[ Apologies, missed this last week... ]

to...@tuxteam.de wrote:
>
>On Mon, Jun 14, 2021 at 09:20:52AM +0300, Andrei POPESCU wrote:
>> On Vi, 11 iun 21, 15:07:11, Greg Wooledge wrote:
>> >
>> > Secure Boot (Microsoft's attempt to stop you from using Linux) relies on
>> > UEFI booting, and therefore this was one of the driving forces behind it,
>> > but not the *only* driving force. If your machine doesn't use Secure Boot,
>> > don't worry about it. It won't affect you.
>>
>> While I'm not a fan of Microsoft:
>>
>> https://wiki.debian.org/SecureBoot#What_is_UEFI_Secure_Boot_NOT.3F
>
>Quoting from there:
>
> "Microsoft act as a Certification Authority (CA) for SB, and they will
> sign programs on behalf of other trusted organisations so that their
> programs will also run."
>
>Now two questions:
>
> - do you know any other alternative CA besides Microsoft who is
> capable of effectively doing this? In a way that it'd "work"
> with most PC vendors?

I've been in a number of discussions about this over the last few
years, particularly when talking about adding arm64 Secure Boot and
*maybe* finding somebody else to act as CA for that.

There's a few important (but probably not well-understood) aspects of
the CA role here:

 * the entity providing the CA needs to be stable (changing things is
   expensive and hard)
 * they need to be trustworthy - having an existing long-term business
   relationship with the OEMs is a major feature here
 * they need to be *large* - if there is a major mistake that might
   cause a problem on a lot of machines in production, the potential
   cost liability (and lawsuits) from OEMs is *huge*

There are not many companies who would fit here. Intel and AMD are
both very interested in enhancing trust and security at this kind of
level, but have competing products and ideas, for example.

> - is there any internationally legal binding of Microsoft for
> them to provide that service in the future, in a fair and non
> discriminatory way?

That is a question I *can't* answer as I've not seen anything
personally. But I would be shocked if agreements like that have not
been made with various vendors.

Having worked with Microsoft and a number of representatives from the
Linux distros, I *can* confirm that Microsoft care about Linux and SB
working well. Hell, they're even using SB (shim, etc.) themselves for
their own small Linux distro. That's not a *guarantee* of future
goodwill, but they're not about to break things here on a whim.

--
Steve McIntyre, Cambridge, UK. st...@einval.com
"We're the technical experts. We were hired so that management could
ignore our recommendations and tell us how to do our jobs." -- Mike Andrews