Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Thibault Nélis thib at stammed.net
Sat Jun 2 12:14:11 UTC 2012


On 06/02/2012 04:28 AM, Sam Varshavchik wrote:
> Yes, all five of them.

Point taken.

>> [0] Yes, I found it, it was there all along, I guess I didn't look
>> hard enough (or didn't listen properly):
>> http://download.microsoft.com/download/A/D/F/ADF5BEDE-C0FB-4CC0-A3E1-B38093F50BA1/windows8-hardware-cert-requirements-system.pdf
>> [search for secureboot, you'll find it easy enough]
>
> I never said that Microsoft would openly prohibit OEMs from offering an
> option to install user-provided keys.
>
> The key word here is "openly".

How do you mean "openly"?  It can't get much more open than a mandatory 
interface that lets you do it simply.  What UEFI could do to make 
things better is standardize the UI, but that's it.

>> Exactly, by ignoring them and using the services of other organizations.
>
> Well, that's one unique way to ignore them: it costs $99 to do that.

Please try to stay with me, you can't have everything.  If you can find 
somebody who's gonna keep a key safe and manage hundreds of customers 
(signing their shims) *and* make contracts with as many OEMs as possible 
to get their own key in the firmwares for *you*, for *free*, then give 
me a number, and give it to Fedora.

If you think this service is useless for secure boot, I'll argue that 
you're not being realistic, you can't ask every OS developer to make 
deals with every OEM on the planet.

If you want to be realistic and want secure boot for free for every 
developer of every OS, then fat chance, you can't have it.  Some might 
have the contacts to make the deals for free, but Fedora chose not to 
use them so they wouldn't have an unfair advantage over the other 
distros.  That's their explanation anyway.

> There are plenty of people who use non-Fedora kernels with the rest of
> the Fedora distribution. Now, I have no reasons to do so myself; and I
> can't think of a typical reason why I'd want to do that; but they surely
> have their own valid reason for doing that.

I know that, and that's my point, they're non-Fedora kernels, so it's 
not strictly Fedora in the sense that Fedora maintainers have no 
authority to bless each and every one of these kernels with a signature, 
and nor should they have one.

> And, if their hardware required a Microsoft-blessed key to boot a host
> OS, then the whole point of getting one would be to be able to boot
> their machine.
>
> Imagine the gall – wanting to be able to boot a custom kernel.

Easy, sign it yourself.  We went over it a hundred times now.  If you 
can build a kernel you can sign a million of them.

If the technical task of signing a kernel is too much for people who 
don't care much about security, they can disable secure boot.
-- 
t

