Chris Murphy wrote:
> This is such an old argument. I know you've been around in Fedora long
> enough to actually understand this stuff if you really wanted to at
> least not spread misinformation.

I do not see how I am spreading misinformation. I think you are
misunderstanding me. I do not intend to blame Microsoft for all the issues
with the Secure Boot spec; they are only the monopoly for the signature of
the initial bootloader. See my reply to Neal Gompa.

> Microsoft does not approve or disapprove of operating systems. They
> have an EFI signing program for developers. They are signing just our
> shim bootloader. Fedora signs the other things in the boot chain.

Where have I claimed anything else? The fact is still that the requirement 
for Microsoft to sign the initial bootloader gives them veto power over any 
operating system running on users' computers.

And that is the one and only flaw (out of several) in the spec in which 
Microsoft is involved. The remaining issues are inherent to the spec itself.

> Anyone can enroll their own signing keys with the firmware, sign the
> bootloader, kernel and kernel modules, including 3rd party. You can
> even mix and match signed binaries. And those binaries will comply
> with a Secure Boot enabled system just fine, without having Microsoft
> signatures on anything. Yes that's tedious and it would be better if
> it were easier than it is right now.

While I appreciate that the shim developers introduced this workaround 
(IIRC, it actually comes from openSUSE developers, not Fedora or Red Hat 
developers), this is absolutely impractical compared to just disabling the 
restrictions altogether.

> Windows supports hibernation, with UEFI Secure Boot enabled. We don't
> because Linux hibernation images are inherently insecure by design and
> thus are a loophole for thwarting the Secure Boot regime.

I do not want my computer to impose a regime on me. I want to decide what I
run on my own computer; I do not want my computer to decide for me. Say no
to Treacherous Computing!

> Therefore a kernel lockdown policy is applied to disallow hibernation if
> Secure Boot is enabled. It can be fixed, but the resources to finish that
> work have not yet materialized.

Even that will still not fix the other restrictions inherently caused by 
this security regime.

> Literally none of this is Microsoft's fault.

I have never claimed otherwise.

> And rootkits predate UEFI.

Yet, we were running just fine all these times without something like 
"Secure Boot".

        Kevin Kofler