On Thu, Nov 08, 2012 at 03:38:33PM +0100, Thomas Renninger wrote:

> BTW: Who decides what is allowed and what is not?

Tree maintainers.

> I guess it should be the spec. I haven't read the details, but
> when even Matthew is not sure, it sounds as if this is phrased
> rather imprecisely. And as Windows is afaik the central key authority
> they can enforce their interpretation of the spec for Linux as well?

The spec is purely mechanism, not policy. Policy is up to the OS vendors.

> I'd like to have this boot parameter to also work the
> other way around:
> secureboot_enable=no
> and let all secure boot things fall off, only set a
> TAINT_INSECURE_BOOT_EVEN_BIOS_REQUESTED_SECURE_BOOT
>
> Can SUSE sign this kernel without fearing to get the key revoked
> from Windows?

If anyone used that kernel to attack Windows, the signature would get revoked.

> Can this exist in the mainline kernel?

Sure, but vendors might want to patch it out, depending on how paranoid they are.

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx