On 10/20/2011 08:10 AM, Tom H wrote:
> On Thu, Oct 20, 2011 at 4:58 AM, Thomas Bendler
> <[log in to unmask]>  wrote:
>>
>> Secure boot is simply a design mistake. Instead of giving everyone the
>> opportunity to upload own certificates to the certificate store (like
>> browsers do), they implemented a hard coded list of certificates so that
>> only a few systems benefit from secure boot (the general idea of secure boot
>> is fine). This is the problem, the root of trust is moved to the vendors
>> instead of the owner. Unfortunately a lot of commercial interests will most
>> likely push it to the market as it is, so the only hope will be to be able
>> to switch it off.
>
> The only intelligent post in this totally OT thread...

I respectfully disagree -- although a number of the intelligent posts 
were not related to the engineering/design issues.  Secure boot as being 
forced by Microsoft is a deliberate design, a mistake for those of us 
who want some vendor independence (market competition with 
licensed-for-free, including full source distribution, variants allowed 
to compete), but a profit enforcer for those whose for-profit products 
are allowed to be installed as the operating environment.

The reason I posted this item -- a reason that no one has yet addressed 
-- was twofold:

1.  To stop the current UEFI approach so that licensed-for-fee 
environments, such as Linux or BSD, can be installed on any hardware 
platform.  This does involve getting the community to be aware of the 
problem.  It does not appear at this time that there is any USA or EU 
movement equivalent to the Australian approach of lawsuit to stop secure 
boot -- but we may still be able to do something -- suggestions welcome. 
  These include demanding a way for entities such as CentOS or SL 
(Fermilab/CERN) to provide acceptable certificates, albeit this would 
still restrict "small" developers that would not want to pay to a 
Certificate Authority.

2.  To find/develop a workaround -- "the only hope will be to be able
to switch it off" will not work without possibly a way to reprogram the 
UEFI replacement for the BIOS.  I can provide several business/market 
sector/security scenarios indicating why the hope of some motherboards 
to be UEFI "open" will not address the issues.  Is anyone starting to 
look at workarounds?

I apologize for the firestorm -- but if UEFI as proposed is implemented, 
it is likely that Linux on the desktop/laptop in the USA effectively 
will cease -- only MS Windows and Mac OS X will continue, provided Apple 
does not run into trouble (always an issue for a single for-profit 
corporation that is not regarded as too big or vital to fail).

Yasha Karant