Fedora, secure boot, and an insecure future
Posted Jun 7, 2012 10:03 UTC (Thu) by neiljerram
In reply to: Fedora, secure boot, and an insecure future
Parent article: Fedora, secure boot, and an insecure future
2) Additionally the article didn't touch on it, but hopefully there will be documentation and tools to allow any Fedora user to sign their own stuff. This way you could enable Secure Boot, but not use only your own keys signing your own bootloader shim/grub2/kernel. These tools and docs will of course be free and open.
How can that make sense? My understanding of Matthew's proposal is that
- the kernel, being the software with direct access to the hardware, needs to be controlled, so that it can't do things to the hardware that might attack or subvert Windows or the boot system
- if RH didn't (intentionally or by mistake) provide that control, the ultimate result would be RH's bootloader key being revoked, and then no RH systems would boot ever again.
Given those points, how can any RH/Fedora user be allowed to build and sign their own modified kernel, to be booted from the secure boot chain?
Personally, I just don't see what's hard about finding and toggling the BIOS secure boot setting. And to the extent that working with any of this is hard, I think better for that to create pressure on manufacturers to provide non-Windows-8-logo hardware.
to post comments)