On Sat, Mar 2, 2013 at 11:09 PM, jdow <[email protected]> wrote: > On 2013/03/02 15:18, Tom H wrote: >> On Fri, Mar 1, 2013 at 11:15 PM, jdow <[email protected]> wrote: >>> On 2013/03/01 09:26, Tom H wrote: >>>> On Thu, Feb 28, 2013 at 7:08 PM, jdow <[email protected]> wrote: >>>>> On 2013/02/28 11:56, Tom H wrote: >>>>>> On Thu, Feb 28, 2013 at 2:38 PM, Robert Blair <[email protected]> wrote: >>>>>>> On 02/28/2013 01:35 PM, Tom H wrote: >>>>>>>> >>>>>>>> I wouldn't be surprised if SB became "un-disable-able" in the next >>>>>>>> few years. We'd then have to use an MS-signed shim to boot, as is >>>>>>>> now the case with the default Fedora and Ubuntu SB setups. >>>>>>> >>>>>>> Maybe I've missed something here. If a generic "MS signed shim" is >>>>>>> available what value does this add? Wouldn't such a shim make booting >>>>>>> anything alternative possible? >>>>>> >>>>>> I'm sorry. It's not as generic as I made it look. AIUI, the shim is a >>>>>> basic stage 1 (or maybe stage 0.5) bootloader whose signature's >>>>>> validated against an MS key in the computer's ROM. Grub and the kernel >>>>>> (and its modules in Fedora's case but not in Ubuntu's) are then >>>>>> validated against a Fedora key in the shim. >>>>> >>>>> Which is the end of compiling your own code. >>>> >>>> You mean "compiling your own kernel without spending a one-time fee of >>>> USD >>>> 99." >>> >>> A difference which makes no practical difference is no difference at all. >> >> Of course there's a difference. It's grub and the kernel and its >> modules that you can't compile without signing. > > You missed the point, Tom. To a retired person a $100 bill is a serious > amount of eating that has to be traded off with it. If that cannot be > afforded without sacrifice then it might as well not exist as an option. > That is the difference that makes no practical difference. > > The Microsoft extension to the issue is essentially the locked cellphone > situation under which I could not code up any new assistive technology > for myself and use it. It becomes me paying to have Microsoft own my > device. And I'd have to pay them to use my own work on a machine I have > every right to regard as my own machine. > > If Linux is going to systematically support that kind of a model in any > way, I'm outahere.
You're "outahere" to where?! As long as you can turn off SB, you're OK using whatever you want to use. If we get to a point where we can't turn off SB on x86, you'll have to use a non-x86, non-ARM processor. I didn't consider the USD 99 because I didn't think it relevant. Compiling your own SB-compatible kernel's a luxury. Your computer isn't non-functional without doing so. Anyway, I found out today that my SB knowledge's out of date. The shim now supports MOKs (Machine Owner Keys) and is distributed with a "MokManager" program. So you can generate keys with openssl, sign your EFI binaries with them, and enroll your MOK certificate with "MokManager".
