Re: Q: secure boot
- Date: Tue, 6 Nov 2018 09:14:03 +0800
- From: Paul Wise <pabs@xxxxxxxxxx>
- Subject: Re: Q: secure boot
On Tue, Nov 6, 2018 at 6:53 AM Adam Borowski wrote:

> Another question: do we want it? It's beneficial only if you can not only
> add your own keys but also _remove_ built-in ones, and typical "consumer"
> machines don't allow that.

AFAICT the Debian Secure Boot packages are not designed for the
scenario where only Debian keys or per-user keys are trusted by the
firmware; if they were, then shim-signed would be named
shim-signed-microsoft and there would be a shim-signed-debian package.

In addition, IIRC in such a scenario you still have to trust keys for
the non-CPU firmware (VBIOS?), so you probably won't be able to
actually remove any of the built-in keys.

In addition, the revocation situation is just ridiculous. There is no
way to revoke known-insecure (but still validly signed) software from
every vendor that supports secure boot.

So, really the only reason to support Secure Boot is to avoid users
having to turn Secure Boot off in their BIOS and avoid having to
document how to do that on every firmware implementation that is being
shipped on new hardware. I think it is definitely worth the effort to
do this to avoid turning people away to other distros.