[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: EFI in Debian

On Fri, Jul 06, 2012 at 05:32:44AM +0100, Ben Hutchings wrote:
> 2. Upstream kernel support: when booted in Secure Boot mode, Linux would
> only load signed kernel modules and disable the various debug interfaces
> that allow code injection.  I'm aware that David Howells, Matthew
> Garrett and others are working on this.

Matthew Garret believes that this is a requirement; however, there is
no documented paper trail indicating that this is actually necessary.
There are those who believe that Microsoft wouldn't dare revoke a
Linux key because of the antitrust issues that would arise.

This would especially true if the bootloader displayed a spash screen
with a huge penguin on it, and the user was obliged to hit a key
acknowledging the spash screen before the boot was allowed to
continue.  James is working on a signed bootloader which would do

It's not even obvious that the spash screen is needed, BTW.  Canonical
is not using a splash screen and is not signing the kernel or kernel
modules.  It will be *very* interesting if Microsoft dares to revoke
Canonical's certificate, or refuse to issue a certificate.  I'm sure
there are developers in Europe who would be delighted to call this to
the attention of the European Anti-Trust regulators --- you know, the
ones who have already fined Microsoft to the tune of 860 million Euros
($1.1 billion USD).

So personally, I would hope that at least some distributions will
patch out the splash screen, and apply for a certificate.  If we have
multiple distributions using different signing policies and slightly
different approaches (which is the beauty of free/open source boot
loaders; everyone can tweak things slightly), we can see how Microsoft
will react.

It should be entertaining....

					- Ted

Reply to: