Re: the ghost of UEFI and Micr0$0ft
On 06/06/2012 14:56, Jon Dowland wrote:
and it'd require resources to manage and maintain, something better suited to
a commercial enterprise.
That's the big deal. Fedora seem to believe they can manage maintaining closed
and signed bootloaders, kernel and kernel modules. That would be very difficult
to achieve in Debian.
I can see this turning into a support nightmare for Fedora when,
inevitably, some hardware or firmware comes along which (at least as an
interim measure until "official" fixes are released) requires the use of
a newer kernel and/or module, or a patch/rebuild of an existing one.
I wonder how they will cope with the likes of nvidia/ati/intel who
release their own kernel modules and installers outside of the
distribution ecosystem, which will presumably be unsigned and a lot of
people seem to use for the [potential/perceived] performance benefits.
A more interesting approach might be to maintain a locked-down install image
chain which offered, as a very early installer option, to disable the secure
boot BIOS setting on your behalf. From then onwards you could run whatever you
like. Whether or not that will be generally possible, I don't know.
I doubt there will be an easy way to disable the secure boot BIOS
setting on the users' behalf, even from a signed boot loader, as that
would just lead to malware finding a way to silently disable it to get