Re: EFI in Debian
On Fri, Jul 06, 2012 at 05:32:44AM +0100, Ben Hutchings wrote:
> 2. Upstream kernel support: when booted in Secure Boot mode, Linux would
> only load signed kernel modules and disable the various debug interfaces
> that allow code injection. I'm aware that David Howells, Matthew
> Garrett and others are working on this.

Matthew Garrett believes that this is a requirement; however, there is
no documented paper trail indicating that this is actually necessary.
There are those who believe that Microsoft wouldn't dare revoke a
Linux key because of the antitrust issues that would arise.

This would be especially true if the bootloader displayed a splash screen
with a huge penguin on it, and the user was obliged to hit a key
acknowledging the splash screen before the boot was allowed to
continue. James is working on a signed bootloader which would do

It's not even obvious that the splash screen is needed, BTW. Canonical
is not using a splash screen and is not signing the kernel or kernel
modules. It will be *very* interesting if Microsoft dares to revoke
Canonical's certificate, or refuse to issue a certificate. I'm sure
there are developers in Europe who would be delighted to call this to
the attention of the European Anti-Trust regulators --- you know, the
ones who have already fined Microsoft to the tune of 860 million Euros
($1.1 billion USD).

So personally, I would hope that at least some distributions will
patch out the splash screen, and apply for a certificate. If we have
multiple distributions using different signing policies and slightly
different approaches (which is the beauty of free/open source boot
loaders; everyone can tweak things slightly), we can see how Microsoft
It should be entertaining....