UEFI Secure Boot

jb jb.1234abcd at gmail.com
Tue Jul 9 01:48:00 UTC 2013


Mike Jeays <mike.jeays <at> rogers.com> writes:

> 
> On Tue, 9 Jul 2013 02:31:40 +0200
> Polytropon <freebsd <at> edvax.de> wrote:
> 
> > On Mon, 8 Jul 2013 16:21:28 +0000 (UTC), jb wrote:
> > > I hope FreeBSD (and other OSs) luminaries, devs and users will find
> > > a way not to harm themselves.
> > 
> > A massive problem I (personally) have is that with Restricted Boot
> > (this is what "Secure Boot" basically is) you are no longer able
> > to _ignore_ MICROS~1 and their products. A restrictive boot loader
> > mechanism that requires signed and confirmed keys, handled by a
> > major offender of free decisions and a healthy market - no thanks.
> > What prevents MICROS~1 from revoking keys of a possible competitor?
> > Or from messing with the specs just that things start breaking?
> > ... 
> If I have understood correctly, it is quite easy to disable secure boot on
> most current machines; it is just an option in the UEFI setup.
> 
> The real danger is machines where it cannot be disabled. This includes
> some recent HP machines; whether by design or incompetence I cannot say.

As readers on distrowatch.com put it regarding Secure Boot:

"Secure Boot can be turned off completely or, custom mode entered and other
keys added if so desired thus avoiding the need to deal with Microsoft.
Although it does add extra steps to installing a Linux or BSD system it's
not that difficult to deal with and Secure Boot is part of the UEFI
specifications, not Microsoft's."

"In some cases Secure Boot CANNOT be turned off completely, and in other
cases Secure Boot may be desired. In these cases, an independent authority
should be signing the key, NOT Microsoft. We shouldn't have to forgo
the use of Secure Boot to avoid dealing with Microsoft.

"It deeply disturbs me that Linux and BSD projects must grovel before
Microsoft to get their key signed to be allowed to install their OS. Why
should MS have such power? There should be an independent entity to handle
this."

jb



