On Fri, Jul 29, 2022 at 01:52:28PM +0200, Florian Weimer wrote: > * Daniel P. Berrangé: > > >> Unfortunately, Fedora promoted this broken model with pervasive > >> cross-distribution/cross-OS trust as well. People are generally quick > >> to criticize those who control a PKI, but very few organizations are > >> willing to step up to hold the key material for the key of last resort > >> because of the risk inherent to that. Consequently, pretty much all > >> distributions hide behind the Microsoft key, instead of running their > >> own PKI and working with OEMs to get it accepted by the firmware. > > > > Would the situation actually be any different in that case ? Assume > > an alternate reality where hardware OEMs magically agreed to pre-install > > 20 different keys for the various Linux vendors. > > > > You still have the same "problem" that you're running 1 specific vendor's > > OS, but your firmware trusts the software from countless different > > unrelated vendors for SecureBoot. > > No, in this model, if you buy a Fedora server, it only boots Fedora > until manual intervention. I don't think this is a problem because > Secure Boot with that very open signing policy is not very far from > disabled Secure Boot.
Ah, so you mean getting the OEMs to preload the Linux OS distro of choice, not merely preloading a distro's SecureBoot keys. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
