Thomas (boggyb) wrote,
Thomas
boggyb

  • Mood:

Apparently people don't want a system where they can guarantee the kernel has not been compromised

I should really stop reading articles about the Windows 8 Secure Boot requirements. I'm only going to get annoyed at all the spectacularly incorrect commentary. Apparently people don't want a system where they can guarantee the kernel has not been compromised by malware.

As best as I can tell, this is what the Windows 8 logo certification actually requires (note: I'm only paying attention to x86-based systems. ARM-based stuff is an entirely different kettle of fish):

  • The firmware must support secure boot.
  • The firmware must contain the Windows 8 certificate (because, duh).
  • If secure boot is enabled, then the firmware must not load any unsigned kernels or drivers (that's the entire point of secure boot).
  • The firmware may contain any number of other certificates.
  • It must be possible to install your own certificates, delete certificates, or even turn off secure boot entirely.

Originally only the first three were actual requirements, but the masses complained that Windows 8 certification did not explicitly require that you would be able to install Linux. So the other requirements were added.

It turns out that a program can only be signed by one certificate, so by far the easiest way to release a signed Linux kernel that will Just Work is to sign it with a certificate that is in turn signed by the Microsoft one as that's going to be present in pretty much any system. And it turns out that one can buy such a certificate (or equivalent - I've not looked in detail at signing your own kernel works) from Verisign for $99. Fedora are going to do this, and I'd imagine that the other major Linux distributions will also do so (because most users want something that Just Works)

So where, exactly, is the problem with all this for x86? I'll agree that the (completely different) requirements for ARM-based systems prevent other operating systems being installed, but when was the last time you saw a desktop computer that ran anything other than x86 or x86_64?

Tags: computing, idiots, rant
Subscribe
  • Post a new comment

    Error

    default userpic
    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.
  • 7 comments