[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-devel-list
Subject:    Re: future of dual booting Windows and Fedora, redux
From:       Daniel =?utf-8?B?UC4gQmVycmFuZ8Op?= <berrange () redhat ! com>
Date:       2022-07-29 12:05:22
Message-ID: YuPNAtw5mHQ0/+ZY () redhat ! com
[Download RAW message or body]

On Fri, Jul 29, 2022 at 01:52:28PM +0200, Florian Weimer wrote:
> * Daniel P. Berrangé:
> 
> >> Unfortunately, Fedora promoted this broken model with pervasive
> >> cross-distribution/cross-OS trust as well.  People are generally quick
> >> to criticize those who control a PKI, but very few organizations are
> >> willing to step up to hold the key material for the key of last resort
> >> because of the risk inherent to that.  Consequently, pretty much all
> >> distributions hide behind the Microsoft key, instead of running their
> >> own PKI and working with OEMs to get it accepted by the firmware.
> >
> > Would the situation actually be any different in that case ? Assume
> > an alternate reality where hardware OEMs magically agreed to pre-install
> > 20 different keys for the various Linux vendors.
> >
> > You still have the same "problem" that you're running 1 specific vendor's
> > OS, but your firmware trusts the software from countless different
> > unrelated vendors for SecureBoot.
> 
> No, in this model, if you buy a Fedora server, it only boots Fedora
> until manual intervention.  I don't think this is a problem because
> Secure Boot with that very open signing policy is not very far from
> disabled Secure Boot.

Ah, so you mean getting the OEMs to preload the Linux OS distro
of choice, not merely preloading a distro's SecureBoot keys. 


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[prev in list] [next in list] [prev in thread] [next in thread]