LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Concur with other comments re: restricted boot

Concur with other comments re: restricted boot

Posted Jan 3, 2013 8:43 UTC (Thu) by ebirdie (subscriber, #512)
In reply to: Concur with other comments re: restricted boot by dskoll
Parent article: The H Year: 2012's Wins, Fails and Mehs

Affecting to the political will is very very unpractical mission in this context IMHO. Although I do agree it is a good mission for already established free software organizations to get people and companies aware that monopolies are bad, really bad, for their economy and wellbeing, exception where the monopoly directly feeds them, and make cases, how this particular monopoly affects in various ways. Still it is a long shot and will get heavy countermeasures, which may hold the organizations from the mission in the first place.

(Log in to post comments)

Concur with other comments re: restricted boot

Posted Jan 3, 2013 9:23 UTC (Thu) by dskoll (subscriber, #1630) [Link]

I'm more optimistic than you. This fight only has to be won in one largish jurisdiction. Imagine if a government of a medium-sized country mandated that all systems it purchases (or better, all systems sold in that country) must permit end-users to disable secure boot and/or install their own keys. We'd win everywhere because motherboard manufacturers are not going to make special-case systems for one jurisdiction, nor would they be willing to cede that market to competitors.

Yeah, there's no political will in the US, whose government is utterly dysfunctional anyway, but we should press this issue everywhere.

Concur with other comments re: restricted boot

Posted Jan 3, 2013 15:42 UTC (Thu) by andrel (subscriber, #5166) [Link]

The US federal legislature is dysfunctional. Many other branches of government within the country are not. In particular, Sacramento probably became a lot more functional after the last election.

As you say, no mobo manufacturer is going to cede the California market.

Concur with other comments re: restricted boot

Posted Jan 3, 2013 15:55 UTC (Thu) by gregkh (subscriber, #8) [Link]

Again, all x86 UEFI systems today that ship, already have the ability for a user to disable secure boot and add their own keys to the system to allow them to use secure boot with their own control.

So "mandating" this isn't really going to change anything.

Unless you really care about ARM UEFI systems, and if so, why?

Concur with other comments re: restricted boot

Posted Jan 3, 2013 16:44 UTC (Thu) by dskoll (subscriber, #1630) [Link]

So "mandating" this isn't really going to change anything.

It certainly will:

  • It will prevent Microsoft from changing the rules if it thinks it can.
  • It will punish system vendors who "accidentally" ship a "buggy" BIOS that doesn't permit users to supply their own keys or turn off Secure Boot.

Microsoft currently sets the rules, but please tell me what the penalty is for "accidentally" selling a system that only boots Windows?

Concur with other comments re: restricted boot

Posted Jan 3, 2013 17:04 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

Supposedly, their membership in the certification program is terminated. If you find any examples, let me know and we'll find out.

Concur with other comments re: restricted boot

Posted Jan 4, 2013 15:19 UTC (Fri) by dskoll (subscriber, #1630) [Link]

Well, did Lenovo fix this bug or have they just not cared?

Concur with other comments re: restricted boot

Posted Jan 4, 2013 15:29 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

That's got nothing to do with the shim approach, so it doesn't seem like what Jon's talking about.

Concur with other comments re: restricted boot

Posted Jan 4, 2013 14:34 UTC (Fri) by wookey (subscriber, #5501) [Link]

I care about ARM UEFI systems because there are going to be lots of them. Just as many as x86 one day (very probably). It's vital that people have the same rights to install the OS of their choice as on x86.

At the moment OEMs cannot let people install their own keys _and_ enable Windows to run on their hardware (right?). They shouldn't have to make that choice. OEMs and purchasers will have to choose whether they want to make/sell/buy 'ARM hardware for Windows' or 'ARM hardware for everything else'. ARM servers are general-purpose in just the same way x86 ones are (and will look almost identical from the software perspective once both are booted with UEFI). Dominent-vendor rules like these are at best very unhelpful.

Hopefully it will keep both OEMs and pruchasers away from Microsoft until they are forced to change the rules, but it could turn out to just be a massive pain for everyone.

Anyone who says 'It's OK because I can install my keys on x86 - ARM is just for devices where no-one changes the OS' is being very shortsighted.

Concur with other comments re: restricted boot

Posted Jan 4, 2013 15:41 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

Microsoft doesn't currently support anything but Windows RT on ARM, so from the server side there's no problem for at least a couple of years yet.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds