Repository :
http://git.fedorahosted.org/git/?p=docs/uefi-secure-boot-guide.git
On branch : f18
---------------------------------------------------------------
commit bc3975e57fe989655fbae220514b19f1f67a58d5
Author: Eric Christensen <sparks(a)fedoraproject.org>
Date: Fri Jan 4 21:14:04 2013 -0500
Updated POT files
---------------------------------------------------------------
pot/Author_Group.pot | 4 +-
pot/Book_Info.pot | 4 +-
pot/Implementation_of_Secure_Boot.pot | 63 ++++++++++++++++++++++++++++++--
pot/Preface.pot | 4 +-
pot/Revision_History.pot | 19 +++++++++-
pot/UEFI_Secure_Boot_Guide.pot | 4 +-
pot/Using_your_own_keys.pot | 4 +-
pot/What_is_Secure_Boot.pot | 22 ++++++++---
8 files changed, 102 insertions(+), 22 deletions(-)
diff --git a/pot/Author_Group.pot b/pot/Author_Group.pot
index 811a8be..6e0d092 100644
--- a/pot/Author_Group.pot
+++ b/pot/Author_Group.pot
@@ -4,8 +4,8 @@
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
-"POT-Creation-Date: 2013-01-04T18:28:40\n"
-"PO-Revision-Date: 2013-01-04T18:28:40\n"
+"POT-Creation-Date: 2013-01-05T02:13:25\n"
+"PO-Revision-Date: 2013-01-05T02:13:25\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"MIME-Version: 1.0\n"
diff --git a/pot/Book_Info.pot b/pot/Book_Info.pot
index ad1c854..c240d36 100644
--- a/pot/Book_Info.pot
+++ b/pot/Book_Info.pot
@@ -4,8 +4,8 @@
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
-"POT-Creation-Date: 2013-01-04T18:28:40\n"
-"PO-Revision-Date: 2013-01-04T18:28:40\n"
+"POT-Creation-Date: 2013-01-05T02:13:25\n"
+"PO-Revision-Date: 2013-01-05T02:13:25\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"MIME-Version: 1.0\n"
diff --git a/pot/Implementation_of_Secure_Boot.pot
b/pot/Implementation_of_Secure_Boot.pot
index d0dca28..b162f6a 100644
--- a/pot/Implementation_of_Secure_Boot.pot
+++ b/pot/Implementation_of_Secure_Boot.pot
@@ -4,8 +4,8 @@
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
-"POT-Creation-Date: 2013-01-04T18:28:40\n"
-"PO-Revision-Date: 2013-01-04T18:28:40\n"
+"POT-Creation-Date: 2013-01-05T02:13:25\n"
+"PO-Revision-Date: 2013-01-05T02:13:25\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"MIME-Version: 1.0\n"
@@ -19,11 +19,66 @@ msgstr ""
#. Tag: para
#, no-c-format
-msgid "Systems with UEFI Secure Boot enabled will ship with a set of
vendor-determined keys installed in the firmware. These keys include the ability to boot
from binaries signed by the signing service hosted by Microsoft. This feature includes
simultaneous support for two methods of booting under this scheme. Under the first scheme,
Fedora will utilize the signing service hosted by Microsoft. Under the second, a site will
create their own keys and deploy them in system firmware, and will do their own signing of
binaries with it. In both schemes, shim, grub2, and the kernel will detect that they are
started in what UEFI describes as \"User mode\" with Secure Boot enabled, and
upon detecting this they will validate the next stage with a Fedora-specific cryptographic
public key before starting it. Additionally, grub2 will operate with similar restrictions
as it would if you had set a supervisory password in your configuration. Once the kernel
is booted, it will also detect tha
t it is in Secure Boot mode, which will cause several things to be true: it will validate
the boot command line to only allow certain kernel settings, it will check loaded modules
for signatures and refuse to load them if they are unsigned, and it will refuse any
operations from userland which cause userland-defined DMA."
+msgid "The Fedora Secure Boot implementation includes support for two methods of
booting under the Secure Boot mechanism. The first method utilizes the signing service
hosted by Microsoft to provide a copy of the shim bootloader signed with the Microsoft
keys. The second method is a more general form of the first, wherein a site or user can
create their own keys, deploy them in system firmware, and sign their own binaries."
msgstr ""
#. Tag: para
#, no-c-format
-msgid "Under this scheme, the signing service will be used to sign a first-stage
bootloader, <ulink
url=\"https://github.com/mjg59/shim\">shim</ulink>, which holds a
Fedora-specific public key. shim will then validate against the Fedora-defined key
referenced above."
+msgid "In both methods, shim, grub2, and the kernel will detect that they are
started in what UEFI describes as \"User mode\" with Secure Boot enabled, and
upon detecting this they will validate the next stage with a Fedora-specific cryptographic
public key before starting it. The validation is done via shim for grub2, and grub2 calls
back to shim to validate the kernel as well. Once the kernel is booted, it will also
detect that it is in Secure Boot mode, which will cause several things to be true:"
+msgstr ""
+
+#. Tag: member
+#, no-c-format
+msgid "it will validate the boot command line to only allow certain kernel
settings"
+msgstr ""
+
+#. Tag: member
+#, no-c-format
+msgid "it will check modules at load time for signatures and refuse to load them if
they are unsigned or signed with a signature not found in the UEFI key store variables
(see note)"
+msgstr ""
+
+#. Tag: member
+#, no-c-format
+msgid "it will refuse any operations from userland which cause userland-defined
DMA."
+msgstr ""
+
+#. Tag: para
+#, no-c-format
+msgid "These restrictions are in place to be fully compliant with Secure Boot. This
requires us to prevent any execution of unverified code at the supervisor level. Most
users won't notice these restrictions as most of the userspace packages that required
such access have been fixed to work without it. However, there are a few services or
features that will not work in a Secure Boot enabled machine at this time. They
include:"
+msgstr ""
+
+#. Tag: member
+#, no-c-format
+msgid "kexec/kdump"
+msgstr ""
+
+#. Tag: member
+#, no-c-format
+msgid "hibernate (suspend to disk)"
+msgstr ""
+
+#. Tag: member
+#, no-c-format
+msgid "third party modules that are unsigned, or signed with an unknown key"
+msgstr ""
+
+#. Tag: member
+#, no-c-format
+msgid "systemtap kernel probing (and kprobes)"
+msgstr ""
+
+#. Tag: para
+#, no-c-format
+msgid "In future iterations of Secure Boot support the above may also be possible,
however secure implementations were not feasible in the Fedora 18 timeframe."
+msgstr ""
+
+#. Tag: title
+#, no-c-format
+msgid "Note"
+msgstr ""
+
+#. Tag: para
+#, no-c-format
+msgid "Other distributions have chosen to not require signed kernel modules in their
Secure Boot implementation. Fedora believes that to fully support Secure Boot this is
required. We are working to limit the impacts of this while ensuring that untrusted module
code is not allowed to execute."
msgstr ""
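Review bot: The new module-signature member says "signed with a signature not found in the UEFI key store variables", but what the key store holds is keys, and the later member in this same hunk already words it as "signed with an unknown key"; suggest "signed with a key not found in the UEFI key store variables". That string also ends in "(see note)", while the note is a separate msgid titled only "Note", so a translator working string by string has nothing to tie the two together. The rewrite also drops two things the old text stated: that grub2 operates with restrictions similar to a supervisory password, and the ulink to shim. If that is intentional it deserves a line in the commit message. Smaller points: only the DMA member ends with a period, and "may also be possible, however secure implementations" is a comma splice. These strings are extracted from the book source, so the fixes belong there, followed by a fresh POT update.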
diff --git a/pot/Preface.pot b/pot/Preface.pot
index 03438a5..a13b2b4 100644
--- a/pot/Preface.pot
+++ b/pot/Preface.pot
@@ -4,8 +4,8 @@
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
-"POT-Creation-Date: 2013-01-04T18:28:40\n"
-"PO-Revision-Date: 2013-01-04T18:28:40\n"
+"POT-Creation-Date: 2013-01-05T02:13:25\n"
+"PO-Revision-Date: 2013-01-05T02:13:25\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"MIME-Version: 1.0\n"
diff --git a/pot/Revision_History.pot b/pot/Revision_History.pot
index ea39d19..b34dc32 100644
--- a/pot/Revision_History.pot
+++ b/pot/Revision_History.pot
@@ -4,8 +4,8 @@
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
-"POT-Creation-Date: 2013-01-04T18:28:40\n"
-"PO-Revision-Date: 2013-01-04T18:28:40\n"
+"POT-Creation-Date: 2013-01-05T02:13:25\n"
+"PO-Revision-Date: 2013-01-05T02:13:25\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"MIME-Version: 1.0\n"
@@ -29,6 +29,21 @@ msgstr ""
#. Tag: member
#, no-c-format
+msgid "Updated 'What is Secure Boot' chapter. (BZ 891758)"
+msgstr ""
+
+#. Tag: member
+#, no-c-format
+msgid "Updated 'Implementation' chapter. (BZ 891924)"
+msgstr ""
+
+#. Tag: member
+#, no-c-format
+msgid "Updated Josh Boyer's email address. (BZ 891932)"
+msgstr ""
+
+#. Tag: member
+#, no-c-format
msgid "Initial creation of book by publican"
msgstr ""
diff --git a/pot/UEFI_Secure_Boot_Guide.pot b/pot/UEFI_Secure_Boot_Guide.pot
index 6d40160..efe1c52 100644
--- a/pot/UEFI_Secure_Boot_Guide.pot
+++ b/pot/UEFI_Secure_Boot_Guide.pot
@@ -4,8 +4,8 @@
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
-"POT-Creation-Date: 2013-01-04T18:28:40\n"
-"PO-Revision-Date: 2013-01-04T18:28:40\n"
+"POT-Creation-Date: 2013-01-05T02:13:25\n"
+"PO-Revision-Date: 2013-01-05T02:13:25\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"MIME-Version: 1.0\n"
diff --git a/pot/Using_your_own_keys.pot b/pot/Using_your_own_keys.pot
index 4947457..09b7724 100644
--- a/pot/Using_your_own_keys.pot
+++ b/pot/Using_your_own_keys.pot
@@ -4,8 +4,8 @@
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
-"POT-Creation-Date: 2013-01-04T18:28:40\n"
-"PO-Revision-Date: 2013-01-04T18:28:40\n"
+"POT-Creation-Date: 2013-01-05T02:13:25\n"
+"PO-Revision-Date: 2013-01-05T02:13:25\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"MIME-Version: 1.0\n"
diff --git a/pot/What_is_Secure_Boot.pot b/pot/What_is_Secure_Boot.pot
index af48dc5..08470b6 100644
--- a/pot/What_is_Secure_Boot.pot
+++ b/pot/What_is_Secure_Boot.pot
@@ -4,8 +4,8 @@
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
-"POT-Creation-Date: 2013-01-04T18:28:40\n"
-"PO-Revision-Date: 2013-01-04T18:28:40\n"
+"POT-Creation-Date: 2013-01-05T02:13:25\n"
+"PO-Revision-Date: 2013-01-05T02:13:25\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"MIME-Version: 1.0\n"
@@ -19,7 +19,7 @@ msgstr ""
#. Tag: para
#, no-c-format
-msgid "Secure boot is a setup using UEFI firmware to check cryptographic signatures
on the bootloader and associated OS kernel to ensure they have not been tampered with or
bypassed in the boot process. With the planned release of Windows 8, Microsoft has decided
that all hardware that is marked \"Windows 8 client ready\" should:"
+msgid "Secure Boot is a setup using UEFI firmware to check cryptographic signatures
on the bootloader and associated OS kernel to ensure that only trusted OS binaries are
loaded during the boot process. These signatures are verified against keys stored in UEFI
variables. If a binary contains a valid signature, it is allowed to execute. If it does
not, the binary is not allowed to execute."
msgstr ""
#. Tag: member
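Review bot: The replaced paragraph ended with the lead-in for the member list that follows ("...all hardware that is marked \"Windows 8 client ready\" should:"), and the new msgid removes it without adding another string in this hunk (7 lines before, 7 after). Check that the list containing "Ship the Microsoft key in firmware." still has an introducing sentence in the source, otherwise the requirements appear with no stated subject. A later paragraph in this file still refers to "Windows 8 client ready machines", so the term should be introduced before that point.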
@@ -34,7 +34,7 @@ msgstr ""
#. Tag: member
#, no-c-format
-msgid "Ship the Microsoft keys in firmware."
+msgid "Ship the Microsoft key in firmware."
msgstr ""
#. Tag: member
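Review bot: This string now uses the singular "the Microsoft key", while the new text added to pot/Implementation_of_Secure_Boot.pot in the same commit says shim is "signed with the Microsoft keys". Pick one form and use it in both chapters so readers and translators do not infer two different things.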
@@ -44,11 +44,21 @@ msgstr ""
#. Tag: para
#, no-c-format
-msgid "This means that Fedora as it stands booted on such hardware will refuse to
boot until the user disables secure boot in the firmware."
+msgid "This means that Fedora versions before Fedora 18 booted on such hardware will
refuse to boot until the user disables Secure Boot in the firmware. While disabling Secure
Boot is a viable option that some users may wish to choose, it is not an optimal
solution."
msgstr ""
#. Tag: para
#, no-c-format
-msgid "Maintainers of the grub2, kernel and associated packages have proposed a plan
where by Fedora will have Verisign (via Microsoft) sign a bootloader shim that will in
turn boot grub2 (signed by a Fedora key) and the Fedora kernel (signed by a Fedora key) to
allow out of the box booting on secure boot enabled hardware. Additionally, they will
provide tools and information for users to create their own keys and sign their own copy
of boot shim and grub2 and kernel (and whatever else they wish to sign). This plan has
been approved by the Fedora Engineering Steering Committee as of 23-Jul-2012."
+msgid "To facilitate out of the box functionality on new hardware, the maintainers
of the grub2, kernel and associated packages have implemented Secure Boot support in
Fedora 18. On UEFI machines, Fedora 18 uses a small bootloader called \"shim\"
that has been signed by the Microsoft signing service (via Verisign). This allows UEFI to
load shim on Windows 8 client ready machines and continue the boot process for Linux. Shim
in turn boots grub2, which is signed by a Fedora key. Grub2 then boots a similarly signed
Linux kernel provided by Fedora which loads the rest of the OS as per the usual boot
process. The machine remains in Secure Boot mode."
+msgstr ""
+
+#. Tag: para
+#, no-c-format
+msgid "Additional tools and information will provided for users to create their own
keys and sign their own copy of shim and grub2 and kernel."
+msgstr ""
+
+#. Tag: para
+#, no-c-format
+msgid "This plan was approved by the Fedora Engineering Steering Committee on
23-Jul-2012."
msgstr ""
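Review bot: In the added paragraph "Additional tools and information will provided for users", the verb is incomplete; it should read "will be provided". The final string "This plan was approved by the Fedora Engineering Steering Committee on 23-Jul-2012." has also lost its antecedent: the old paragraph said the maintainers "have proposed a plan", whereas the rewritten text says they "have implemented Secure Boot support", so nothing before it is called a plan any more. Suggest naming it, for example "The plan for this implementation was approved...". "Fedora versions before Fedora 18 booted on such hardware will refuse to boot" is also hard to parse and would be easier to translate as "will refuse to boot on such hardware". All of these need fixing in the book source before the POT files are regenerated.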