Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Sam Varshavchik mrsam at courier-mta.com
Mon Jun 4 11:01:51 UTC 2012 

Thibault NĂ©lis writes:

> On 06/02/2012 10:19 PM, Sam Varshavchik wrote:
>> But I thought that this was the plan of action, isn't it? Sign a shim
>> that boots Fedora. Presto, secured boot, with Microsoft's blessing.
>>
>> So, did you just change your mind, and realize that:
>>
>> 1) It makes no sense, and
>>
>> 2) Microsoft is not going to sign a shim that will boot an arbitrary
>> Linux kernel, which can be trivially used to bypass the protection that
>> a secured boot offers to their non-free OS?
>
> We're really talking about different things here I believe;  from my point  
> of view, I see you asking the question "When will a universal key that can  
> boot any kernel?" in a very rhetorical way, as in, it will never happen  
> because either the system is broken or Microsoft won't allow it (I'm not  
> sure what you meant exactly, but I'm pretty sure it's one of those, correct  
> me if I'm wrong).

Both; but mostly the fact that Microsoft will not allow it.

> However, I argue that asking the question is a little wrong;  if such a key  
> would exist, secure boot would lose its purpose, and thus we shouldn't even  
> desire such a key.  But I'm kind of certain that you understand that very  
> well already, which is why I'm out of words.

Precisely. Gee, and I thought that I was running Linux because I am able to  
boot any kernel that I feel like.

But then, the argument goes that you will have the ability to install your  
own firmware key, and sign the kernel.

But, it's painfully obvious to me, that this will never happen, to any  
noteworthy degree. I have very little doubt that empty promises in  
Microsoft's own documentation, that's cited as alleged proof that firmware  
will retain the ability to accept other keys, are utterly bogus. It's not  
going to happen.

Even without malware being a factor, a signed secure boot of Linux will be  
able to bootstrap another non-free OS, bypassing its secure boot. I repeat:  
a truly secure boot for a non-free OS is logically impossible as long as  
secure boot is still possible for a free OS, on the same hardware. There's  
no need for any malware to be involved. The core definition of free OS as  
one that lets you do whatever with your hardware and software. This  
logically prevents a secure boot of a non-free OS, where that does not hold  
true.

Anyone can spin this until tomorrow, but this is something fundamental, that  
no amount of spin and talk can change. Microsoft isn't stupid. They know  
this. Which is why, ultimately, you will not be able to boot a free OS on  
the same hardware that is capable of booting Microsoft's OS. All that jazz  
about alternate keys is just magician's smoke and mirrors aimed to misdirect  
the dumb audience.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20120604/9be5bf0d/attachment.sig>

More information about the users mailing list