[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-devel-list
Subject:    Re: future of dual booting Windows and Fedora, redux
From:       "Luca Boccassi" <bluca () debian ! org>
Date:       2022-07-29 14:47:18
Message-ID: 20220729144718.6487.23796 () mailman01 ! iad2 ! fedoraproject ! org
[Download RAW message or body]

> * Vitaly Zaitsev via devel:
> 
> 
> But they also say this:
> 
> > The default state of Secure Boot has a wide circle of trust which can
> > result in customers trusting boot components they may not need. Since
> > the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for
> > all Linux distributions, trusting the Microsoft 3rd Party UEFI CA
> > signature in the UEFI database increase[]s the attack surface of
> > systems. A customer who intended to only trust and boot a single Linux
> > distribution will trust all distributions–much more than their desired
> > configuration.
> 
> And this is an accurate description of the situation. 
> 
> Unfortunately, Fedora promoted this broken model with pervasive
> cross-distribution/cross-OS trust as well.  People are generally quick
> to criticize those who control a PKI, but very few organizations are
> willing to step up to hold the key material for the key of last resort
> because of the risk inherent to that.  Consequently, pretty much all
> distributions hide behind the Microsoft key, instead of running their
> own PKI and working with OEMs to get it accepted by the firmware.

I mean there are hundreds of distributions, and hundreds if not thousands of OEM. How \
could that even work? _maybe_ major OEMs would pick up the phone if it's Redhat, \
Canonical and maybe SUSE who are calling. What about everyone else? \
_______________________________________________ devel mailing list -- \
devel@lists.fedoraproject.org To unsubscribe send an email to \
devel-leave@lists.fedoraproject.org Fedora Code of Conduct: \
https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: \
https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: \
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not \
reply to spam on the list, report it: https://pagure.io/fedora-infrastructure


[prev in list] [next in list] [prev in thread] [next in thread]