On 06/01/2012 11:30 AM, Gerry Reno wrote:
> The better solution would be for users who want SecureBoot to have to set it in the BIOS. It should be disabled by default.

I do not disagree with you. Microsoft does. They have the influence over the hardware OEMs. We do not. They are forcing the OEMs to enable it by default.

Feel free to tell your OEM vendor to disable it by default. They will not get that hardware Windows 8 Certified, won't be able to OEM preload Windows 8 on it, if they disable it by default. Who do you think they are going to go with at the end of the day?

Now, let us operate on the assumption that SecureBoot is enabled by default, and that the majority of PCs are going to come with Windows 8 pre-installed. Do we want to support dual-booting with Windows 8?

Microsoft describes SecureBoot enablement as "Required for Windows 8 client" [1]? What does that mean? We're not sure. At best, it means that BitLocker isn't going to work, at worst, big chunks of Windows 8 functionality will simply refuse to function until you turn SecureBoot back on.

Microsoft isn't even planning on supporting dual-booting of Windows 7 and Windows 8:

"If you are dual booting, it depends on whether you are booting into another trusted operating system, van der Hoeven said. One discussion we are having is…[with] this first firmware OK boot manager OK handshake, you can't have a version of that that works with Windows 7. Windows 7 doesn't have the ability to check firmware. The firmware can check and make sure it is assigned a Windows 7 boot loader. Truly, right now today, if you want to have secure boot and you want to dual boot Windows 8 and Windows 7, you need to turn secure boot off in firmware. We are thinking about having a way that you can go ahead and make that work, but that's not POR [plan of record] today." [2]

So, if we want to be able to provide a dual-boot configuration with Windows 8 (fully functional) and Fedora, how do we do it? Matthew has come up with a way.

And if you don't care about dual-booting or SecureBoot, turn it off in the UEFI Firmware, and Fedora continues to work just as it did before. It's not an all-or-nothing approach.

But I think it is short-sighted (and arrogant of us) to simply say to people who have no idea what UEFI stands for, "Hey, this Fedora isn't for you, go find someone smart enough to help you."

We include wireless device firmware even though it isn't free. And we don't like doing that, but it is the only way to get wireless support out of the box in Fedora.

We're proposing providing a signed bootloader to enable Fedora to run in SecureBoot environments, even though it is immensely distasteful and questionably non-free. And we don't like doing that, but it is the only way we've come up with to get Fedora support out of the box on the next generation of hardware.

If you can come up with a better way to boot Fedora on SecureBoot enabled hardware, we're all listening.

~tom

==
Fedora Project

[1]: http://video.ch9.ms/build/2011/slides/HW-457T_van_der_Hoeven.pptx
[2]: http://redmondmag.com/articles/2011/09/23/windows-8-dual-boot-possible-if-secure-boot-disabled.aspx