Re: the ghost of UEFI and Micr0$0ft

On Wed, Jun 06, 2012 at 09:56:07PM +1000, Scott Ferguson wrote:
> the only things stopping Debian from getting a key is that not many
> manufacturers would use it

They wouldn't have to: they have to trust anything signed with a private
key that MS/Verisign hold, so if Debian paid the 99$ and got a bootloader
signed, it would be trusted. The manufacturers would not need to do any
extra work.

> and it'd require resources to manage and maintain, something better suited to
> a commercial enterprise.

That's the big deal. Fedora seem to believe they can manage maintaining closed
and signed bootloaders, kernel and kernel modules.  That would be very difficult
to achieve in Debian.

A more interesting approach might be to maintain a locked-down install image
chain which offered, as a very early installer option, to disable the secure
boot BIOS setting on your behalf.  From then onwards you could run whatever you
like.  Whether or not that will be generally possible, I don't know.

