No subject


Thu Apr 19 19:57:42 UTC 2012


"17. MANDATORY. On non-ARM systems, the platform MUST implement the
ability for a physically present user to _select between two Secure Boot
modes in firmware setup_:
"Custom" and "Standard". Custom Mode allows for more flexibility as
specified in the following:
a) It shall be possible for a physically present user to use the Custom
Mode firmware setup option to modify the contents of the Secure Boot
signature databases and the PK. This may be implemented by simply
providing the option to clear all Secure Boot databases (PK, KEK, db,
dbx) which will put the system into setup mode."

So the graphical interface will present a choice to the user and will be
as simple as changing Secure Boot to custom mode.

Just look up the manual for something like Asus P8P67 mainboard which
has UEFI (granted probably no Secure Boot yet) to see what a UEFI
interface can look like. It's going to be a piece of cake.

In fact, loading signatures will probably also be very easy - most
likely import from a USB stick or media device of some kind.

> Making installation harder for the less experienced users does not
> make sense to me.
> 

Sure and I'm all for making things easier. I don't have a problem with
Fedora shipping with Secure Boot support, I'm saying that I don't think
it's as big a deal as everyone's making it out to be. In my opinion the
setting for Secure Boot will probably be no more difficult than setting
the default boot order in a BIOS (something you have to do to boot
install media).

>> > Now, if there was an inability to disable Secure Boot or manage keys
>> > then that would be a different kettle of fish (and in my mind a
>> > different argument).
> That is a more controversial part, but IMO if you have the choice
> of running fedora with some restrictions vs. not running fedora at all
> ...
> I'd go for the former ...
> 

Yeah, but that's _not_ the choice at all (which is kind of my point).
Your choice is between running Fedora in Secure Boot mode or running
Fedora completely unhindered with Secure Boot in custom mode. "Not at
all" never enters the picture.

-c

