Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Alan Cox alan at lxorguk.ukuu.org.uk
Sat Jun 2 19:49:29 UTC 2012


> 3. Create your own keys and sign your own shim/grub2/kernel and remove
> MS'es keys. 

And how are you going to add your own keys to the firmware ? There is no
requirement for EFI to support this in anything I've seen so far.
Hopefully everyone will.

Also btw I wouldn't bet on removing the Microsoft key - as it stands you
may find that means all your add on cards stop working. All those with
firmware have to have the firmware signed too (otherwise you'd just
insert a 'f**k you' card with breakout firmware into the box), and those
have to be signed with a key that can be everywhere if the are general
purpose add in cards

While there are still folks thinking evil thoughts along the 'wasn't it
good in pre PC days when we could flog a $30 video card for $600'
PC vendors want their cards to work everywhere. So in practice someone
has to sign their firmware to work with every BIOS which puts them in the
same place as Fedora so they end up being Microsoft signed, kerching $99,
kerching $99...

Remove the MS key and the firmware won't be signed. I doubt you can
re-sign any flash firmware. That's probably only a problem for the
paranoid because any government approved spyware from the FBI etc is
presumably going to use the Microsoft key by default.

Alan


More information about the users mailing list