Re: the ghost of UEFI and Micr0$0ft
On Thu, Jun 07, 2012 at 09:33:45PM -0500, Christofer C. Bell wrote:
> On Thu, Jun 7, 2012 at 1:46 AM, Miles Bader <email@example.com> wrote:
> > Scott Ferguson <firstname.lastname@example.org> writes:
> >>>> You can't disable the code signing requirement on ARM.
> >>> ... which is a great deal more worrying.
> >> Yes. And no.
> >> I'd hate to see a situation where it was impossible to buy an ARM (or
> >> other CPU based board) without UEFI that can be disabled - but I support
> >> devices that can be made to *only* run signed code *provided* MS is
> >> *not* the certificate agency.
> > Would that mean anybody who wants to build their own kernel would need
> > to buy a signing key?
> Not at all. You can generate your own key and load it into your UEFI.

This is of course a major part of the problem. There are no
guarantees that you will be able to install your own keys into
your device. That's up to the UEFI implementor.

> It's no different a situation than using self-signed ssl certs
> without buying one from a certificate authority. There's no need to
> pay any money to anyone to use the secure boot feature. Is it a
> hassle? Sure, but you're not beholden to any 3rd party regardless.

If you have the ability to install your public cert, then sure.
But how many implementors will choose to provide only Microsoft's
key, and provide no facility for changing it? For ARM systems
running Windows 8, I suspect that will be most of them.

.''`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' schroot and sbuild http://alioth.debian.org/projects/buildd-tools
`- GPG Public Key F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800