I wonder how long it will take that we have at least 5 mindless petitions against this.

I just saw this thread
http://www.linuxquestions.org/questi...e-boot-947769/

Another relevant link
http://blogs.msdn.com/b/b8/archive/2...with-uefi.aspx

and all the pundits said that the manufactures would NOT SHOOT themselves in the head by implementing this WITHOUT an easy way to disable it .It looks like they were a bit off


well -- our new overlords

" We are the Microsoft ,we will add your technological distinctiveness to our own. Your culture will adapt to service us. Resistance is futile, you will be assimilated "

In which way does this indicate that the hardware manufacturers will not implement the option to disable Secure Boot?
I also can't see how this is related to Microsoft, except that Red Hat has bought the Microsoft key from Verisign.
Of course Red Hat will jump onto this bandwagon, they have to. Red Hat is a commercial entity and in the future for many (most?) customers Secure Boot will be a requirement in their corporate environment (and their is nothing bad in that). So they have to adapt and using the same key as Microsoft is the most logical option, since any board out there that comes with the Secure Boot feature will have the Microsoft key in their ROMs. So with this move Red Hat gets maximum compatibility where Secure Boot has to be enabled.

I wonder why people expected it to be different.

This is a big deal because soon people will not be able to install Linux on hardware that they buy unless they screw with the firmware, something many users are not comfortable with. They also have the option of buying a $90 key.

This is also a big deal because Microsoft has the ability to disable any key, meaning that Microsoft now can disable your Linux system if you were one that paid for a key.

Screw online petitions, I say we sit in at the Microsoft headquarters.

As I understand it, they have not bought a Microsoft key, they have bought Microsoft's key. If Microsoft disables the key they will disable any Windows 8 installation.
Even if that is not the case, just go into your firmware and disable Secure Boot. You have bought a mainboard with that feature, haven't you?

Please bear in mind that one of the principles of setting up a secure installation is: "do not completely trust the sysop!" At three o'clock in the morning at the server farm, when there are no security cameras watching, it could indeed be a very easy thing to boot an otherwise-secure computer using a Linux DVD-ROM and to thereby bypass security controls, say for the purposes of industrial espionage. Given this unfortunate reality, it may well be that you profoundly want a meaningful defense against that possibility. Indeed, your relationship with (say...) credit-card providers ("PCI") probably demands it.

Red Hat, of course, is a particularly corporate-focused player. They do have thousands of installations out there, many of them right alongside Windows installs within the same secure farm, owned by the same company and working together in the same security-mandatory scenarios. So, to my view, it makes absolutely 100% sense to me that they would do this, and that they would do this in this way. It's not surprising that license fees and/or royalties might be involved; certainly costs are involved. No "1984" talk here ... I think that I rather instantly understand what they did and why they did it, and also why they might do it when other Linux distro vendors might not make an identical choice. I really don't think that to say, "to get by..." is the right way to describe it; not at all.

I am a paranoid person in general, I would not put it past M$ and/or the government to disable the key and make nearly every computer in the country un-bootable. Sure they say that the hardware will have an option to disable secureboot, this is what they say now, just wait 5 years down the road when to be PCI compliant, the hardware can't have an option to turn off secureboot. Then the vendors will quit giving the option of disabling secureboot.

Something similar was said about TPM some years ago, but actually nothing happened. Let's see how it goes.
Here an update from Red Hat to clarify some things: http://www.redhat.com/about/news/arc...fi-secure-boot

If I were a malware writer, I would write code that would install a root kit in Microsoft Windows computers, then leak out the information to people that all they have to do to get their compute working again is to turn off the UEFI. The computer users would then turn it off, and start up their computers. They would have their anti-virus software remove the root kit, and their computers would be clean of the malware, and ready for another root kit to be installed, without them even knowing that a second root kit had been installed, because they would not bother to turn the UEFI back on again, since why bother since they regularly get viruses even with the UEFI turned on.


Wayne Sallee
Wayne@WayneSallee.com