Fedora ARM and SecureBoot

Przemek Klosowski przemek.klosowski at nist.gov
Thu Jun 7 17:14:57 UTC 2012

What is Fedora ARM planning to do about the upcoming Microsoft hardware 
certification spec requiring Secure Boot? By the spec, there must be a 
way to disable it on x86, but on ARM they expressly prohibit turning it 
off. I guess the current Fedora/RedHat stance, as explained by Matthew 
Garrett, is to obtain a MS certificate covering x86 and presumably ARM 
kernels from Fedora, but this doesn't help respins and mods and even 
custom kernels---more likely on ARM because of the its relative newness 
and faster pace of development.

People pointed out that MS hardware requirements for ARM don't have 
anwhere near the market coverage/importance as in the x86 sector, so 
they argue that it's OK to ignore the issue. Indeed, currently majority 
of ARM hardware just doesn't care about MS, but Secure Boot is a 
reflection of the industry trend seeking more security (*) so it's 
conceivable that more digital signing is in ARM's future, too.

So, what is the current thinking?

(*) this is true whether one agrees with it or not, and whatever one 
thinks about SecureBoot technical merit.

More information about the devel mailing list