(We call the bad version of Secure Boot, where the user does not have
the ability to modify the set of trusted keys or disable the system,
Restricted Boot.)

We have discussed the idea of trying to become a root key holder for
Secure Boot, working with OEMs to by default trust GNU/Linux distro keys
signed by us, but have been told that the cost of complying with the
requirements would be in the millions. We're still interested, if anyone
has funding.

Can you please point to the source of this "millions" comment? I see UEFI Forum membership as being $2500/yr max for an org, and free for an individual. The latter can't influence codebase and has a 3 page license, the former can impact codebase and has a 9 page license.
http://www.uefi.org/join

Is there any info on how votes are controlled at UEFI Forum? I presume Intel and Microsoft can veto anything new?

What are the barriers from forking the BSD codebase and providing your set of modules, for OEMs to use as an alt from the official Tiano modules, so they can use their existing build system to target 2 different systems?

Another option might be to work with an existing BIOS vendor (IBV), and have the alt firmware target done there.

And AFAIK, any OEM can override the MS key restriction and permit a non-MS OS on their systems. So having FSF/etc working with Linux OEMs to get this going.

I've started talking to some of the few Linux-only OEMs. They appear to like Secure Boot, since it drives anti-Secure Boot customers back to their legacy BIOS-based products. Nice for short-term profits, but dumb long term, when they can no longer buy COTS BIOS-based mobos to build their systems with.

So, has FSF looked at working with an IBV or a PC OEM, about doing a proper UEFI-based system with a proper Secure Boot feature that works with Linux?

In the meantime, we would love to receive any reports of x86 systems
purchased with Secure Boot that actually have Restricted Boot.

BTW, here's latest status from Intel UEFI w/r/t Linux, a talk from last week's IDF:

http://uefi.blogspot.com/2013/09/uefi-at-idf13-part-2-uefi-secure-boot.html

The speaker of that talk will be at a UEFI training event at a local hackerspace, answering questions on UEFI. If anyone has some good questions to ask him, I'll be happy to relay.

--
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change 
to digest, or change password by emailing moderator at compa...@stanford.edu.
