I'm not really understanding the concern, at least on PC architecture systems... It's mandatory to allow disabling secure boot in order to receive certification, so how is this a threat to Linux?

While, on one hand, I do not trust MS,... "Bricking" other OSes, by revoking keys from Linux Distros would be a really good way to find themselves back in Court as a defendant in another anti-trust action,... again.

I look at them lording over this as a way for them to reinvent themselves as a service company, rather than a software company ...

Unless I'm missing something, this is a contractual issue and not a technical issue.

Seems to me the entire debate is the Microsoft folks won't certify a Windows 8 computer unless that system uses UEFI and a Microsoft platform key in the secure boot process. Final result: a nice little sticker on the computer. No certification, no nice little sticker.

The same computer model can be sold without Windows 8 certification. No hardware vendor is required to certify all systems as such. Hardware vendors also are not required to use UEFI. They can use the older BIOS --- unless they want that nice little sticker.

Computers not certified for Windows 8 do not have to have secure boot enabled and do not have to have UEFI installed.

The terms of a Windows 8 licensing contract might require vendors to sell only certified systems, but that is a contractual issue, not technical. If the folks at large hardware companies such as Dell can't negotiate contracts to allow them to sell their hardware as they please, then that is their tough luck. Folks managing hardware companies that are not codependent upon Microsoft/Windows 8 likely will see an increase in sales as people not needing Windows 8 certification buy their products.

Stand-alone motherboards sold through retailers do not need and are unlikely to be sold with secure boot protected with a Microsoft Windows8 platform key. People who build their own systems won't be affected.

UEFI does not require secure boot to be enabled, but only supports the capability. A UEFI computer not certified to run Windows 8 and with secure boot not enabled should be able to run any Linux based system.

People who want to dual boot using a preinstalled Windows 8 certified computer might feel up the creek without a paddle, but otherwise I'm not seeing a problem. Just don't buy a Windows 8 certified computer. Don't buy a computer that has secure boot enabled with a platform key owned by people not supporting Linux based systems.

But they can have UEFI firmware with Secure Boot enabled, but without the option to disable it. It is mandatory to have a disable option to get the certificate.

You can be pretty sure that many mainboards will come with UEFI and Secure Boot. Many smaller and mid-size OEMs are not using custom-built mainboards, but mainstream hardware and they want to have the option to sell Windows 8 certified hardware. The mainboard manufacturers will also want to sell certified hardware.

In my eyes misleading advice. Again, mainboards/computers without the certificate can have UEFI with Secure Boot enabled without the option to disable it. This option is mandatory on hardware with certificate.

Okay, when buying a motherboard from Amazon or Newegg, buy one that is not Windows 8 certified. If a motherboard has UEFI and has secure boot enabled but is not Windows 8 certified, then whose key is active? A Windows 8 certification answers the question, but a motherboard without that certification? I don't see how such a board would have secure boot enabled. By whom?

Hmm, ok, well that being the case, how could they market a board like that? Something like that would probably get the crappiest ratings imaginable. (People buying motherboards are usually geeks anyway.)

I don't see a business incentive to force secure boot without the ability to disable.

Are you sure about that? If would go against MS's commercial intrest.

If I had to make a viable plan for world domination it would look like this:

(a) make Windows start only on UEFI/SB systems
(b) stipulate in the UEFI/SB specification that there must not be an option to disable SB
(c) enforce the UEFI/SB specification through legal measures

The result: you won't be able to buy hardware able to run anything other than Windows.

As long as secure boot can be turned off, distro diversity will be maintained. I think it's clearly an attempt by M$ to kill Linux.

This has been my policy for the last eleven years. Do not (ever) trust Microsoft. And do not (ever) use their software. Over the past years, this company has done repeatedly about all that can be done to earn my mistrust.

Having the key in the firmware and having the certificate is not in any way related. You can be sure that Microsoft will not be angry if there are mainboards that effectively lock out other OSes. They would prefer if any mainboard would do that, but for legal reasons they can't do that. You know, anti-trust and such things. They will not hesitate to give manufacturers the key, even if they don't go for the certificate.
But if you buy a mainboard/PC with certificate you can be sure that there will be options to disable Secure Boot and to manage keys, which means you can delete Microsoft's keys and you can add your own custom keys.

Most mainboards are not bought by the private person, they are bought by small and midrange OEMs. These OEMs don't use custom mainboards, they use mainstream mainboards. You can also be sure that a mainboard without certificate will be at least a little bit cheaper than those with certificate. Since the most OEMs sell their systems with Windows pre-installed anyways they couldn't care less about those options.

Yes I am sure. No offense meant, but I wonder why people don't actually read what Microsofts requirements are: http://msdn.microsoft.com/en-us/libr...dware/jj128256
For this topic relevant are the points 17 (key management) and 18 (disabling Secure Boot) in the paragraph System.Fundamentals.Firmware.UEFISecureBoot
Here the relevant excerpt from paragraph 18: That is the reason why I recommend always to buy mainboards with the certificate, so you can be sure that you have options to manage keys and disable Secure Boot, options that don't have to be implemented on mainboards without the certificate.
Microsoft would be sued to hell in the EU and I think even in the US of A they would see another anti-trust lawsuit.

In the EU, yes. In the US, maybe, but M$ will win.

wrong again, John
 

meaning me.
I would [unsolve] this post if there were a method.
First and foremost: I still believe that business' will develop a method to poll your computer that all financial transactions have secure boot enabled and operating. If they don't develop said method, some 'hot shot class action lawyer' or 'insurance provider' will declare that this business method does not do all it can to protect its user's financial transactions. Liability and blacklist enabled.
Secondly further reading in the comments section by mjg8, he states his shim is signed by MS. Unlike Tobi I believe any key issued by anyone can also be revoked by that entity.

To quote George Ure "Everything is a business plan"
So I am still undecided, do I build my next system with a UEFI Bios with secure boot or not? I have not had an MS system in my home since about 1998 (Win95). I do run a KVM (WinXp-VM) to access my wife's bank which polls the OS and sends you to a "We are having problems, please try again later" page if it does not get the expected answer. I have tried browser spoofing. It doesn't work at this bank. Will your bride change her favorite bank where her friend works for you?
To quote President o'bama "this is above my pay grade"
Apparently I will need to do much more RTFM'ing
Thanks to everyone for their opinion.
Also hope to hear more advice.
John

From the link to LWN you gave in a previous post:So if you don't use Microsoft software (which means you don't have the needed private key) or software provided by the boards manufacturer (which is pretty unusual on Linux, since they only provide Windows software) they can't revoke your keys.
But even if they do: If you have a Windows certified mainboard just disable Secure Boot or add your own keys.

And as I said, then I lose the advantage of secure boot. I would like to participate in the secure boot environment if it helps secure communications. I believe at some point financial institutions will require it. I am just looking for a way to do it without needing MicroSoft's keys or permission, if that can be accomplished with my own keys as you seem to indicate that suits me fine.
Not trying to be argumentative about it. Just looking for a way out.
Also trying to decide how to build my next system. Thinking if UEFI/SB is a bad thing for Slackware, I better snag an old bios super motherboard before they all disappear. Otherwise I can just wait until I really need a new system. Right now I have 2 working desktops vintage 1996 (actually has 3-1/2 and 5-1/4 onboard floppies and a 8" external) and a generic Dell 2007. They both are pretty solid for desktop use and some hobby programming.
Thanks
John

When they remove the option to disable secure boot (like on ARM), then you can mad rush to get the old mobos ... but I think they've planned for that too.