Matthew Garrett (mjg59) wrote 2012-10-10 17:47

Linux Foundation approach to Secure Boot

James Bottomley just published a description of the Linux Foundation's Secure Boot plan, which is pretty much as I outlined in the second point here - it's a bootloader that will boot untrusted images as long as a physically present end-user hits a key on every boot, and if a user switches their machine to setup mode it'll enrol the hash of the bootloader in order to avoid prompting again. In other words, it's less useful than shim. Just use shim instead.

(Anonymous) 2012-10-11 17:24 (UTC)
Will computers indefinitely let users disable secure boot completely?

I like Freedom and using a Shim is taking some of that away.

(Anonymous) 2012-10-11 23:20 (UTC)
The solution by Linux Foundation allows me to run a VM system, allows me to run any second Linux under the first, and allows me to use the hardware that I have purchased to run what I want. If we really want dual boot, then the BIOS should have an option at power on time to a) run UEFI security b) run non UEFI mode, c) Ask me which mode to run

(Anonymous) 2012-10-12 03:06 (UTC)
Where can I get shim and how do I install it?

(Anonymous) 2012-10-12 17:55 (UTC)
I think a "continue, but just this once" mechanism makes sense for a different set of applications than shim does. I don't really want to have shim trust the keys signing rescue CDs and installers on an ongoing basis, but having a "just this once" authorization makes sense. Shim could presumably also do it, but I think it's nicer to have that sort of boot image not have an interface that suggests that you would want to trust it to boot unattended.