Fedora ARM and SecureBoot

Adam Jackson ajax at redhat.com
Thu Jun 7 19:50:26 UTC 2012

On Thu, 2012-06-07 at 13:14 -0400, Przemek Klosowski wrote:
> What is Fedora ARM planning to do about the upcoming Microsoft hardware 
> certification spec requiring Secure Boot? By the spec, there must be a 
> way to disable it on x86, but on ARM they expressly prohibit turning it 
> off. I guess the current Fedora/RedHat stance, as explained by Matthew 
> Garrett, is to obtain a MS certificate covering x86 and presumably ARM 
> kernels from Fedora, but this doesn't help respins and mods and even 
> custom kernels---more likely on ARM because of the its relative newness 
> and faster pace of development.
> People pointed out that MS hardware requirements for ARM don't have 
> anwhere near the market coverage/importance as in the x86 sector, so 
> they argue that it's OK to ignore the issue. Indeed, currently majority 
> of ARM hardware just doesn't care about MS, but Secure Boot is a 
> reflection of the industry trend seeking more security (*) so it's 
> conceivable that more digital signing is in ARM's future, too.
> So, what is the current thinking?

What's to decide?

There are no ARM machines where getting Fedora signed by someone else
would improve our ability to boot, so why would we bother getting
someone else to sign Fedora on ARM?

If there are ARM machines where UEFI and Secure Boot are available,
we're going to have tools to do your own trust database management
anyway, so why would supporting them be any different from doing the
same on x86?

- ajax
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20120607/612b3181/attachment-0001.sig>

More information about the devel mailing list