![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
"Why not just use Coreboot?"
Why not just avoid the entire Secure Boot problem by using Coreboot? Because the reason we have the Secure Boot problem is because Microsoft's Windows 8 certification requirements mean vendors have to ship a UEFI implementation with Secure Boot. You could satisfy that by using Coreboot with a Tiano payload, but it'll still have Secure Boot enabled so you still have the same set of problems. But maybe you could just reflash your system with Coreboot? No, because another part of the requirements states that all firmware updates have to be cryptographically signed now. The only way to reflash will be to attach a flash programmer directly to your motherboard.
So why not just use Coreboot? Because it doesn't help solve this problem in any way.
So why not just use Coreboot? Because it doesn't help solve this problem in any way.
Re: firmware/hardware-level password protection as an alternative
(Anonymous) 2012-06-07 02:29 pm (UTC)(link)I really do not see a problem with this. If at the end of the day you can flash the bios directly, then there is no point to thinking of it in a physical security sense. If someone has access to the system it is insecure. Therefore, you could also just write the firmware password on the motherboard or on a sticker on the PC, and then have the user change it at their will.
I believe that we should be completely discounting Linux on SecureBoot, this is 2012, we should not be thinking of it as a "hack your system and install linux" or a follow the rules set out by verisign (who are as bad as Microsoft btw) and Microsoft. This is like buying an iPhone with the intention to run Android.... You intend to use Linux from the offset, so getting manufacturers to realize we won't buy anything we don't own if the best policy.
If you are thinking in the mentality of a user being able to download Linux take it to their local library and boot into Linux instead of Windows - this is never going to happen. Or if you are thinking there are users who are incapable of disabling SecureBoot who will be capable to know how to boot it on their system, they do not exist. These users will most likely be using iPads or in the future windows on arm. Companies using Linux will be able to create their own sets of keys/disable secure boot.
You need to forget about this and start concentrating on people buying free software/open computers with Linux pre-installed.
I for one will be moving away from using Fedora if it starts to support this structure of hierarchical forced trust. This would include even a Fedora or free software signing key.