Matthew Garrett

Everythin about this seems to be overly complicated for very little gain. Freedom from users is severely limited whereas protection is not that much improved.

In order for all of this to be useful, you need to be able to blacklist some keys. I'm not sure how this would work, is it possible to just update the list or do you have to flash a new EFI? Who can update the list, only Microsoft? Could you blacklist the Microsoft key?

Obviously, once a key is blacklisted, all OSes using that key won't be able to boot. If it's a malware, you just won't be able to boot your OS (obviously a malware would remove the official signed bootloader and put his own one).

So in the end I guess it's a technology that will only be able to protect Microsoft Windows, and I'm not even sure that the threat is that great. Do we have numbers about the quantity of bootloader-level malware out there? The only benefit I see is that Microsoft Windows users will know that their OS is compromised right away (by not booting at all) instead of the OS to be able to make bad things unnoticed.

Will bare motherboards (to build a custom computer) include Microsoft keys as well? If all computers start to use locked-down bootloaders, it will be a pain to install other OSes on all x86 hardware (except Apple hardware I guess, which would be overly weird since Apple is one of the most closed-down OS out there).