On Wed, 23 Jun 21, 19:43:14, Richard Hector wrote:
> Is that something that needs to be done by one company? Perhaps because of
> how SecureBoot is implemented?

From a logistic point of view, at least for x86, Microsoft appears to be the natural choice: many mainboard manufacturers, but most hardware will end up running Windows anyway[1].

> I'd prefer to be able to add Debian's key either in addition to or instead
> of Microsoft's, which could also be happily installed alongside those of
> Intel, AMD, your favourite government security agency or whoever. And Debian
> can get theirs signed by whichever of those they might think is appropriate.
> But I want to be able to reduce that list to just Debian's, or just the
> EFF's, or mine. Whatever combination I choose.

In my limited understanding and experience with Secure Boot it's mostly up to the mainboard manufacturer.

As far as I can tell for the ASRock board here it's possible to provide a machine owner key, possibly also to revoke all other keys.

Even if it does work, I'm pretty sure 99% of home users don't actually care about any of this.

[1] Yes, I'm aware there are lots of x86 Chromebooks, but those are special purpose hardware, and even there it might make sense to include Microsoft's key, just in case someone wants to attempt installing Windows on the limited storage available :D

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser