[ Apologies, missed this last week... ]
tomas@tuxteam.de wrote:
On Mon, Jun 14, 2021 at 09:20:52AM +0300, Andrei POPESCU wrote:
On Vi, 11 iun 21, 15:07:11, Greg Wooledge wrote:
>
> Secure Boot (Microsoft's attempt to stop you from using Linux) relies on
> UEFI booting, and therefore this was one of the driving forces behind it,
> but not the *only* driving force. If your machine doesn't use Secure Boot,
> don't worry about it. It won't affect you.
While I'm not a fan of Microsoft:
https://wiki.debian.org/SecureBoot#What_is_UEFI_Secure_Boot_NOT.3F
Quoting from there:
"Microsoft act as a Certification Authority (CA) for SB, and they will
sign programs on behalf of other trusted organisations so that their
programs will also run."
Now two questions:
- do you know any other alternative CA besides Microsoft who is
  capable of effectively doing this? In a way that it'd "work"
  with most PC vendors?
I've been in a number of discussions about this over the last few
years, particularly when talking about adding arm64 Secure Boot and
*maybe* finding somebody else to act as CA for that. There's a few
important (but probably not well-understood) aspects of the CA role
here:
* the entity providing the CA needs to be stable (changing things is
  expensive and hard)
* they need to be trustworthy - having an existing long-term business
  relationship with the OEMs is a major feature here
* they need to be *large* - if there is a major mistake that might
  cause a problem on a lot of machines in production, the potential
  cost liability (and lawsuits) from OEMs is *huge*
There are not many companies who would fit here. Intel and AMD are
both very interested in enhancing trust and security at this kind of
level, but have competing products and ideas, for example.