"Since when does Secure Boot require Microsoft's approval? That sounds like a version of Restricted Boot."

This is too simplistic a view. Allow me to explain, then. I'll copy various things from Matthew Garrett's blog at https://mjg59.dreamwidth.org here.

Starting from scratch...

"Secure Boot means different things to different people. I think the FSF's definition is a useful one - Secure Boot is any boot validation scheme in which ultimate control is in the hands of the owner of the device, while Restricted Boot is any boot validation scheme in which ultimate control is in the hands of a third party. What Microsoft require for x86 Windows 8 devices falls into the category of Secure Boot - assuming that OEMs conform to Microsoft's requirements, the user must be able to both disable Secure Boot entirely and also leave Secure Boot enabled, but with their own choice of trusted keys and binaries. If the FSF set up a signing service to sign operating systems that met all of their criteria for freeness, Microsoft's requirements would permit an end user to configure their system such that it refused to run non-free software. My system is configured to trust things shipped by Fedora or built locally by me, a decision that I can make because Microsoft require that OEMs support it. Any system that meets Microsoft's requirements is a system that respects the freedom of the computer owner to choose how restrictive their computer's boot policy is.

This isn't to say that it's ideal. The lack of any common UI or key format between hardware vendors makes it difficult for OS vendors to document the steps users must take to assert this freedom."

So keep in mind that, even with Secure Boot where people can tell their computer what keys are to be trusted, there is no common UI or key format between hardware vendors. So even though people ***can*** revoke keys and use their own trusted keys, the lack of standardization in how it's done creates problems with making documentation. Sure: the Trisquel Project might create a key on their own and then tell people to go and revoke the keys that came with their computer and enroll the Trisquel key. But the lack of standardization means we can't tell people exactly *how* to go do that. They'll need to check the documentation that came with the computer, or maybe with whoever made the computer. Anyway, if Trisquel made a key, it needs to get into the computer somehow. Having people revoke the keys that came with the computer and enroll new keys adds an extra layer during the install process, which might turn people off, making free software seem "hard", especially with no standard process from one computer to another. Making it harder for people to move to free software doesn't seem good. This is problem #1. But a lack of a standard process between computers doesn't make it Restricted Boot, because people still *can* do it. They just have to follow their docs.

More from Matthew...

"Most hardware you'll be able to buy towards the end of the year will be Windows 8 certified. That means that it'll be carrying a set of secure boot keys, and if it comes with Windows 8 pre-installed then secure boot will be enabled by default. This set of keys isn't absolutely fixed and will probably vary between manufacturers, but anything with a Windows logo will carry the Microsoft key. We explored the possibility of producing a Fedora key and encouraging hardware vendors to incorporate it, but turned it down for a couple of reasons. First, while we had a surprisingly positive response from the vendors, there was no realistic chance that we could get all of them to carry it. That would mean going back to the bad old days of scouring compatibility lists before buying hardware, and that's fundamentally user-hostile."

So we're back to talking about making things easy to use. Okay, so you've got a process where people can enroll and remove keys that are to be trusted (even though there's no standard process for how to do that, so people will need to figure out how to do that on their own... go back to problem #1). But most of these computers will come with Microsoft's key pre-installed already. So hmmm... Maybe there's a way to use that to make Secure Boot easier for people. Since the computer comes with Microsoft's key already loaded (even if it can be removed), you can pay $99 to get YOUR stuff signed too. Then, since the chain of key signing trust goes from the Microsoft key all the way to yours, *POOF*, the distro's stuff is automatically trusted out of the box, and people don't have to go do whatever process their computer uses to enroll Trisquel's key first.

So perhaps, when I said "requires", that was too strong a word. Perhaps "to do it in an easy and user-friendly way" would have been better.

But it's still Secure Boot because the computer ***can*** still be configured with what keys to trust, even if there's no standard way for how that's done from vendor to vendor.

Hopefully this explains how Microsoft can still be involved in Secure Boot. It's a way to make Secure Boot work in an easy and user-friendly way, since their key will probably be ubiquitous. Meaning people can just insert the CD/DVD/USB/whatever and boot and have it be trusted by the computer out of the box, and not have to deal with first going and enrolling the Trisquel key (and maybe even removing Microsoft's, if they wanted).

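The script below is an added illustration, not part of the post above and not code from Trisquel, Fedora, Microsoft or shim. It models the trust policy the post describes using nothing but openssl: a directory of PEM certificates stands in for the firmware's db, a directory of hashes for dbx, one certificate for the vendor certificate a Microsoft-signed shim carries, and another directory for owner-enrolled keys; detached SHA-256/RSA signatures stand in for Authenticode. All file names, CNs and directory names are invented for the model. It walks the cases the post argues about: the out-of-the-box path (OEM-shipped CA signs the loader, the loader trusts the distro's own key), an unsigned local build being refused, the owner enrolling their own key so that local builds boot, a hash revocation beating a valid signature, and the owner dropping the OEM CA entirely and trusting only the distro key. On a real machine the same enrollment is done through the firmware's own setup UI, or from the OS with tools such as efitools' efi-updatevar or shim's mokutil, and binaries are signed with sbsign; that part is not modelled here.

```shell
#!/bin/sh
# Toy model of the Secure Boot trust chain discussed in the post. Added
# illustration, not firmware, shim or distro code. UEFI db/dbx, shim's vendor
# cert and MokList are modelled as directories; Authenticode is modelled as a
# detached RSA signature. Every name below is invented for the model.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
mkdir db dbx vendor mok

# Self-signed cert + key named $1 with CN $2 (stands in for a signing CA).
mkkey() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}
# Detached SHA-256/RSA signature of binary $2 with key $1, written to $2.sig.
sign() { openssl dgst -sha256 -sign "$1.key" -out "$2.sig" "$2"; }

# Validate binary $2 against the certs in the directories listed in $1.
# Echoes "allow:<CN>" or "deny". A hash match in dbx wins over any signature,
# which is how a validly signed but revoked binary gets blocked.
check() {
    h=$(openssl dgst -sha256 -r "$2" | cut -d' ' -f1)
    if [ -e "dbx/$h" ]; then echo "deny"; return 0; fi
    [ -f "$2.sig" ] || { echo "deny"; return 0; }
    for dir in $1; do
        for crt in "$dir"/*.crt; do
            [ -f "$crt" ] || continue
            openssl x509 -in "$crt" -pubkey -noout > pub.pem
            if openssl dgst -sha256 -verify pub.pem -signature "$2.sig" "$2" >/dev/null 2>&1; then
                echo "allow:$(openssl x509 -in "$crt" -noout -subject | sed 's/.*CN *= *//')"
                return 0
            fi
        done
    done
    echo "deny"
}
# Firmware stage: the loader must validate against db (whatever the OEM shipped
# plus whatever the owner enrolled). Shim stage: the next binary must validate
# against db, the vendor cert built into shim, or an owner-enrolled MOK entry.
firmware_check() { check "db" "$1"; }
shim_check()     { check "db vendor mok" "$1"; }

# Keys: the OEM-shipped CA (Microsoft's role), the distro, and the owner.
mkkey oem_ca "OEM-UEFI-CA"
mkkey distro "Trisquel-Signing"
mkkey owner  "Local-Owner"
printf 'shim'   > shim.efi      # loader that went through the $99 signing route
printf 'grub'   > grubx64.efi   # distro loader signed only by the distro
printf 'kernel' > vmlinuz       # distro kernel signed by the distro
printf 'mine'   > local.efi     # locally built, unsigned

# Runs the scenarios from a clean state and echoes the seven verdicts.
scenario_results() {
    rm -f db/* dbx/* mok/* vendor/* ./*.sig
    cp oem_ca.crt db/; cp distro.crt vendor/
    sign oem_ca shim.efi; sign distro vmlinuz; sign distro grubx64.efi
    r1=$(firmware_check shim.efi)   # out of the box: OEM CA already in db
    r2=$(shim_check vmlinuz)        # shim trusts the distro cert it carries
    r3=$(shim_check local.efi)      # unsigned local build is refused
    sign owner local.efi; cp owner.crt mok/
    r4=$(shim_check local.efi)      # owner enrolled their own key: now allowed
    touch "dbx/$(openssl dgst -sha256 -r vmlinuz | cut -d' ' -f1)"
    r5=$(shim_check vmlinuz)        # revoked by hash despite a valid signature
    rm -f db/oem_ca.crt; cp distro.crt db/
    r6=$(firmware_check shim.efi)   # OEM CA removed: OEM-signed shim no longer boots
    r7=$(firmware_check grubx64.efi) # distro key in db: distro loader boots directly
    echo "$r1 $r2 $r3 $r4 $r5 $r6 $r7"
}
scenario_results
```

The verdict line reads `allow:OEM-UEFI-CA allow:Trisquel-Signing deny allow:Local-Owner deny deny allow:Trisquel-Signing`; the first two are the "insert the media and boot" path the post ends on, the fourth is Garrett's "built locally by me" case, and the last two are the owner deciding that the OEM key is not trusted at all.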