On 06/01/2012 01:11 PM, Sam Varshavchik wrote:
You are assuming that Microsoft will sign a bootloader with such
functionality.

I would not take that bet.

The plan is to make them sign a shim boot loader, which essentially delegates the trust down to Fedora entirely, because they have no control over what Fedora will make that shim load next. Fedora can implement whatever they want after that.

And they will sign; they can't possibly review all the software that could follow the boot loader down the chain, because it includes big monolithic kernels, so they have to trust the people who develop the software instead of the software itself.

Now, users who buy machines with Windows pre-installed should expect
their firmware to include Microsoft's key, and should be aware that
they can add theirs legally. If they don't want to use Windows and
don't want the trouble of setting up keys they should either:

(a) Buy from an OEM which builds machines with their OS of choice
pre-installed, including a secure boot key for it,

(b) Ask an OEM for a machine without any OS (if you install the OS
yourself then you should be responsible for installing the key as well),

(c) Fight an OEM which pre-installs Windows to add a new key, possibly
a set of keys from unbiased trust brokers that can distribute
certificates (bootloader shims) to your OS of choice to make it more
realistic.

How about buying a laptop or a PC that will boot any damn OS you want,
without all this cockamamie crap?

Well, any computer *will* boot any damn OS, just add a key, or don't use the technology. The problem here is about those users who don't know or care about it, and who might not be comfortable generating keys, securing them, signing boot loaders, and adding them to the firmware. This process can be greatly streamlined, but still it won't be suitable for everyone, and those who need secure boot the most are unfortunately those who probably won't set it up themselves.

And if secure boot isn't enabled by default even on machines with preinstalled OSes, then the world will gain nothing from the technology as, again, the people feeding the zombie networks are the same who won't care to enable it themselves.
--
t
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
