
Re: debian installation issue



[ Apologies, missed this last week... ]

tomas@tuxteam.de wrote:
>
>On Mon, Jun 14, 2021 at 09:20:52AM +0300, Andrei POPESCU wrote:
>> On Vi, 11 iun 21, 15:07:11, Greg Wooledge wrote:
>> > 
>> > Secure Boot (Microsoft's attempt to stop you from using Linux) relies on
>> > UEFI booting, and therefore this was one of the driving forces behind it,
>> > but not the *only* driving force.  If your machine doesn't use Secure Boot,
>> > don't worry about it.  It won't affect you.
>> 
>> While I'm not a fan of Microsoft:
>> 
>> https://wiki.debian.org/SecureBoot#What_is_UEFI_Secure_Boot_NOT.3F
>
>Quoting from there:
>
>  "Microsoft act as a Certification Authority (CA) for SB, and they will
>   sign programs on behalf of other trusted organisations so that their
>   programs will also run."
>
>Now two questions:
>
> - do you know any other alternative CA besides Microsoft who is
>   capable of effectively doing this? In a way that it'd "work"
>   with most PC vendors?

I've been in a number of discussions about this over the last few
years, particularly when talking about adding arm64 Secure Boot and
*maybe* finding somebody else to act as CA for that. There are a few
important (but probably not well-understood) aspects of the CA role
here:

 * the entity providing the CA needs to be stable (changing things is
   expensive and hard)
 * they need to be trustworthy - having an existing long-term business
   relationship with the OEMs is a major feature here
 * they need to be *large* - if there is a major mistake that might
   cause a problem on a lot of machines in production, the potential
   cost liability (and lawsuits) from OEMs is *huge*

There are not many companies who would fit here. Intel and AMD are
both very interested in enhancing trust and security at this kind of
level, but have competing products and ideas, for example.

> - is there any internationally legal binding of Microsoft for
>   them to provide that service in the future, in a fair and non
>   discriminatory way?

That is a question I *can't* answer as I've not seen anything
personally. But I would be shocked if agreements like that have not
been made with various vendors.

Having worked with Microsoft and a number of representatives from the
Linux distros, I *can* confirm that Microsoft care about Linux and SB
working well. Hell, they're even using SB (shim, etc.) themselves for
their own small Linux distro. That's not a *guarantee* of future
goodwill, but they're not about to break things here on a whim.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"We're the technical experts.  We were hired so that management could
 ignore our recommendations and tell us how to do our jobs."  -- Mike Andrews

