On Tue, Jul 10, 2012 at 12:04 AM, Chris Murphy <li...@colorremedies.com> wrote:
>
> On Jul 9, 2012, at 7:23 PM, richardvo...@gmail.com wrote:
>> All
>> systems ship with verification disabled, and all the major motherboard
>> manufacturers have indicated that secure boot will always stay an
>> opt-in mechanism.
>
> This is mystifying because it directly contradicts the Microsoft Windows
> hardware certification requirements, which require that to get the made for
> Windows 8 certification, the hardware must be UEFI, must implement Secure
> Boot, must have it enabled by default (except servers), and must have a
> Microsoft key included. It also requires a user chooseable option to disable
> Secure Boot on x86, but not ARM.

Maybe I'm missing something, but when I read this, it doesn't say the hardware must have Secure Boot enabled by default. Rather, it must be enabled by the OEM as part of the Windows preinstallation process, so that it's enabled when it reaches the end user.

System builders are still going to purchase UEFI Secure Boot-capable motherboards with Secure Boot disabled-by-default, and they will "just work" if you want to install Linux. End-users who bought pre-installed Windows will have to change the configuration option in system setup, which for someone planning to install a new OS from scratch is not a major hurdle. It will be a minor road bump for people using live-CD style media (including USB), but won't be a showstopper if the user actually has permission from the computer owner to boot the alternate media. What is likely is that it will prevent unauthorized (by the owner) rebooting public computers using alternate media, but that's not exactly a valid scenario to begin with.

ARM is a red herring, IMO. Pretty much all ARM processors include some sort of code security module that blocks external access to the bootloader without the correct reprogramming key. This is pretty standard for embedded systems, and has been for decades. Most embedded systems aren't designed to boot from removable media. Most tablets don't give the end user root privilege. That's a shame, and something we should work to fix, but going around telling everyone that the world will end if Microsoft gets Secure Boot onto media devices is just dishonest. Those devices have been locked down already, and the world didn't end.