-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, Jan 29, 2016 at 09:49:58AM +0000, Darac Marjal wrote:
[...]
> Where the FUD comes from is that *some* UEFI implementors only allow
> the firmware to store one secure-boot key. This is where the
> problems come, if you want to dual-boot Windows and Linux. Namely
> that, because you can't change the key Windows uses, you have to
> sign Linux with Microsoft's key, or else do without secure boot.
Whether it's FUD or not will depend on the practical situation.
Roughly speaking, I can see three levels of brokenness:
(0) User can install keys issued by herself besides the
factory provided ones (probably signed by Microsoft).
Things work as they're supposed to -- user is responsible
for her self-installed OS.
(1) User can install a self-provided key, evicting the one
provided by the factory: either you have a bootable
Windows, or if you want anything else, you lose the
bootable Windows
(2) User can't install anything. Note that (AFAIK) this is
the situation "outside" classical PCs, per Microsoft
specification
Now what's the practical situation? If most boards fall in
categories (2) and (3), then the moniker "FUD" you apply above
is inappropriate. Secure boot has practically lead to cementing
Microsoft's monopoly (because implementors are lazy, or because
they get bribed by Microsoft behind the scenes[1] or just because,
it doesn't matter).
And the workaround of taking a shim to be signed by Microsoft
to allow booting free OSes is just ugly icing on an already
ugly cake.
So the question is: in which categories does currently
available hardware fall?
regards
[1] Conspiracy you say? Need any known, prior examples of that
behaviour?
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlarOzUACgkQBcgs9XrR2kZjwwCePQQnGbNgJtjNX5JGTfN2yQxv
dtAAmwWYLL6HBgkpmP1P9MQpiWdxRi1n
=6mWj
-----END PGP SIGNATURE-----
