Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Thibault NĂ©lis thib at stammed.net
Fri Jun 1 11:42:50 UTC 2012 

On 06/01/2012 01:11 PM, Sam Varshavchik wrote:
> You are assuming that Microsoft will sign a bootloader with such
> functionality.
>
> I would not take that bet.

The plan is to make them sign a shim boot loader, which essentially 
delegates the trust down to Fedora entirely, because they have no 
control over what Fedora will make that shim load next.  Fedora can 
implement whatever they want after that.

And they will sign;  they can't possibly review all the software that 
could follow the boot loader down the chain, because it includes big 
monolithic kernels, so they have to trust the people who develop the 
software instead of the software itself.

>> Now, users who buy machines with Windows pre-installed should expect
>> their firmware to include Microsoft's key, and should be aware that
>> they can add theirs legally. If they don't want to use Windows and
>> don't want the trouble of setting up keys they should either:
>>
>> (a) Buy from an OEM which builds machines with their OS of choice
>> pre-installed, including a secure boot key for it,
>>
>> (b) Ask an OEM for a machine without any OS (if you install the OS
>> yourself then you should be responsible for installing the key as well),
>>
>> (c) Fight an OEM which pre-installs Windows to add a new key, possibly
>> a set of keys from unbiased trust brokers that can distribute
>> certificates (bootloader shims) to your OS of choice to make it more
>> realistic.
>
> How about buying a laptop or a PC that will boot any damn OS you want,
> without all this cockamamie crap?

Well any computer *will* boot any damn OS, just add a key, or don't use 
the technology.  The problem here is about those users who don't know or 
care about it, and who might not be comfortable generating keys, 
securing them, signing boot loaders, and adding them to the firmware. 
This process can be greatly streamlined, but still it won't be suitable 
for everyone, and those who need secure boot the most are unfortunately 
those who probably won't set it up themselves.

And if secure boot isn't enabled by default even on machines with 
preinstalled OSes, then the world will gain nothing from the technology 
as, again, the people feeding the zombie networks are the same who won't 
care to enable it themselves.
-- 
t

More information about the users mailing list