It's an attempt to dissuade people from blindly recommending Chromebooks as an alternative to Microsoft's imposed Secure Boot setup.
I think that is counter-productive, Matthew.
Just like I have a coreboot bias, you likely have an ever so slight UEFI Secure Boot bias, having worked with it for so long. You understand how Secure Boot works while most of our community - that is, the community of people desiring general purpose computers - may not.
You understand what Secure Boot could do for us, and you have spent an enormous amount of time trying to solve the problem of how Linux can fit into that structure. Your effort is phenomenal!
As you may know, I have been participating in the coreboot project since some 12 years. My experience there and in the security field tells me that it is absolutely critical for our community NOT to depend on any single boot verification structure, and certainly not one which is being deployed to let Microsoft decide what a computer says is secure and insecure.
Microsoft clearly isn't acting in our best interest.
Google is also acting in their own interest, but at the moment I feel that our community's interest in having control over our machine's firmware aligns well with Google's interest.
That's the reason to act fast against UEFI Secure Boot.
Unfortunately for you, your job is to act fast toward UEFI Secure Boot, to make it "just work" for Red Hat and friends. I have the utmost sympathy for you, in having to deal with that problem every day. It doesn't take reading your musings on how broken everything is, to realize that it is not too joyous work.
Google has developed their own x86 firmware based on well-known components such as coreboot and U-boot, and not only do they provide their customers freedom to root their hardware, they have also chosen to (use components such that they must) publish their entire firmware source code.
Google is clearly being vastly more progressive than the UEFI Forum and Microsoft.
But them doing something that is much better isn't why the Chromebook really does deserve to be recommended as an alternative to Microsoft's Secure Boot.
The Chromebook deserves to be recommended because it is doing something different.
The ideal solution for our community hasn't been productized yet - maybe not even developed yet. As you know, the majority of our community doesn't have experience with security with or without involving hardware, and even fewer have x86 firmware experience. I believe (I'm just naïve like that) this may change thanks to your work, coreboot's work, and Google's work. I think it must change.
the timing's largely down to the availability of alternative firmware implementations for x86. Embedded devices have implemented equivalent technology for years.
coreboot has facilitated implementation of equivalent technology for years, 15 years to be precise. For some reason, the UEFI Forum and Microsoft have chosen a different route. The UEFI Forum's and Microsoft's route is not helping our community, while Google's route is.
That's why it makes sense to recommend a Chromebook, to anyone who is concerned about their machine's firmware, and the future of general purpose computing.
Power management, mobile and firmware developer on Linux. Security developer at nvidia. Ex-biologist. Content here should not be interpreted as the opinion of my employer. Also on Mastodon and Bluesky.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Everything that glitters isn't Secure Boot
Date: 2013-02-05 08:34 pm (UTC)I think that is counter-productive, Matthew.
Just like I have a coreboot bias, you likely have an ever so slight UEFI Secure Boot bias, having worked with it for so long. You understand how Secure Boot works while most of our community - that is, the community of people desiring general purpose computers - may not.
You understand what Secure Boot could do for us, and you have spent an enormous amount of time trying to solve the problem of how Linux can fit into that structure. Your effort is phenomenal!
As you may know, I have been participating in the coreboot project since some 12 years. My experience there and in the security field tells me that it is absolutely critical for our community NOT to depend on any single boot verification structure, and certainly not one which is being deployed to let Microsoft decide what a computer says is secure and insecure.
Microsoft clearly isn't acting in our best interest.
Google is also acting in their own interest, but at the moment I feel that our community's interest in having control over our machine's firmware aligns well with Google's interest.
That's the reason to act fast against UEFI Secure Boot.
Unfortunately for you, your job is to act fast toward UEFI Secure Boot, to make it "just work" for Red Hat and friends. I have the utmost sympathy for you, in having to deal with that problem every day. It doesn't take reading your musings on how broken everything is, to realize that it is not too joyous work.
Google has developed their own x86 firmware based on well-known components such as coreboot and U-boot, and not only do they provide their customers freedom to root their hardware, they have also chosen to (use components such that they must) publish their entire firmware source code.
Google is clearly being vastly more progressive than the UEFI Forum and Microsoft.
But them doing something that is much better isn't why the Chromebook really does deserve to be recommended as an alternative to Microsoft's Secure Boot.
The Chromebook deserves to be recommended because it is doing something different.
The ideal solution for our community hasn't been productized yet - maybe not even developed yet. As you know, the majority of our community doesn't have experience with security with or without involving hardware, and even fewer have x86 firmware experience. I believe (I'm just naïve like that) this may change thanks to your work, coreboot's work, and Google's work. I think it must change.
the timing's largely down to the availability of alternative firmware implementations for x86. Embedded devices have implemented equivalent technology for years.
coreboot has facilitated implementation of equivalent technology for years, 15 years to be precise. For some reason, the UEFI Forum and Microsoft have chosen a different route. The UEFI Forum's and Microsoft's route is not helping our community, while Google's route is.
That's why it makes sense to recommend a Chromebook, to anyone who is concerned about their machine's firmware, and the future of general purpose computing.