*countable infinities only

drago01 drago01 at gmail.com
Sat Jun 9 13:25:30 UTC 2012


On Sat, Jun 9, 2012 at 3:19 PM, Chris Smart <fedora at christophersmart.com> wrote:
> On 09/06/12 19:34, drago01 wrote:
>>> Is that actually true though?
>>> >
>>> > If Fedora does not implement some form of Secure Boot support, 100% of
>>> > Fedora users will still be able to install Fedora on new machines, after
>>> > they disable Secure Boot, if their computer even has it at all (and
>>> > personally, I think the majority of Fedora users will simply buy
>>> > hardware which does not have Secure Boot). I know I would.
>> No because some users don't know what a firmware is and can't/don't
>> want to fiddle with it.
>
> Except it won't be that hard.

For people like you.

> We say "firmware" but it's the interface
> we're talking about. It'll be just like going into the BIOS and setting
> the boot order, date, or turning on hardware virtualisation support.
> We're not talking about flashing firmware, running commands or anything
> like that.

That's complicated and scary for many users.

> From Microsoft:
> "17. MANDATORY. On non-ARM systems, the platform MUST implement the
> ability for a physically present user to _select between two Secure Boot
> modes in firmware setup_:
> "Custom" and "Standard". Custom Mode allows for more flexibility as
> specified in the following:
> a) It shall be possible for a physically present user to use the Custom
> Mode firmware setup option to modify the contents of the Secure Boot
> signature databases and the PK. This may be implemented by simply
> providing the option to clear all Secure Boot databases (PK, KEK, db,
> dbx) which will put the system into setup mode."
>
> So the graphical interface will present a choice to the user and will be
> as simple as changing Secure Boot to custom mode.

"simple" ...

> Just look up the manual for something like Asus P8P67 mainboard which
> has UEFI (granted probably no Secure Boot yet) to see what a UEFI
> interface can look like. It's going to be a piece of cake.

Again, please don't look at this from your POV.

> In fact, loading signatures will probably also be very easy - most
> likely import from a USB stick or media device of some kind.
>
>> Making installation harder for the less experienced users does not
>> make sense to me.
>>
>
> Sure and I'm all for making things easier. I don't have a problem with
> Fedora shipping with Secure Boot support, I'm saying that I don't think
> it's as big a deal as everyone's making it out to be.

Because you are looking at it from your point of view, ignoring other
kinds of users.
What is easy for you isn't easy for everyone.

> In my opinion the
> setting for Secure Boot will probably be no more difficult than setting
> the default boot order in a BIOS (something you have to do to boot
> install media).

For some users changing the boot order is a big hurdle already.

>>> > Now, if there was an inability to disable Secure Boot or manage keys
>>> > then that would be a different kettle of fish (and in my mind a
>>> > different argument).
>> That is a more controversial part, but IMO if you have the choice
>> of running fedora with some restrictions vs. not running fedora at all
>> ...
>> I'd go for the former ...
>>
>
> Yeah, but that's _not_ the choice at all (which is kind of my point).

On x86 it is not; on ARM devices following the MS logo program it will be.

> Your choice is between running Fedora in Secure Boot mode or running
> Fedora completely unhindered with Secure Boot in custom mode. "Not at
> all" never enters the picture.

Yeah, and I see no reason why we shouldn't have a sane default "works
everywhere" and let users that want more control turn off secure
boot,

