Greg KH wrote:
> So, anyone been thinking about this? I have, and it's not pretty.
>
> Should I worry about this and how it affects Gentoo, or not worry about
> Gentoo right now and just focus on the other issues?
>
> Minor details like, "do we have a 'company' that can pay Microsoft to
> sign our bootloader?" is one aspect from the non-technical side that I've
> been wondering about.

For the current crop of hardware, it is probably sufficient to add a paragraph to the handbook which tells the user to disable secure boot.

Getting users' self-compiled boot loaders signed with a Gentoo key is probably infeasible.

If you have influence on the UEFI secure boot spec, you could suggest that they mandate a UI which lists all boot images known to the EFI boot manager, and the user can easily whitelist both individual loaders and the keys used to sign them.

Best regards,
Chí-Thanh Christopher Nguyễn