On Thu, Jan 10, 2019 at 12:59 AM Alexander Graf <ag...@suse.de> wrote:
> So really dumb question here: What if we didn't use the MS key? What if
> instead, we just provide a SUSE/openSUSE key and give customers the ability
> to sign their own grub+Linux binaries?

Then you end up blocking install of any Linux distribution that isn't big enough to have every ARM server vendor include their keys. This is the exact reason we chose not to explore this approach on x86 - we didn't want Red Hat to have privileges that, say, Gentoo didn't. The problem is somewhat mitigated if systems are guaranteed to be shipped with Secure Boot disabled, but you then still end up encouraging vendor lock-in - it becomes difficult to migrate systems from one distribution to another without manual re-keying.

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel