2011/10/25 Amit Aronovitch <aronovi...@gmail.com>: >> I didn't follow the detail but a few weeks ago this made a noise on >> Slashdot and as far as I'm aware Microsoft issued a statement which >> calmed down the activists and it became a none-issue. I didn't follow >> it closely so I might be wrong. >> > > Can you help locating the MS statement that you describe?
I was not the one who "described" it but I believe this is the statement in question: http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx Some quotes: "Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components" "Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows" This does not really mean much to me. As far as I can decipher the really problematic piece is the bootloader (e.g., grub for our purposes). The statements above say, if the FW vendor allows disabling the security feature it's up to you, it you want to use grub and Linux we are fine with that. What they do not say is, e.g., if you disable the FW security layer you will not be able to boot Windows 8 from unsigned grub. They do not say how one would go about signing grub (see the RedHat guy's post for details of the problem). I miss lots of things in the debate that I've seen discussed nowhere. E.g., if I disable FW security layer and use unsigned grub to boot Linux, will I be able to run Windows 8 in a VM on top of that Linux? Will hypervisor vendors (including hosted hypervisors) have to include new "security" components that would verify all the layers below to run a Windows 8 guest (nested virtualization will be so much more fun, eh?)? WIll security be checked only at OS boot? Will it be impossible to live-migrate a Windows 8 VM between physical servers with different security settings (sounds like a lot of work for VMware VirtualCenter and other products like that). Ditto for enterprise level provisioning and/or scheduling systems that match images (of physical or virtual systems) with HW resources. Ditto for "orchestration" products that reshuffle resources to optimize whatever and heal other stuff and add capacity on demand etc., etc., etc. All those will have to take additional parameters into account (and do more work, e.g., reconfigure FW on the fly, adding to provisioning complexity and time), otherwise things won't boot. However, the discussion below the blog I linked to above seems to indicate that MS may not be as evil as we give them credit to be: Q. [W]ill Windows 8 be usable on systems which have secure boot disabled for compatibility questions? A. Of course Windows is usable without secure boot -- just like the post stated. I did not find this statement in the blog, but I could have missed it. As far as I understand the blog post was written by a different person(Tony Mangefeste) than the blog owner (Steven Sinofsky), and the answer I quoted above is from the blog owner. So I am not 100% sure that the security option can be turned off in Windows 8. -- Oleg Goldshmidt | p...@goldshmidt.org _______________________________________________ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il