernel, bootloader, or whatever) or another certificate. Any intermediate certificates could be included with the payload just as a single set of certificate data is currently included with secure boot. Of course, any signature in the DBX would be rejected.

I don't know if UEFI implementations are currently configured to parse certificate chains from the payload and not just the KEK database or if they're hard coded to only handle a single certificate. That's the practical stumbling block I see. The rest, getting players on board, is primarily political.

Scali wrote:

Of course I could be blunt and say that the people involved in the UEFI Forum are industry experts, and if there was a way they certainly would have implemented it. The limitation I mention is actually documented. It's not an oversight. So if they couldn't find a solution, it's unlikely that you will.

Yeah, they're certainly pros, but there have been lots of teething troubles that tend to go along with such a complex system (hello, Lenovo), so they're definitely not invincible. It's possible that the forum membership didn't see the need to incorporate any further sophistication in their trust mechanism, although my reading of the capabilities of Secure Boot leads me to think the required changes wouldn't be too great. Supporting X.509 and ASN.1 opens a lot of doors.

All hail the Great Capacitor Brand Finder
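A runnable model of the chained scheme gdjacobs describes, against the keystore Scali lays out in reply 262, as an added example that is neither the thread's own code nor any UEFI implementation: db holds trusted signer keys, dbx holds SHA-256 hashes of forbidden keys, and the payload ships with its own certificate chain. Ed25519 stands in for the RSA/X.509 material real Secure Boot uses, and `Cert`, `verifiedBy`, `Verify` and `Demo` are names constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Cert stands in for an X.509 certificate: a public key plus the issuer's signature over it (constructed model, not UEFI's real format).
type Cert struct {
	Key ed25519.PublicKey
	Sig []byte
}

// verifiedBy reports whether an issuer key not listed in dbx (keyed by SHA-256 of the key) produced sig over msg.
func verifiedBy(issuers []ed25519.PublicKey, dbx map[[32]byte]bool, msg, sig []byte) bool {
	for _, k := range issuers {
		if !dbx[sha256.Sum256(k)] && ed25519.Verify(k, msg, sig) {
			return true
		}
	}
	return false
}

// Verify walks the chain shipped with the payload: chain[0] must be signed by a db key, each
// later link by the previous one, no key may be in dbx, and the last key must have signed the
// payload. An empty chain is today's scheme, where the payload is signed directly by a db key.
func Verify(db []ed25519.PublicKey, dbx map[[32]byte]bool, payload, sig []byte, chain []Cert) bool {
	issuers := db
	for _, c := range chain {
		if dbx[sha256.Sum256(c.Key)] || !verifiedBy(issuers, dbx, c.Key, c.Sig) {
			return false
		}
		issuers = []ed25519.PublicKey{c.Key}
	}
	return verifiedBy(issuers, dbx, payload, sig)
}

// Demo signs a constructed payload under root -> intermediate -> leaf and reports whether the
// firmware model accepts: the valid chain, a chain whose intermediate is signed by a key never
// enrolled in db, and the valid chain after the intermediate's key has been added to dbx.
func Demo() (valid, unanchored, revoked bool) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	intPub, intPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, leafPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, unknownPriv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed bootloader image")
	sig := ed25519.Sign(leafPriv, payload)
	chain := []Cert{{intPub, ed25519.Sign(rootPriv, intPub)}, {leafPub, ed25519.Sign(intPriv, leafPub)}}
	bad := []Cert{{intPub, ed25519.Sign(unknownPriv, intPub)}, chain[1]}
	db, dbx := []ed25519.PublicKey{rootPub}, map[[32]byte]bool{}
	valid = Verify(db, dbx, payload, sig, chain)
	unanchored = Verify(db, dbx, payload, sig, bad)
	dbx[sha256.Sum256(intPub)] = true // revocation has to arrive out of band, e.g. a signed dbx update
	revoked = Verify(db, dbx, payload, sig, chain)
	return
}

func main() { fmt.Println(Demo()) }
```

Note what the dbx step shows: once the intermediate's hash is in dbx the same payload is rejected with no network access at all, but the firmware only learns about that hash if a dbx update reaches it, which is the revocation gap the thread argues over.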

Reply 264 of 317, by Scali

Rank l33t
gdjacobs wrote:

Instead of having the bootloader signed by one of the private keys which correspond to the public keys in the KEK or PK, a certificate is signed such that it can be validated by one of those public keys. This certificate can in turn be used to sign a UEFI payload (kernel, bootloader, or whatever) or another certificate. Any intermediate certificates could be included with the payload just as a single set of certificate data is currently included with secure boot. Of course, any signature in the DBX would be rejected.

That's the problem right there:
You are including the certificate with the very package that you want to validate.
There's a conflict of interest there. Especially since there's no way to revoke anything without an internet connection.
The method you suggest has an obvious weakness:
Instead of having to sign with an actual key that is installed in the UEFI, you merely have to forge a certificate that can be validated by one of the known keys. Then your fake certificate can provide any key to validate the actual payload.
So instead of validating the payload, you now only validate a certificate. That's a much simpler, fixed target to forge than an actual bootloader.

http://scalibq.wordpress.com/just-keeping-it- … ro-programming/

Reply 265 of 317, by gdjacobs

Rank l33t++
Scali wrote:

you merely have to forge a certificate that can be validated by one of the known keys. Then your fake certificate can provide any key to validate the actual payload.

That's computationally not a small task so it's no glaring weakness. Additions to the DBX can be handled by a standardized UEFI update capsule (appropriately signed), so masking certificates is substantially easier than a full firmware patch.

All hail the Great Capacitor Brand Finder

Reply 266 of 317, by Scali

Rank l33t
gdjacobs wrote:

That's computationally not a small task so it's no glaring weakness.

The current Microsoft key has been in use since 2012, so people have had about 7 years to brute-force it now.

gdjacobs wrote:

Additions to the DBX can be handled by a standardized UEFI update capsule (appropriately signed), so masking certificates is substantially easier than a full firmware patch.

There is already a mechanism in place to add keys to the UEFI keystore. There's no need to patch firmware.

http://scalibq.wordpress.com/just-keeping-it- … ro-programming/

Reply 267 of 317, by gdjacobs

Rank l33t++
Scali wrote:

The current Microsoft key has been in use since 2012, so people have had about 7 years to brute-force it now.

Then what the hell are we talking about here? If they can forge the signature on a certificate, they can forge the signature on a bootloader (or, more to the point, an illicit hypervisor).

Scali wrote:

There is already a mechanism in place to add keys to the UEFI keystore. There's no need to patch firmware.

I'm suggesting the easiest way to do it is with a UEFI application as that's the platform which will always be available. Whatever method people choose, it can definitely be done. Having said that, I'm not suggesting this be done in cavalier fashion. Even on networked infrastructure revoking keys is a real pain, so care should be taken with anyone who submits a request.

That or just mandate that setup mode be available for the use of personal, company, project keys, etc.

All hail the Great Capacitor Brand Finder

Reply 268 of 317, by Scali

Rank l33t
gdjacobs wrote:

Then what the hell are we talking about here? If they can forge the signature on a certificate, they can forge the signature on a bootloader (or, more to the point, an illicit hypervisor).

But that would be much more difficult, because it's not a fixed target.

http://scalibq.wordpress.com/just-keeping-it- … ro-programming/

Reply 269 of 317, by SPBHM

Rank Oldbie

I think I only have one PC running Windows 7, and the reason is video performance: the GMA 3100 is very bad on Windows 10, with high CPU usage by DWM, while on 7 it's lower with Aero and non-existent with it turned off. Other than that, I don't really see a reason to stick with 7 for so long.
For this PC I'll try using it like it is on 10; the CPU is a quad core, so it doesn't completely kill performance, I guess, but if it gets too annoying I'll add some video card.

But I never had any problems with XP or 98 just doing basic things online. I wouldn't want to use 7 for sensitive stuff, but for gaming I wouldn't worry too much, apart from driver support and game support in general.

Windows 10 can be annoying, but it's Windows. I just use an offline account, disable most of the default options (ShutUp10 is helpful), remove the "apps" from my start menu, never touch the Cortana thing, uninstall OneDrive, and it feels fine...

There are lots of silly things, like defaulting to some "App"-style settings when it's much easier to solve on the old interface, but oh well, you can still mostly find the old interface.

Reply 270 of 317, by 386SX

Rank l33t
SPBHM wrote:

I think I only have one PC running Windows 7, and the reason is video performance: the GMA 3100 is very bad on Windows 10, with high CPU usage by DWM, while on 7 it's lower with Aero and non-existent with it turned off. Other than that, I don't really see a reason to stick with 7 for so long.
For this PC I'll try using it like it is on 10; the CPU is a quad core, so it doesn't completely kill performance, I guess, but if it gets too annoying I'll add some video card.

But I never had any problems with XP or 98 just doing basic things online. I wouldn't want to use 7 for sensitive stuff, but for gaming I wouldn't worry too much, apart from driver support and game support in general.

Windows 10 can be annoying, but it's Windows. I just use an offline account, disable most of the default options (ShutUp10 is helpful), remove the "apps" from my start menu, never touch the Cortana thing, uninstall OneDrive, and it feels fine...

There are lots of silly things, like defaulting to some "App"-style settings when it's much easier to solve on the old interface, but oh well, you can still mostly find the old interface.

It would be questionable why those things shouldn't be configured that way in the first place, as the default option, instead of having activated "features" that are often not uninstallable without external apps which I may or may not be sure I can trust, beyond doing what they are supposed to do. That was one of the main points of the discussion in the previous pages: when the OS, software etc. have changed so much, like anything else on the digital market, everything is a service, not a product anymore.

About the GMA3100, I may be wrong, but I think there was an old single beta (?) 32-bit driver (there was a YouTube video of a user having installed it on Win 8.x or similar) that may (never tried it, searched for it or its existence, and I don't even know the version number) somehow maybe be compatible with these new OSes? For Linux there's a default 2D gma500 DRI driver for all the PowerVR GMA versions that works quite well in the 2D LXQt desktop and uses a software renderer for OpenGL, but I am not sure about all the non-LXDE/LXQt GUI Linux versions.

Reply 271 of 317, by Scali

Rank l33t
386SX wrote:

About the GMA3100, I may be wrong, but I think there was an old single beta (?) 32-bit driver (there was a YouTube video of a user having installed it on Win 8.x or similar) that may (never tried it, searched for it or its existence, and I don't even know the version number) somehow maybe be compatible with these new OSes?

Yes, Windows 7 drivers can be used in Windows 8.x and 10.
I have an old laptop with a GMA X3100, where I do this as well. Windows 10 does have a working default driver for it (which is actually a Win8.x driver), but it does not include OpenGL support. So I installed the latest Windows 7 driver instead, and that made OpenGL work perfectly. It may also have better performance overall and perhaps more features than the default Win10 driver, but I never really looked into that.
So you could just look for the latest Windows 7 driver for the GMA3100 on Intel's Download Center, and try installing that in Windows 10 to see if that improves things.

http://scalibq.wordpress.com/just-keeping-it- … ro-programming/

Reply 272 of 317, by 386SX

Rank l33t
Scali wrote:
386SX wrote:

About the GMA3100, I may be wrong, but I think there was an old single beta (?) 32-bit driver (there was a YouTube video of a user having installed it on Win 8.x or similar) that may (never tried it, searched for it or its existence, and I don't even know the version number) somehow maybe be compatible with these new OSes?

Yes, Windows 7 drivers can be used in Windows 8.x and 10.
I have an old laptop with a GMA X3100, where I do this as well. Windows 10 does have a working default driver for it (which is actually a Win8.x driver), but it does not include OpenGL support. So I installed the latest Windows 7 driver instead, and that made OpenGL work perfectly. It may also have better performance overall and perhaps more features than the default Win10 driver, but I never really looked into that.
So you could just look for the latest Windows 7 driver for the GMA3100 on Intel's Download Center, and try installing that in Windows 10 to see if that improves things.

Still, is it the 32-bit version only, right? Just curious, because I'm quite a fan of the Atom D2500 SoC and I may try it in the future with Win 8.1. I imagine, from what I've seen around, the 3D performance was far from good anyway, even in the best OS/driver scenario. Too bad; considering all the great old Kyro II memories I had with the old desktop GPUs, in the future I'll end up only remembering all the problems with these new low-power smartphone-oriented GPUs that I've read about and tried myself.

Reply 273 of 317, by SPBHM

Rank Oldbie

There are working drivers for GMA950/3100; Windows Update on 10 installs it by default, but as mentioned it lacks OpenGL (and forcing Windows 7 and older drivers didn't fix it for me). It works with both 64- and 32-bit the same.
But it's a WDDM 1.0 driver, and I think that's what causes the high CPU usage and poor interface performance. The funny thing is that using the generic MS driver makes the interface feel smoother than the Intel driver, but the Intel driver still works better for whatever games it can run and for playing videos.

The x3000 series are a lot better for Win 10 from what I tested; they have WDDM 1.1 drivers and don't suffer from the super high CPU usage to any comparable extent.
But still, even Sandy Bridge (HD3000) lacks OpenGL on Windows 10 by default; only Ivy Bridge (HD4000) got proper Windows 10 support.

Linux on GMA950/3100 is also not great. I tried lots of things and failed to get a "perfect" experience in terms of watching HD videos; I always ended up with some stutter or tearing, and it shows artifacts in the game I tried, which works fine under Windows (HL mod Day of Defeat on Steam).

Reply 275 of 317, by 386SX

Rank l33t
SPBHM wrote:

There are working drivers for GMA950/3100; Windows Update on 10 installs it by default, but as mentioned it lacks OpenGL (and forcing Windows 7 and older drivers didn't fix it for me). It works with both 64- and 32-bit the same.
But it's a WDDM 1.0 driver, and I think that's what causes the high CPU usage and poor interface performance. The funny thing is that using the generic MS driver makes the interface feel smoother than the Intel driver, but the Intel driver still works better for whatever games it can run and for playing videos.

The x3000 series are a lot better for Win 10 from what I tested; they have WDDM 1.1 drivers and don't suffer from the super high CPU usage to any comparable extent.
But still, even Sandy Bridge (HD3000) lacks OpenGL on Windows 10 by default; only Ivy Bridge (HD4000) got proper Windows 10 support.

Linux on GMA950/3100 is also not great. I tried lots of things and failed to get a "perfect" experience in terms of watching HD videos; I always ended up with some stutter or tearing, and it shows artifacts in the game I tried, which works fine under Windows (HL mod Day of Defeat on Steam).

Thanks. For Linux I don't think there are many perfect config solutions when it comes to hardware video decoding, even with other GPUs, considering using official drivers (obviously) and some patches/browsers or some specific distro. Anyway, I don't really care a lot about it, because I don't understand the "modern" need for ultra HD decoding at 1% CPU usage when I can be OK on YouTube at 480p with this dual-core Atom's software-based WebM decoder at a nice 30% to 50% usage on the active browser tab and much less in background/audio, passive heatsink at 50°C, 20 W total power requirement. Also, I find that software-accelerated web pages can somehow feel much faster than hardware-accelerated OpenGL-overlaid tiled-GPU ones.
But still, I understand this would be a very limited config for heavy apps.

Reply 276 of 317, by gdjacobs

Rank l33t++
Scali wrote:
gdjacobs wrote:

Then what the hell are we talking about here? If they can forge the signature on a certificate, they can forge the signature on a bootloader (or, more to the point, an illicit hypervisor).

But that would be much more difficult, because it's not a fixed target.

I'm no cryptographer, so take this with a salt lick. However, to the best of my knowledge, this type of attack has not even been theoretically demonstrated short of implementation issues (PGP, NSA Bullrun and Dual_EC_DRBG, MD5). Quantum compute may change the calculus, but it's not capable enough yet.

In short, until the crypto algorithm used becomes computationally vulnerable, I consider this criticism to be unconcerning. Once that happens, the possibility of a full break becomes increasingly plausible and a new generation of keys will be called for.

Nonetheless, availability of Setup mode would be best. It would allow all the Gentoo and Arch guys to boot directly into custom EFI applications with all the advantages of Secure Boot (once the key store is loaded).

All hail the Great Capacitor Brand Finder

Reply 277 of 317, by Scali

Rank l33t
gdjacobs wrote:

Nonetheless, availability of Setup mode would be best. It would allow all the Gentoo and Arch guys to boot directly into custom EFI applications with all the advantages of Secure Boot (once the key store is loaded).

Exactly what are you proposing with "Setup mode"?
Keys can already be loaded to the store from software, as explained in the Gentoo wiki I linked to earlier.
This could be an automated process if it were just scripted onto some bootable media.
I asked you to explain your idea, but so far you haven't. I still have no idea what exactly it is that you're proposing, and how exactly it would be different from what is already there (aside from the fact that as far as I know, the Gentoo people didn't actually bother to write that automated script for the operations described in their wiki. Then again, spoonfeeding users with pre-fab software is not exactly the Gentoo-way, now is it?)

http://scalibq.wordpress.com/just-keeping-it- … ro-programming/

Reply 279 of 317, by Bruninho

Rank Oldbie

I am shocked by the size of each version of the operating system. I just created a few VMs with Win 2k, 7 and 10.

7 and 10 hold more than 10GB; 2k is less than 1GB. That is the size of each VM, because 7 and 10 both have dynamic disks of 60GB, and for 2k I gave 32GB since I wanted to install some games later on.

Seriously... I think that every year the developers and programmers are getting much lazier than before.

"Design isn't just what it looks like and feels like. Design is how it works."
JOBS, Steve.
READ: Right to Repair sucks and is illegal!