On 06/01/2012 03:22 PM, Adam Williamson wrote:
> On Fri, 2012-06-01 at 15:14 -0400, Gerry Reno wrote:
>> I just read through the MS docs on SecureBoot and this is the biggest Rube-Goldberg machine.
>>
>> I could not think of a nastier solution to a problem than what they've dreamt up here.
>>
>> The whole problem they are trying to solve is that of booting only known-good code.
>>
>> That would be much easier accomplished by having the OS reside on a read-only device that could only be written to by the user actively using hardware to enable the write during installation.
>>
>> That would create a system where there was no possible programmatic means of corrupting the OS during normal operation.
>>
>> No signatures, no crypto-databases, or other SecureBoot gobbledy-gook needed.
>>
>> To implement this would require only that new systems support two drives, one with controllable-by-user read-write-controller interface for storing the OS.
>>
>> Forensic firms have been using these types of read-write controllable drive interfaces for years. Hardware already exists.
> What is your practical point?
>

My practical point is that Microsoft chose this particular solution not as the best way to solve the issue of booting known-good code but as a way of impacting Linux and its whole concept of software freedoms.

I don't think anybody in the Linux community should be supporting this SecureBoot "solution" in any way, shape or form.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel