Linked by Thom Holwerda on Thu 31st May 2012 11:11 UTC
Fedora Core "Fedora 18 will be released at around the same time as Windows 8, and as previously discussed all Windows 8 hardware will be shipping with secure boot enabled by default. [...] We've been working on a plan for dealing with this. It's not ideal, but of all the approaches we've examined we feel that this one offers the best balance between letting users install Fedora while still permitting user freedom." Wait for it... "Our first stage bootloader will be signed with a Microsoft key."
Thread beginning with comment 520157
To view parent comment, click here.
To read all comments associated with this story, please click here.
Alfman
Member since:
2011-01-28

orestes,

"I don't personally take issue with the nominal fee, but I do feel there should be a choice of trusted key signers available instead of giving MS another defacto monopoly. Get Verisign or IBM or someone else sufficiently big and 'trustworthy' involved as a neutral party."


I think the owner should be the defacto root of trust.

Reply Parent Score: 2

orestes Member since:
2005-07-06

It should be an option yes, but MS is at least correct in that doing things this way will lead to more secure systems overall.

Reply Parent Score: 2

UltraZelda64 Member since:
2006-12-05

Bullshit. More secure systems would be those that are running any operating system system NOT developed by Microsoft... and which are unplugged from the AC outlet 99.9% of the time.

Edited 2012-06-01 06:23 UTC

Reply Parent Score: 1

bhtooefr Member since:
2009-02-19

The problem is the number of owners that are complete morons.

I'd say that there needs to be a jumper inside the case for allowing addition of authorized secure boot certificates. Pain in the ass, but it keeps the idiots that will answer "yes" to everything out, while letting the people that know what they're doing in.

Reply Parent Score: 2

Alfman Member since:
2011-01-28

bhtooefr,

"I'd say that there needs to be a jumper inside the case for allowing addition of authorized secure boot certificates. Pain in the ass, but it keeps the idiots that will answer 'yes' to everything out, while letting the people that know what they're doing in."

I'd find it to be one of many acceptable solutions. A physical jumper could reset the mainboard to it's original "setup mode" (as defined in the UEFI specification). This way the system returns to a clean state as before it was loaded with microsoft's key. In this mode the system would be ready to accept the user's own keys.

See the following sections for how UEFI "setup mode" works:
27.5 Firmware/OS Key Exchange: creating trust relationships
27.5.2 Clearing The Platform Key (Edit: the spec offers no mechanisms for owners to clear a 3rd party key)


There is no shortage of solutions that are superior to microsoft's, but unfortunately microsoft is in a position to dictate hardware standards and independent developers are not.

Edited 2012-06-01 02:06 UTC

Reply Parent Score: 2