-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maybe I've missed something here.  If a generic "MS signed shim" is
available what value does this add?  Wouldn't such a shim make booting
anything alternative possible?

On 02/28/2013 01:35 PM, Tom H wrote:
> On Wed, Feb 27, 2013 at 6:48 PM, zxq9 <[log in to unmask]> wrote:
>> On 02/28/2013 12:53 AM, Dale Dellutri wrote:
>>> On Wed, Feb 27, 2013 at 6:27 AM, zxq9<[log in to unmask]>  wrote:
>>>> 
>>>> There is a silver lining. The board makers themselves are out
>>>> to sell boards and laptops and tablets and can be reasoned
>>>> with. My company is an extremely small player in the hardware
>>>> field but we've had positive response from vendors when
>>>> inquiring about having our own keys included on boards 
>>>> alongside Microsoft's when doing bulk orders. We haven't had
>>>> to go that route yet so I'm unsure how much of a pain that
>>>> would actually be to manage (doesn't appear much more
>>>> difficult than managing repository keys though, for example),
>>>> but this leaves the door open for even tiny computing 
>>>> companies and larger IT departments to arrange for their own
>>>> "secure" boot keys to be pre-installed by the board
>>>> manufacturers and not violate Microsoft's requirements, even
>>>> on ARM. That said, since we don't do showroom marketing
>>>> anyway neither we nor our suppliers have a need to put
>>>> little "Windows8 Ready" stickers on anything they ship to us
>>>> anyway.
>>> 
>>> Doesn't this lower the eventual resale value of the laptop?
>>> Doesn't it restrict the laptop to run only what either MS wants
>>> or what you installed?
>>> 
>>> I buy refurbished laptops and install Fedora, but I might want
>>> to try *BSD or Ubuntu or something else in the future.  Doesn't
>>> the "silver lining" restrict that with these UEFI laptops?
>> 
>> It does indeed lower the overall value to the buyer -- which is
>> why we're not satisfied with the concept of "secure boot", even
>> if a board maker puts our keys on the device: we want to sell
>> hardware, and providing a device the user can do whatever he
>> wants to independent of us is a more competitive selling position
>> than selling, essentially, a "locked" device.
>> 
>> This is not a good move for the industry for this exact reason.
>> Of course, laptop makers think this means they will be able to
>> sell one device per instance/OS a user wants -- but especially in
>> the consumer space this is wishful thinking.
>> 
>> If standard UEFI situation ever moves from "user disable-able" to
>> "always on by default" then every device sold will essentially be
>> a locked device that requires jailbreaking to work properly.
>> Offering unlocked devices is far more competitive -- but the
>> dialogue of the industry has made a mystical security claim that
>> lay users don't understand and magically transformed 
>> vendor-jailing of devices from a usability impediment into a
>> must-have feature.
> 
> I wouldn't be surprised if SB became "un-disable-able" in the next
> few years. We'd then have to use an MS-signed shim to boot, as is
> now the case with the default Fedora and Ubuntu SB setups.
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQEcBAEBAgAGBQJRL7IrAAoJEPQM1KNWz8QadQ8H/jQCPdNYn48NF7d4gMApltt2
q23jgD12vksdM0hzhxbMaJhHJGBTNtatgambocYLNr4IcgjrAFlVvwXHLErpNA6c
qx2vMSG4SDKUCetI6lJ30oC8Z0O0oaWzcXlPd1LTrL8eLOqIgh0h2+QFhI5TaaW5
RFNRCS+rSG+QwindFwuA0yIDGTiwJNOW0Orod+/+tuLl2u8WrJZi1leYnsb0qVRh
esoshMH8cHHxlgLQztM4TvEC5AqhgroxdUYsIi/7JCAX5qFyc5icPvI+cX28mv5J
htJwwDuNI/atCYOL+Htf+1nBgDM/wf6MV0ft2D/xB6ZkCvmGN7/zyTDkDgelXLo=
=Fl7J
-----END PGP SIGNATURE-----