*countable infinities only

Kevin Fenzi kevin at scrye.com
Fri Jun 1 18:06:08 UTC 2012


On Fri, 1 Jun 2012 11:44:17 -0600
Chris Murphy <lists at colorremedies.com> wrote:

> 
> On Jun 1, 2012, at 9:54 AM, drago01 wrote:
> > In case enabled secureboot is the only option (i.e we somehow refuse
> > to boot with it disabled) then (and only then) you can talk about
> > removed freedom otherwise this is just FUD.
> 
> It's an assumption there will be an option to disable it. This is up
> to the firmware implementation, not the spec. Arguably that is a flaw
> in the ratified spec. But the place for it now is, ironically, in the
> Windows 8 Logo Program.

Not true to my understanding.

"Madantory. Secure Boot must ship enabled (i.e., UEFI Version 2.3.1
Errata B variables SecureBoot=1 and SetupMode=0) with a signature
database (EFI_IMAGE_SECURITY_DATABASE) necessary to boot the machine
securely pre-provisioned, and include a PK that is set and a valid KEK
database."

"Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is
required to implement the ability to disable Secure Boot via firmware
setup. A physically present user must be allowed to disable Secure Boot
via firmware setup without possession of PKpriv. A Windows Server may
also disable Secure Boot remotely using a strongly authenticated
(preferably public-key based) out-of-band management connection, such
as to a baseboard management controller or service processor.
Programmatic disabling of Secure Boot either during Boot Services or
after exiting EFI Boot Services MUST NOT be possible. Disabling Secure
Boot must not be possible on ARM systems."

http://msdn.microsoft.com/en-us/library/windows/hardware/jj128256
> 
> You'd still find hardware that does not participate in that program,
> which then aren't bound to supply hardware allowing the disabling of
> Secure Boot. Apple will be one such company that falls under this.

Sure, but the vast majority of vendors would want to participate so
they can sell to people who want to run windows8. 

kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20120601/677cb4cd/attachment.sig>


More information about the devel mailing list