*countable infinities only

Tom Callaway tcallawa at redhat.com
Fri Jun 1 16:10:35 UTC 2012


On 06/01/2012 11:30 AM, Gerry Reno wrote:

> The better solution would be for users who want SecureBoot to have to set it in the BIOS. It should be disabled by default.

I do not disagree with you. Microsoft does. They have the influence over
the hardware OEMs. We do not. They are forcing the OEMs to enable it by
default.

Feel free to tell your OEM vendor to disable it by default. They will
not get that hardware Windows 8 Certified, won't be able to OEM preload
Windows 8 on it, if they disable it by default. Who do you think they
are going to go with at the end of the day?

Now, let us operate on the assumption that SecureBoot is enabled by
default, and that the majority of PCs are going to come with Windows 8
pre-installed.

Do we want to support dual-booting with Windows 8? Microsoft describes
SecureBoot enablement as "Required for Windows 8 client" [1]. What does
that mean? We're not sure. At best, it means that BitLocker isn't going
to work; at worst, big chunks of Windows 8 functionality will simply
refuse to function until you turn SecureBoot back on.

Microsoft isn't even planning on supporting dual-booting of Windows 7
and Windows 8:

"If you are dual booting, it depends on whether you are booting into
another trusted operating system, van der Hoeven said. One discussion we
are having is…[with] this first firmware OK boot manager OK handshake,
you can't have a version of that that works with Windows 7. Windows 7
doesn't have the ability to check firmware. The firmware can check and
make sure it is assigned a Windows 7 boot loader. Truly, right now
today, if you want to have secure boot and you want to dual boot Windows
8 and Windows 7, you need to turn secure boot off in firmware. We are
thinking about having a way that you can go ahead and make that work,
but that's not POR [plan of record] today." [2]

So, if we want to be able to provide a dual-boot configuration with
Windows 8 (fully functional) and Fedora, how do we do it? Matthew has
come up with a way.

And if you don't care about dual-booting or SecureBoot, turn it off in
the UEFI Firmware, and Fedora continues to work just as it did before.
It's not an all-or-nothing approach. But I think it is short-sighted
(and arrogant of us) to simply say to people who have no idea what UEFI
stands for, "Hey, this Fedora isn't for you, go find someone smart
enough to help you."

We include wireless device firmware even though it isn't free. And we
don't like doing that, but it is the only way to get wireless support
out of the box in Fedora.

We're proposing providing a signed bootloader to enable Fedora to run in
SecureBoot environments, even though it is immensely distasteful and
questionably non-free. And we don't like doing that, but it is the only
way we've come up with to get Fedora support out of the box on the next
generation of hardware.

If you can come up with a better way to boot Fedora on SecureBoot
enabled hardware, we're all listening.

~tom

==
Fedora Project

[1]: http://video.ch9.ms/build/2011/slides/HW-457T_van_der_Hoeven.pptx
[2]: http://redmondmag.com/articles/2011/09/23/windows-8-dual-boot-possible-if-secure-boot-disabled.aspx

