Red Hat Will Pay Microsoft To Get Past UEFI Restrictions
Thibault Nélis
thib at stammed.net
Fri Jun 1 11:42:50 UTC 2012

On 06/01/2012 01:11 PM, Sam Varshavchik wrote:
> You are assuming that Microsoft will sign a bootloader with such
> functionality.
>
> I would not take that bet.

The plan is to make them sign a shim boot loader, which essentially
delegates the trust down to Fedora entirely, because they have no
control over what Fedora will make that shim load next. Fedora can
implement whatever they want after that.

And they will sign; they can't possibly review all the software that
could follow the boot loader down the chain, because it includes big
monolithic kernels, so they have to trust the people who develop the
software instead of the software itself.

>> Now, users who buy machines with Windows pre-installed should expect
>> their firmware to include Microsoft's key, and should be aware that
>> they can add theirs legally. If they don't want to use Windows and
>> don't want the trouble of setting up keys they should either:
>>
>> (a) Buy from an OEM which builds machines with their OS of choice
>> pre-installed, including a secure boot key for it,
>>
>> (b) Ask an OEM for a machine without any OS (if you install the OS
>> yourself then you should be responsible for installing the key as well),
>>
>> (c) Fight an OEM which pre-installs Windows to add a new key, possibly
>> a set of keys from unbiased trust brokers that can distribute
>> certificates (bootloader shims) to your OS of choice to make it more
>> realistic.
>
> How about buying a laptop or a PC that will boot any damn OS you want,
> without all this cockamamie crap?

Well any computer *will* boot any damn OS, just add a key, or don't use
the technology. The problem here is about those users who don't know or
care about it, and who might not be comfortable generating keys,
securing them, signing boot loaders, and adding them to the firmware.
This process can be greatly streamlined, but still it won't be suitable
for everyone, and those who need secure boot the most are unfortunately
those who probably won't set it up themselves.

And if secure boot isn't enabled by default even on machines with
preinstalled OSes, then the world will gain nothing from the technology
as, again, the people feeding the zombie networks are the same who won't
care to enable it themselves.
--
t