[Linux-aus] UEFI Secure Boot - Precis of List Comments and proposals

John Ferlito johnf at inodes.org
Tue Aug 7 10:00:52 EST 2012

On Mon, Aug 06, 2012 at 09:33:05PM +1000, Brent Wallis wrote:
> IMHO, the first step in what will probably be a very long road is to find
> out what Hardware Manufacturers are going to do with UEFI.
> Specifically, we need to find out about how they plan to implement key
> control and how easy it will be for authorised users to implement
> options 2 and 3.

I think this is actually the key issue and what we should be
concentrating on.

As currently implemented technically, UEFI has bugs etc., but that stuff
will go away over time. The key issue is lockout and that's what I
think we need to address the most. Another thing in its favour is it
is the least complicated message to get across as it is for the most
part the least technical.

The issues as I see it for OEMs:

- What keys will go in the BIOS by default
- Can I disable Secure Boot
- Can a prompt appear to ask me to add a key if the one in the boot
  loader isn't recognised
- Can I as a user add my own keys

There was a proposal at one stage to have the BIOS check if you were
booting from a CD and then if the CD had a new key ask the user if they
wanted to add it. I'm not sure how far that got.

Maybe the place to start is to craft a letter to send OEMs to find out
what they are doing.

The other key part that we need to not overlook is ARM. While for x86
the Windows 8 spec allows OEMs to have other keys, on ARM only the
Microsoft key is allowed to exist (at least last time I looked, this
probably needs more research). So we need some sort of comment about
that as well.


Blog                             http://www.inodes.org
LCA2012                          http://lcaunderthestars.org.au
