-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, Jan 29, 2016 at 09:49:58AM +0000, Darac Marjal wrote:
[...] > Where the FUD comes from is that *some* UEFI implementors only allow > the firmware to store one secure-boot key. This is where the > problems come, if you want to dual-boot Windows and Linux. Namely > that, because you can't change the key Windows uses, you have to > sign Linux with Microsoft's key, or else do without secure boot. Whether it's FUD or not will depend on the practical situation. Roughly speaking, I can see three levels of brokenness: (0) User can install keys issued by herself besides the factory provided ones (probably signed by Microsoft). Things work as they're supposed to -- user is responsible for her self-installed OS. (1) User can install a self-provided key, evicting the one provided by the factory: either you have a bootable Windows, or if you want anything else, you lose the bootable Windows (2) User can't install anything. Note that (AFAIK) this is the situation "outside" classical PCs, per Microsoft specification Now what's the practical situation? If most boards fall in categories (2) and (3), then the moniker "FUD" you apply above is inappropriate. Secure boot has practically lead to cementing Microsoft's monopoly (because implementors are lazy, or because they get bribed by Microsoft behind the scenes[1] or just because, it doesn't matter). And the workaround of taking a shim to be signed by Microsoft to allow booting free OSes is just ugly icing on an already ugly cake. So the question is: in which categories does currently available hardware fall? regards [1] Conspiracy you say? Need any known, prior examples of that behaviour? - -- tomás -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlarOzUACgkQBcgs9XrR2kZjwwCePQQnGbNgJtjNX5JGTfN2yQxv dtAAmwWYLL6HBgkpmP1P9MQpiWdxRi1n =6mWj -----END PGP SIGNATURE-----