On 2014-07-07, Florian Weimer <fweimer(a)redhat.com> wrote:
> Note that Microsoft's current policy may not allow unrestricted
> virtualization (KVM or Virtualbox—does not matter) because that "permits
> launch of another operating system instance after execution of
> unauthenticated code"—the wording is rather unclear. If Microsoft
> clarifies that this is forbidden, a future Fedora update will remove
> this functionality, so you will be forced to disable Secure Boot at this
> point anyway if you want to continue to use virtualization.

Could you elaborate more on what "unauthenticated code" is in this case? Is
it a userspace tool for controlling in-kernel virtualization (e.g. qemu
in case of KVM)? Because KVM as a kernel module is signed.

If so, what if the user uses pure user-space emulation (e.g. qemu)? Either
that imposes that user-space executables have to be signed too, or the
unclarified statement lacks any meaningful purpose.

-- Petr