On 06/08/2012 05:42 PM, Adam Jackson wrote: > On Fri, 2012-06-08 at 16:29 +0100, Andrew Haley wrote: >> On 06/08/2012 04:24 PM, Adam Jackson wrote: >>> And? I wasn't speaking to "we should sign our arm images with >>> Microsoft's key", I was speaking to "we should support Secure Boot on >>> arm". If someone wants to build an arm machine with SB support capable >>> of running non-Windows operating systems, why would we not want to run >>> there, and why would enabling that look any different from self-signing >>> an x86 machine? >> >> Forgive me if I'm missing something, but surely the reason we would >> not want to run there is that our users would not be able to do so >> as well: they wouldn't be able to modify our kernel and run it on >> their machine. > > I chose my words carefully. I think you're hearing "Secure Boot on arm" > and concluding "immutable Secure Boot configuration", which to my > knowledge is not a given. It's a given for machines that will ship with > Windows for arm on them, and one can choose to be angry at Microsoft for > that I suppose, but that's not necessarily a statement about the broader > arm ecosystem. > > Personally I really like the idea of establishing my own trust chain on > my own machines. I like the idea that I can get the assurance that my > firmware hasn't been rooted _and_ not rely on anyone else's cert safety > practices but my own. If I'm the sort of person who's taking my > computer into hostile territory - insert oppressive government of choice > here - that level of trust is potentially life saving. I have no objection to such a secure boot either. > And - though it pains me that this next thought might actually be > unpopular, though closer investigation might reveal that I'm giving the > feature too much credit, and without considering or conceding whether > such a machine would be non-free - I'm pretty sure I am willing to > sacrifice a minor technical point of software freedom for real gains in > human freedom. I suppose I don't know what minor technical point of software freedom you're talking about. I presume it's not the freedom to change a program so it does your computing as you wish, which is scarcely a minor anything. > Software freedom is a means, not an end. > > Microsoft's requirements for SB on x86 enable that kind of trust for > Linux (and for anyone else who wants it). It's possible to build arm > machines the same way; they won't be able to run Windows, but whatever, > as if I want to run Windows anyway. If arm machines like that were to > exist, why _wouldn't_ we want to support them? For that matter, why > would we not want to enable building them? As long as the technology isn't used to bind users, no reason at all. Andrew. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
