Fedora to use Microsoft-signed bootloader on EFI Secure Boot enabled hardware

Can you link where in the EFI specification it says that secureboot keys should be handled by current certificate authorities?

 

You need to register (it's free) to access these contents. http://www.uefi.org/specs/agreement

BTW, I think that a PDF file from their official Learning Center is more than enough proof that they wanted keys to be handled by their partners.

http://www.uefi.org/learning_center/ -> http://www.uefi.org/learning_center/6_-_Insyde_Plugfest_May2012.pdf

 

All very confusing, for me at least. What about non RHEL distros, especially the non mainstream ones, will they also purchase a key from MS, will Debian based distros be
sharing a key, .. and I am still not clear as to whether one will simply be able to disable secure
boot etc. etc.

Linus Torvalds on Windows 8, UEFI, and Fedora

 

I recommend you to read these:

- www.uefi.org/learning_center/

- http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx

- http://mjg59.dreamwidth.org/12368.html

But it's easier for Linux fanboys to blame Microsoft for the faults of Linux, isn't it?

Overall Linux key was (is) an option. But nobody from the Linux "community" or whatever volunteered to make it real.

They lack time, they lack money. So surprising.

 

What is the point in a central Linux signing key when you would have to allow anyone to be able to sign the bootloader as Linux GPL has to allow unlimited deritives and varients.

 

Does the first stage bootloader necessarily needs to be under GPL?

 

I was referring to a central Linux signing key particiularly this bit:

Everybody and anybody who complies with GPL has equal right under Linuxs GPL licence.

To answer your question, no, Fedoras bootloader does not need to be under GPL, a distro can do what it wants and sign its own (or others) boot loaders.

 

Woah, are you trying to blame the Linux community for not starting their own CA? lol that's insane

There's a reason VeriSign is handling this.

When they say "nobody is volunteering" it's nto some laziness thing it's a matter of this costing millions of dollars that would be invested into something that doesn't exist yet. That's why they're just building it into the current CA system.

 

No I'm not. I know they don't have money neither time to invest in this, and for good reasons - I stated "so surprising" with sarcasm.

 

This is more of what I'm referring to. Microsoft implementing a system that Linux can't compete with economically is not exactly the fault of Linux.

But if it's sarcasm than all good.

 

Now I disagree. It's the fault of Linux and its community if it can't compete economically.

 

Umm, same would apply to any startup company making a proprietary OS. Microsoft is quite clearly abusing its position as the biggest desktop OS manufacturer, IMO; and the fact that there is no viable competition for Windows at the moment, does not mitigate the fact that Secure Boot is anticompetitive.\

Heck, if anything it's going to be more effective without current competition - it will mean that startups making desktop OSes will have more trouble getting off the ground.

 

It's not a step being taken by Microsoft alone. The UEFI Forum has many members and is open to new ones. IBM, for example, is one of the members - and we all know that IBM is probably the largest company backing Linux.

Microsoft is simply making sure that its new OS will be compatible with the Secure Boot feature of the UEFI Specification Version 2.3.1 . It's costing them money too.

 

Again, Secure Boot is not a feature of Windows 8.

SUPPORT to Secure Boot is a feature of Windows 8.

Secure Boot is a feature of the UEFI Specification Version 2.3.1.

This spec is being implemented by several OEMs and hardware manufacturers.

 

You don't actually believe this though right?

 

I sincerely don't see Microsoft making anything "abusive" here. IMO they are being too good subsidizing the prices of VeriSign keys. Microsoft could simply care about their own key / OS support and let the others OS makers deal with the hardware manufacturers/OEMs/etc that are part of the UEFI Forum.

As a side question, why isn't IBM helping the Linux distros with this? IBM is already in the UEFI Forum and it wouldn't cost them "much" to make some sort of overall Linux key (look how huge IBM is!).

 

It would cost them millions.

 

Yes, I suppose. IMHO, IBM could deal with it if its commitment to "GNU/Linux and its principles" was really serious.

Looks like "evil" Microsoft is doing more to these principles these days than IBM, lol.

 

Some more on this topic.

Free Software Foundation: Ubuntu's Secure Boot Plan Won't Fly

Linux Developers Step Up to the Secure Boot Challenge

 

Hopefully Google's support of Coreboot helps it get popular. It would be the ideal alternative.

 

Wouldn't standardized firmware make it easier to create standardized firmware rootkits, though?

 

May be a bigger target, but does not imply its an easier target.
That is down to how well the project is run and maintained.