2011/10/20 Phong Nguyen <[email protected]>

> Microsoft does not control UEFI. While they are (rightfully) mandating
> Secure Boot as part of the Windows 8 certification process, they are not
> mandating that it remain always on. The OEM/VARs should be providing a UEFI
> configuration option to disable Secure Boot.
>
> "At the end of the day, the customer is in control of their PC. Microsoft’s
> philosophy is to provide customers with the best experience first, and allow
> them to make decisions themselves. We work with our OEM ecosystem to provide
> customers with this flexibility. The security that UEFI has to offer with
> secure boot means that most customers will have their systems protected
> against boot loader attacks. For the enthusiast who wants to run older
> operating systems, the option is there to allow you to make that decision."
>
>
> http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx
>

Secure boot is simply a design mistake. Instead of giving everyone the
opportunity to upload their own certificates to the certificate store (like
browsers do), they implemented a hard-coded list of certificates so that
only a few systems benefit from secure boot (the general idea of secure boot
is fine). This is the problem: the root of trust is moved to the vendors
instead of the owner. Unfortunately, a lot of commercial interests will most
likely push it to the market as it is, so the only hope will be to be able
to switch it off.

Regards, Thomas
-- 
Linux ... enjoy the ride!
