|Someone wrote in mjg59,|
Assuming the BIOS permits the option - as mentioned elsewhere, remove the feature, and that's one less thing you have to debug on your budget PC, one less thing you have to provide support for - there will be a whole new class of boot failures when Windows 8 users flip the option for whatever reason.
Even those of us who are tech-savvy are going to get *really* annoyed flipping the state every time they switch OS. I do as much work as possible in Linux but alas, my employer requires that I boot Windows fairly regularly, just to get a DHCP lease for my hardware. I also like to play games, and faffing about with Wine is not what I would call conducive to leisure. New games will probably start requiring secure boot anyway so you can't cheat.
The shame of it is, the feature has a legitimate use, and is probably a good thing for Windows users, who let's face it, need more security.
The only acceptable implementation would be one which permitted you to add keys to the keystore at boot time, in the BIOS setup, via entry of a checksum-verified key block. Then you don't need to buy a "blessed" proprietary OS just to add keys. Alas, this would be an even more serious deterrent to any casual use of Linux on a given piece of hardware.
So all in all, I wouldn't prohibit this feature - that would seem to be against the Free Software ethos, after all. And it's going to be good for Windows users. But I would mandate that any implementation also provides...
- Ability to add signing keys to the keystore via BIOS setup
- Although it's obviously better to get an OSS friendly key in there from the get-go, so the common distros can get their bootloaders signed.
- The ability to disable secure boot with one key at boot time
- Perhaps with the ability to choose to boot a given volume in non-secure mode, from the usual BIOS boot