On Fri, 1 Jun 2012 11:44:17 -0600
Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote:

>
> On Jun 1, 2012, at 9:54 AM, drago01 wrote:
> > In case enabled secureboot is the only option (i.e. we somehow refuse
> > to boot with it disabled) then (and only then) you can talk about
> > removed freedom otherwise this is just FUD.
>
> It's an assumption there will be an option to disable it. This is up
> to the firmware implementation, not the spec. Arguably that is a flaw
> in the ratified spec. But the place for it now is, ironically, in the
> Windows 8 Logo Program.

Not true to my understanding.

"Mandatory. Secure Boot must ship enabled (i.e., UEFI Version 2.3.1
Errata B variables SecureBoot=1 and SetupMode=0) with a signature
database (EFI_IMAGE_SECURITY_DATABASE) necessary to boot the machine
securely pre-provisioned, and include a PK that is set and a valid KEK
database."

"Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is
required to implement the ability to disable Secure Boot via firmware
setup. A physically present user must be allowed to disable Secure Boot
via firmware setup without possession of PKpriv. A Windows Server may
also disable Secure Boot remotely using a strongly authenticated
(preferably public-key based) out-of-band management connection, such
as to a baseboard management controller or service processor.
Programmatic disabling of Secure Boot either during Boot Services or
after exiting EFI Boot Services MUST NOT be possible. Disabling Secure
Boot must not be possible on ARM systems."

http://msdn.microsoft.com/en-us/library/windows/hardware/jj128256

>
> You'd still find hardware that does not participate in that program,
> which then aren't bound to supply hardware allowing the disabling of
> Secure Boot. Apple will be one such company that falls under this.

Sure, but the vast majority of vendors would want to participate so
they can sell to people who want to run windows8.

kevin
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel