On Tue, Jul 10, 2012 at 12:04 AM, Chris Murphy <lists@colo...> wrote:
> On Jul 9, 2012, at 7:23 PM, richardvoigt@gmai... wrote:
>> systems ship with verification disabled, and all the major motherboard
>> manufacturers have indicated that secure boot will always stay an
>> opt-in mechanism.
> This is mystifying because it directly contradicts the Microsoft Windows hardware certification requirements, which require that to get the made for Windows 8 certification, the hardware must be UEFI, must implement Secure Boot, must have it enabled by default (except servers), and must have a Microsoft key included. It also requires a user choosable option to disable Secure Boot on x86, but not ARM.

Maybe I'm missing something, but when I read this, it doesn't say the
hardware must have Secure Boot enabled by default. Rather, it must be
enabled by the OEM as part of the Windows preinstallation process, so
that it's enabled when it reaches the end user. System builders are
still going to purchase UEFI Secure Boot-capable motherboards with
Secure Boot disabled-by-default, and they will "just work" if you want
to install Linux. End-users who bought pre-installed Windows will
have to change the configuration option in system setup, which for
someone planning to install a new OS from scratch is not a major
hurdle. It will be a minor road bump for people using live-CD style
media (including USB), but won't be a showstopper if the user actually
has permission from the computer owner to boot the alternate media.
What is likely is that it will prevent unauthorized (by the owner)
rebooting of public computers using alternate media, but that's not
exactly a valid scenario to begin with.

ARM is a red herring, IMO. Pretty much all ARM processors include
some sort of code security module that blocks external access to the
bootloader without the correct reprogramming key. This is pretty
standard for embedded systems, and has been for decades. Most
embedded systems aren't designed to boot from removable media.

Most tablets don't give the end user root privilege. That's a shame,
and something we should work to fix, but going around telling everyone
that the world will end if Microsoft gets Secure Boot onto media
devices is just dishonest. Those devices have been locked down
already, and the world didn't end.