Need more info: UEFI Secure Boot in Fedora

Alan Cox alan at
Thu May 31 12:56:11 UTC 2012

> Thanks for the reply and clearing the confusion.
> and to make sure future boards i buy lets users disable secure boot.

By far the best idea. As a kernel rights holder I question the legality
of Matthew's proposal, and it would be amusingly unfortunate if the
Software Conservancy ended up beginning some of its Linux enforcement
against Fedora.

The other source of machines is of course going to be Google chromebooks
and the like. They don't have a windows tax on them in the first place
and have a developer switch.

In fact in many ways the chromebooks and the like work the way it appears
the secure boot stuff will ultimately work. If supplied as a system you
would need to perform a specific incantation that demonstrates you are
physically present and intend to unlock the device.

That part of things is actually quite sensible - it means you can give a
box to a random end user who doesn't want to do anything clever with it
and the lock is a value, but the unlock can be done.

What is much more evil is that the EFI scheme is engineered so that
- the mechanism for unlocking is not defined but will vary by device
- the process of getting keys into BIOSes is sufficiently fragmented and
  convoluted that in effect Microsoft own the keys. This stops you
  locking the device down with your own key.

There is some hope the BIOS vendors will at least get their act together
a bit on the former, if only to avoid the support calls and board returns
killing them. With the wafer thin margins they have they simply cannot
afford to have customers returning systems due to poor documentation.


More information about the users mailing list