"Does the end user have the ability to manage their own keys"
That is the core problem with Secure Boot.
Whoever controls the keystore, controls your hardware. And the only reasonable person to do this is the owner of the hardware, not the producer.
Otherwise you could just get a game console and hope the producer will not revoke your linux access.
One of you last blogs contained: "But they can't prevent their system from running Windows 8."
That is the other half to the keystore access: I not only want to add my own keys, I also want the ability to kick every other keys out, that I do not want to trust.
I like your idea with offering to import keys from a removable media, because this is a nice way to get the key of an installer CD or similar accepted, even without the user needing to read a manual. The system directly offers the choice, without the need to "call the support to get error xyz fixed". But from the security viewpoint this is still a weakness, if the user clicks "OK" without really reading what was asked: Every bootsector virus could now offer its key.
Wouldn't it be better to just include a mandatory key manager into the BIOS? Just "List all installed keys", "Delete selected key" and "Load new key from USB/CD/..." should be sufficient. And it might even be possible to drop into this management menu, if no (correctly) signed boot loader, but a new key file is found on a media.
key managment
That is the core problem with Secure Boot.
Whoever controls the keystore, controls your hardware. And the only reasonable person to do this is the owner of the hardware, not the producer.
Otherwise you could just get a game console and hope the producer will not revoke your linux access.
One of you last blogs contained: "But they can't prevent their system from running Windows 8."
That is the other half to the keystore access: I not only want to add my own keys, I also want the ability to kick every other keys out, that I do not want to trust.
I like your idea with offering to import keys from a removable media, because this is a nice way to get the key of an installer CD or similar accepted, even without the user needing to read a manual. The system directly offers the choice, without the need to "call the support to get error xyz fixed". But from the security viewpoint this is still a weakness, if the user clicks "OK" without really reading what was asked: Every bootsector virus could now offer its key.
Wouldn't it be better to just include a mandatory key manager into the BIOS? Just "List all installed keys", "Delete selected key" and "Load new key from USB/CD/..." should be sufficient. And it might even be possible to drop into this management menu, if no (correctly) signed boot loader, but a new key file is found on a media.