Re: the ghost of UEFI and Micr0$0ft
On Wed, Jun 06, 2012 at 03:40:13PM +0100, Laurence Hurst wrote:
> I can see this turning into a support nightmare for Fedora when,
> inevitably, some hardware or firmware comes along which (at least as
> an interim measure until "official" fixes are released) requires the
> use of a newer kernel and/or module, or a patch/rebuild of an
> existing one.
> I wonder how they will cope with the likes of nvidia/ati/intel who
> release their own kernel modules and installers outside of the
> distribution ecosystem, which will presumably be unsigned and a lot
> of people seem to use for the [potential/perceived] performance
In both cases, probably "disable secure boot".
> I doubt there will be an easy way to disable the secure boot BIOS
> setting on the users' behalf, even from a signed boot loader, as
> that would just lead to malware finding a way to silently disable it
> to get around it.
Said malware would need to have direct BIOS access and thus be executed
from a 'trusted' environment. 'Trusted' environments should disable
direct hardware access except for signed components. The question is
whether having a program which *intended* to do it for you could be
signed and whether this would pass whatever requirements you are accepting
when you hand over the 99$.