
Implementing UEFI Secure Boot in Fedora

Posted May 31, 2012 13:44 UTC (Thu) by xnox (subscriber, #63320)
Parent article: Implementing UEFI Secure Boot in Fedora

I want to sign my own bootloader with my GPG key and have a boot time web of trust back to the archive and the packages that run on my laptop.

Somehow I do not want Microsoft to effectively hold a kill switch to my hardware. Please explain, if I got it wrong.


Implementing UEFI Secure Boot in Fedora

Posted May 31, 2012 13:52 UTC (Thu) by thumperward (guest, #34368) [Link]

As the article states, on x86 hardware the UEFI secure boot specifications require the ability to install one's own keys to be present. This is absent on ARM (where the specification does not even require the ability to disable secure boot, meaning that signed keys and only signed keys will ever work), but it's to be hoped that Microsoft's monopoly over operating systems on commodity x86 hardware never extends to commodity ARM hardware (where Linux is overwhelmingly dominant at present).

Implementing UEFI Secure Boot in Fedora

Posted May 31, 2012 14:04 UTC (Thu) by cortana (subscriber, #24596) [Link]

I believe the spec is worse than this: OEMs are forbidden from allowing the user to install their own keys or disable Secure Boot entirely!

Implementing UEFI Secure Boot in Fedora

Posted May 31, 2012 14:21 UTC (Thu) by thumperward (guest, #34368) [Link]

Quite. On the other hand, it's not uncommon for non-x86 devices to be locked already, and unlockable ones are still the exception. The most popular phone and tablet in the world are not only locked, but controlled by a vendor that actively tries to re-lock devices that are unlocked.

On ARM it's almost always been the case that installing Linux has involved fiddling at least and outright cracking at most. MS legislating that one can't allow the bootloader to be unlocked makes no difference if the vendors don't currently allow that anyway.

The important use case here remains "putting a CD into an x86 system", because those are the only ones where a) Microsoft has a monopoly and b) installing Linux is never more complicated than sticking a CD in the tray and rebooting.

Implementing UEFI Secure Boot in Fedora

Posted Jun 1, 2012 16:53 UTC (Fri) by raven667 (subscriber, #5198) [Link]

Linux is much more dominant in the ARM space, and while many devices are locked, most vendors also make unlocked SKUs, and for some, unlocked devices are the rule and not the exception. It would be good to encourage vendors making UEFI ARM devices to make an unlocked SKU without the Win8 logo, at least in small runs for developers, that can be sold at cost.

Implementing UEFI Secure Boot in Fedora

Posted Jun 1, 2012 21:04 UTC (Fri) by cjwatson (subscriber, #7322) [Link]

It's not the UEFI specification that makes this requirement; it's the Windows 8 logo requirements. I think it's quite important to be careful about that distinction.

Implementing UEFI Secure Boot in Fedora

Posted Jun 2, 2012 4:57 UTC (Sat) by raven667 (subscriber, #5198) [Link]

It is good to be precise, but MS is the elephant in the room: it doesn't matter what the specification says; it matters what the MS implementation does, because that is the de facto standard, at least in markets they dominate.

Implementing UEFI Secure Boot in Fedora

Posted Jun 2, 2012 8:59 UTC (Sat) by cjwatson (subscriber, #7322) [Link]

Sure - I just think that we do ourselves a disservice by not making it clear when something is due to Microsoft's requirements rather than due to the standard. Standards (however much influenced by corporate interests) are a powerful force in many people's views, and one often needs a good reason to diverge from them; so let's not invest Microsoft's policy with the further force of standards for them, when in fact in this case the standard doesn't specify a particular policy.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds