On 10/20/2011 08:10 AM, Tom H wrote:
On Thu, Oct 20, 2011 at 4:58 AM, Thomas Bendler
<thomas.bend...@gmail.com> wrote:
Secure boot is simply a design mistake. Instead of giving everyone the
opportunity to upload own certificates to the certificate store (like
browsers do), they implemented a hard coded list of certificates so that
only a few systems benefit from secure boot (the general idea of secure boot
is fine). This is the problem, the root of trust is moved to the vendors
instead of the owner. Unfortunately a lot of commercial interests will most
likely push it to the market as it is, so the only hope will be to be able
to switch it off.
The only intelligent post in this totally OT thread...
I respectfully disagree -- although a number of the intelligent posts
were not related to the engineering/design issues. Secure boot as being
forced by Microsoft is a deliberate design, a mistake for those of us
who want some vendor independence (market competition with
licensed-for-free, including full source distribution, variants allowed
to compete), but a profit enforcer for those whose for-profit products
are allowed to be installed as the operating environment.
The reason I posted this item -- a reason that no one has yet addressed
-- was twofold:
1. To stop the current UEFI approach so that licensed-for-fee
environments, such as Linux or BSD, can be installed on any hardware
platform. This does involve getting the community to be aware of the
problem. It does not appear at this time that there is any USA or EU
movement equivalent to the Australian approach of lawsuit to stop secure
boot -- but we may still be able to do something -- suggestions welcome.
These include demanding a way for entities such as CentOS or SL
(Fermilab/CERN) to provide acceptable certificates, albeit this would
still restrict "small" developers that would not want to pay to a
Certificate Authority.
2. To find/develop a workaround -- "the only hope will be to be able
to switch it off" will not work without possibly a way to reprogram the
UEFI replacement for the BIOS. I can provide several business/market
sector/security scenarios indicating why the hope of some motherboards
to be UEFI "open" will not address the issues. Is anyone starting to
look at workarounds?
I apologize for the firestorm -- but if UEFI as proposed is implemented,
it is likely that Linux on the desktop/laptop in the USA effectively
will cease -- only MS Windows and Mac OS X will continue, provided Apple
does not run into trouble (always an issue for a single for-profit
corporation that is not regarded as too big or vital to fail).
Yasha Karant