On Sat, 23 May 2015 12:46:10 -0700 Patrick Bartek <nemomm...@gmail.com> wrote:
> On Sat, 23 May 2015, Petter Adsen wrote:
>
> > On Sat, 23 May 2015 09:04:55 -0700
> > Patrick Bartek <nemomm...@gmail.com> wrote:
> > > I've read about that, but right now until W10 in its final form is
> > > released, nobody really knows for sure.
> >
> > Well, yes and no. We *do* know that the status has changed from
> > "mandatory" to "optional", but whether hardware manufacturers will
> > actually remove the ability to turn Secure Boot off remains to be
> > seen.
>
> Yes. I read that. Wonder what Microsoft has up its sleeve?

If I were to guess, this is in preparation for at some point in the future requiring Secure Boot to be used, without the ability to turn it off. You know, "think of the children!".

> Maybe, this is indicative of W10 being even more insecure than
> previous Windows' OSes.

Secure Boot itself is not actually such a bad idea, in some circumstances it might be nice to have a fully signed chain. IMHO. In itself, it should help to make Windows *more* secure, but this is hardly the right place for that particular discussion. Nor do I care :)

> > > I have no problems with turning Secure Boot off and leaving it
> > > off. It's just that I fear that in the future one won't be able
> > > to turn it off. And that will really throw a wrench in the Linux
> > > community. We'll see.
> >
> > The Linux Foundation is also examining the possibility of obtaining
> > a key that can be used to sign images for distributions (free of
> > charge), and there is also work being done on signing a shim that
> > will launch a "real" bootloader. As the Perl people lovingly remind
> > us, there's more than one way to do it :)
>
> Where there's a will, there's a way I suppose. Although, instead of a
> patch or shim, the threat of a class action lawsuit by Linux
> developers might be more effective.

Hardware manufacturers will have to take into account the fact that there are a large number of people and organizations that run their machines without Windows, so I don't think there will be a lack of machines that can turn Secure Boot off in the near future.

But will it become something to watch out for when buying new hardware? Most certainly, at least for a period of time. I have a sneaking suspicion that it might become a bigger problem for laptop users than for desktop users, although I'm unable to back that up. For those of us who prefer to build their own machines, I think it will be much less of a problem.

The cleanest option would probably be to allow the owner of the machine to install his/her own keys in the firmware, and sign the boot image with those. And we still have legacy mode. For now.

In my view, a solution for Linux that doesn't work for our BSD brethren and other people would not be good enough - we shouldn't settle for it. I remember all too well how hard it was to get Linux (or BSD, for that matter) up and running with new hardware back in the day, and I don't want a return to that state of things. There may very well be another Linus quietly tinkering away at something that might become the Next Big Thing out there, and it would be a shame if we were to limit hardware to not make that possible.

I am also not sure MS really _wants_ to lock Linux/others out of the playing field. If they do, I assume the murmurs of class-action and anti-competition would rise in pitch, and someone might do something that could *really* hurt them. They really should work with the community to come up with a solution that works for everyone before someone forces them to.

Petter

--
"I'm ionized"
"Are you sure?"
"I'm positive."