Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

On 06/01/2012 01:11 PM, Sam Varshavchik wrote:
> You are assuming that Microsoft will sign a bootloader with such
> functionality.
>
> I would not take that bet.

The plan is to make them sign a shim boot loader, which essentially delegates the trust down to Fedora entirely, because they have no control over what Fedora will make that shim load next. Fedora can implement whatever they want after that.

And they will sign; they can't possibly review all the software that could follow the boot loader down the chain, because it includes big monolithic kernels, so they have to trust the people who develop the software instead of the software itself.

>> Now, users who buy machines with Windows pre-installed should expect
>> their firmware to include Microsoft's key, and should be aware that
>> they can add theirs legally. If they don't want to use Windows and
>> don't want the trouble of setting up keys they should either:
>>
>> (a) Buy from an OEM which builds machines with their OS of choice
>> pre-installed, including a secure boot key for it,
>>
>> (b) Ask an OEM for a machine without any OS (if you install the OS
>> yourself then you should be responsible for installing the key as well),
>>
>> (c) Fight an OEM which pre-installs Windows to add a new key, possibly
>> a set of keys from unbiased trust brokers that can distribute
>> certificates (bootloader shims) to your OS of choice to make it more
>> realistic.
>
> How about buying a laptop or a PC that will boot any damn OS you want,
> without all this cockamamie crap?

Well, any computer *will* boot any damn OS, just add a key, or don't use the technology. The problem here is about those users who don't know or care about it, and who might not be comfortable generating keys, securing them, signing boot loaders, and adding them to the firmware. This process can be greatly streamlined, but still it won't be suitable for everyone, and those who need secure boot the most are unfortunately those who probably won't set it up themselves.

And if secure boot isn't enabled by default even on machines with preinstalled OSes, then the world will gain nothing from the technology as, again, the people feeding the zombie networks are the same who won't care to enable it themselves.
--
t