
Re: anyone booting debian with secure boot enabled? And/or from GPT partitions?



On Wed, Jul 15, 2015 at 09:45:25AM +0900, Joel Rees wrote:
> Last I heard, Debian was not participating in any of the initiatives
> to get officially Microsoft-signed signatures for kernels. I've been
> out of the community for a few months, so I haven't kept up with this,
> but quick searches don't reveal a change in policy.

Not tried it myself, but there is a blog post here[1] showing someone's
method for getting Debian to boot from secure boot.

As I understand secure boot, the spec states that the firmware SHOULD
allow the user to load multiple keys in, so that a Microsoft key can be
used to verify Windows and a user-generated key can be used to load
Debian. The problem that the shim (et al) are trying to solve is that
some manufacturers took that "SHOULD" as a "don't really need to", and
their firmware only ships with the Microsoft key and no way to load a
second key in. So you either have to provide a boot-loader which can
load Linux and Windows which is signed by that key, or replace the key
and break Windows.

This, at least, was the case with Windows 8. I believe that, when
Windows 10 comes out, Microsoft are proposing that certain platforms DO
NOT allow changing of the key. However, for the moment, most people who
have UEFI SHOULD be able to secure boot both Linux and Windows, if
they're willing to do the leg work.

[1] https://burtness.wordpress.com/2014/02/08/secure-boot-with-debian-testing/

> 
> (And I am definitely not arguing for a change in policy, for anyone
> who might misread me.)
> 
> I have a netbook that allows secure boot to be disabled. As long as I
> don't need to boot MSWindows, I just disable secure boot. (I don't
> perceive any real advantage in Microsoft's implementation, anyway.)
> 
> But I have some work coming up that requires dual-booting MSWindows,
> and I also might want to use Debian (rather than Ubuntu or Fedora) as
> a host for developing for Android.
> 
> (I am able to boot OpenBSD from an outboard USB3 drive and keep it
> running long enough to build a snapshot release. That's roughly a day,
> plus or minus a few hours. So I have one good option. But I'd really
> prefer not to spend too much time running the OS itself from an
> outboard device whose connection can slip or get noisy from oxidation
> so easily.)
> 
> So, I'd like to ask those who for whatever reason dual-boot Debian
> with MSWindows on a modern MSW8/10 compliant box, what do you do about
> keys?
> 
> And I'm also interested in war stories relative to (dual) booting from
> GPT partitions.
> 
> --
> Joel Rees
> 
> Be careful when you look at conspiracy.
> Arm yourself with knowledge of yourself, as well:
> http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html
> 
> 

-- 
For more information, please reread.

Attachment: signature.asc
Description: Digital signature
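
Added example (not part of the original message or of any project mentioned in it): a small Python parser for the UEFI signature database `db`, which lists the enrolled entries so you can see whether the firmware holds only Microsoft-owned certificates or also a user-enrolled one. The sample database, the placeholder certificate bytes and `USER_OWNER` are constructed for illustration; the owner GUID is written by whoever enrolled the key, so treat it as a hint rather than proof of origin.

```python
import struct
import uuid

# Well-known GUIDs: signature types from the UEFI spec, Microsoft's owner GUID.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
MICROSOFT_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

def parse_db(raw, efivarfs=True):
    """Return [(type_guid, owner_guid, data)] from a signature database.

    Files read from efivarfs start with a 4-byte attributes word, skipped here."""
    pos = 4 if efivarfs else 0
    entries = []
    while pos < len(raw):
        if len(raw) - pos < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=raw[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", raw, pos + 16)
        if list_size < 28 + hdr_size or pos + list_size > len(raw) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = raw[pos + 28 + hdr_size:pos + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for off in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[off:off + 16])
            entries.append((sig_type, owner, body[off + 16:off + sig_size]))
        pos += list_size
    return entries

def non_microsoft_certs(entries):
    """X.509 entries whose owner GUID is not Microsoft's (e.g. a user key)."""
    return [e for e in entries if e[0] == EFI_CERT_X509 and e[1] != MICROSOFT_OWNER]

def _sig_list(sig_type, owner, data):
    # Builds one single-entry EFI_SIGNATURE_LIST for the constructed sample.
    size = 28 + 16 + len(data)
    return (sig_type.bytes_le + struct.pack("<III", size, 0, 16 + len(data))
            + owner.bytes_le + data)

# Constructed sample: placeholder bytes stand in for DER certificates.
USER_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # hypothetical
SAMPLE_DB = (struct.pack("<I", 0x27)  # NV | BS | RT | time-based auth write
             + _sig_list(EFI_CERT_X509, MICROSOFT_OWNER, b"MS-CERT-PLACEHOLDER")
             + _sig_list(EFI_CERT_X509, USER_OWNER, b"USER-CERT-PLACEHOLDER"))

if __name__ == "__main__":
    for sig_type, owner, data in parse_db(SAMPLE_DB):
        print(sig_type, owner, len(data))
```

On a running Linux system the same function can be fed the bytes of `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`; an empty result from `non_microsoft_certs` there means no non-Microsoft certificate is currently enrolled in `db`.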

