Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Kevin Fenzi kevin at scrye.com
Tue Jun 5 19:26:38 UTC 2012


On Tue, 5 Jun 2012 12:07:00 -0700 (PDT)
Antonio Olivares <olivares14031 at yahoo.com> wrote:

> > Supposing your OEM isn't abusing his powers and respects
> > Microsoft's requirements if it's an x86 platform, you should
> > be able to add your own key in the firmware, which will be
> > used to verify the boot loader.  If this thing is well
> > designed (I assume it is), you won't have to flip a single
> > bit on the boot loader and certainly not rebuild it
> > (provided it does support secure boot in the first place).
> 
> I am trying to understand the pros and cons in the arguments here,
> but I am just a mere mortal so I will ask what I don't understand.
> 
> 1) Red Hat will pay $99 to each OEM that exists in order to boot
> Fedora 18 which should come out in parallel when windows 8 comes out?

No. The $99 is a one-time fee to VeriSign. Under this plan (which has
not been approved or agreed on yet), Fedora would pay the fee for
itself and get its bootloader shim signed by the MS key. This shim
would have the Fedora keys in it to check and only boot Fedora signed
grub2 and kernel. Fedora (or things using its shim/grub2/kernel) would
boot out of the box on secure boot enabled hardware.

> 2) Secure boot could be disabled in the bios and one could bypass the
> pile of M$ crap?

Yes. You can disable secure boot in the firmware. 
You can also remove MS keys and replace them with your own and use
Secure boot. 

> 3) Other OSes also have to boot, since Red Hat has/is/will be paying
> $99 to M$/other company to be able to safely boot Fedora, they can
> just mimic Fedora's bootup|kernel parameters and not pay to securely
> boot?

If the "Other OS" ships and uses Fedora's bootloader shim, grub2, and
kernel, then yes, it will just boot. If they modify these or have their
own, it will not. They can also pay $99 to get access to the Microsoft
sysdev portal, and get their boot shim signed by MS, then it will work
in secure boot mode. 

> 4) another page that explains some of this, I don't know if it has been
> mentioned here, is
> 
> http://mjg59.dreamwidth.org/12368.html
> 
> It has some explanations, but the topic is still difficult to
> understand and I would have to agree with the suggestions others have
> shared here in this thread.  Only time will tell how this issue will
> be affected once we get there.

Yeah, he did a good writeup, but lots of people seem to not understand
all the issues here.

kevin
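
A toy model of the chain of trust described in this reply, added here as an illustration and not part of the original message or of Fedora's shim: the firmware key database verifies the shim, and the key embedded in the shim verifies grub2 and the kernel. The keys are constructed textbook-RSA values built from small Mersenne primes (not secure), and all function names and image contents are assumptions.

```python
import hashlib, json

E = 65537

def make_key(p, q):
    # Toy textbook RSA from two constructed Mersenne primes: not secure, no padding.
    n = p * q
    return {"pub": [n, E], "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def signed(image, key):
    n = key["pub"][0]
    return {"image": image, "sig": pow(digest(image, n), key["d"], n)}

def verify(blob, pub):
    n, e = pub
    return pow(blob["sig"], e, n) == digest(blob["image"], n)

def make_shim(vendor_pub, signer):
    # The vendor key sits inside the signed image, so it cannot be swapped later.
    return signed(json.dumps({"stage": "shim", "vendor_pub": vendor_pub}).encode(), signer)

def boot(db, shim, grub2, kernel, secure_boot=True):
    """Return 'booted' or the point where the chain of trust breaks."""
    if not secure_boot:
        return "booted"  # Secure Boot disabled: the firmware checks nothing
    if not any(verify(shim, pub) for pub in db):
        return "firmware rejected shim"
    vendor_pub = json.loads(shim["image"])["vendor_pub"]
    for name, stage in (("grub2", grub2), ("kernel", kernel)):
        if not verify(stage, vendor_pub):
            return "shim rejected " + name
    return "booted"

# Constructed keys standing in for the Microsoft, Fedora and machine-owner keys.
MS = make_key(2**61 - 1, 2**89 - 1)
FEDORA = make_key(2**107 - 1, 2**127 - 1)
OWNER = make_key(2**521 - 1, 2**607 - 1)
FEDORA_SHIM = make_shim(FEDORA["pub"], MS)
GRUB2 = signed(b"fedora grub2", FEDORA)
KERNEL = signed(b"fedora kernel", FEDORA)

if __name__ == "__main__":
    patched = dict(GRUB2, image=b"rebuilt grub2")  # modified image, old signature
    print(boot([MS["pub"]], FEDORA_SHIM, GRUB2, KERNEL))     # stock Fedora chain
    print(boot([MS["pub"]], FEDORA_SHIM, patched, KERNEL))   # modified grub2
    print(boot([OWNER["pub"]], FEDORA_SHIM, GRUB2, KERNEL))  # MS key replaced by owner's
```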