
New SecureBoot Concerns Arise With Windows 10


  • @luke: Your solution would render any locked-down Windows desktop running Linux into a Hacking-Tux.

    How many people run a Hackintosh nowadays ? Virtually no one.
    So free software would be practically dead, while now there are (10's/100's of) millions of users.


    What I propose comes down to the right to boot free software.
    By having a 'free software' cert as part of Secure Boot.
    Which results in verified boot of signed free software.

    Even on locked-down desktop boards you still would be able to boot (signed) free software.
    Dual boot would still be possible.

    Everyone would be (more or less) happy, just not Microsoft.

    People tend to focus on "do we want Secure Boot or not".
    Which is not a question anymore, it's there already, and we probably can't stop it.

    The real question as I see it:

    Can people be denied the right to run free software ?

    Which is a moral/political question, not a technical one.

    With (possibly, I'm not a UEFI/SB specialist) a simple technical solution.

    Comment


    • I never rely on an uncertain political victory

      Originally posted by ossuser:
      @luke: Your solution would render any locked-down Windows desktop running Linux into a Hacking-Tux.

      How many people run a Hackintosh nowadays ? Virtually no one.
      So free software would be practically dead, while now there are (10's/100's of) millions of users.


      What I propose comes down to the right to boot free software.
      By having a 'free software' cert as part of Secure Boot.
      Which results in verified boot of signed free software.

      Even on locked-down desktop boards you still would be able to boot (signed) free software.
      Dual boot would still be possible.

      Everyone would be (more or less) happy, just not Microsoft.

      People tend to focus on "do we want Secure Boot or not".
      Which is not a question anymore, it's there already, and we probably can't stop it.

      The real question as I see it:

      Can people be denied the right to run free software ?

      Which is a moral/political question, not a technical one.

      With (possibly, I'm not a UEFI/SB specialist) a simple technical solution.

      So we hope, but even as much as I am involved in politics I never, ever bet my safety or security on decisions made by the very people I am protesting. Always I prepare for the possibility of defeat in any battle I fight, and have a fallback position ready. The fallback positions available if we are defeated by M$ on stopping fully locked MS machines are to stockpile, to use exploits to defeat the bootlockers, or if we are rich (I am not) to have chips custom fabbed. You will never see a $1,700 Lenovo machine sold with Linux in my hands simply because I have never possessed any kind of electronic item that expensive and do not have that kind of money. Thus if we lose this fight and even the aftermarket boards end up locked to Windows I get the choice between using exploits to boot Linux or switching back to improvised analog equipment and film cameras. Under no circumstances will I allow my files and data to be stored on anything that answers to Microsoft, Google, or Hollywood.

      All you gamers out there that play war games should understand this: in any way, you always assume that the enemy will choose the most damaging course of action available to him, and always prepare to deal with the worst. So it is on this issue for me. Let the computer industry understand that a lot of people won't pay a penny for their locked-in paperweights, just like Micro$oft got stuck with all those unsold Windows Surface RT tablets.
      Last edited by Luke; 26 March 2015, 01:44 PM.

      Comment


      • This move is a wrong one considering the political consequences it may have regarding other non-US parties which want a share of current IT markets. Even if certain Linux distributions (Ubuntu, Fedora, SUSE etc.) are included into UEFI club, it implies a US and western only operating system scene in which all other ventures by third parties will be considered alien and untrusted. This will speed up initiatives by other polar centers like China and Russia to create their own IT industry bases. This move has a bunker mentality built into it and carries a great risk of slow isolation for the perpetuators involved including Microsoft and Intel.

        Comment


        • Originally posted by glxextxexlg:
          This move is a wrong one considering the political consequences it may have regarding other non-US parties which want a share of current IT markets. Even if certain Linux distributions (Ubuntu, Fedora, SUSE etc.) are included into UEFI club, it implies a US and western only operating system scene in which all other ventures by third parties will be considered alien and untrusted. This will speed up initiatives by other polar centers like China and Russia to create their own IT industry bases. This move has a bunker mentality built into it and carries a great risk of slow isolation for the perpetuators involved including Microsoft and Intel.

          Don't forget that a lot of hardware (as in motherboards, videocards etc.) is manufactured in China, Korea and Taiwan.

          Correct me if I'm wrong, but the UEFI PK (platform key) is theirs, so they sign Microsoft's key.

          Comment



          • Originally posted by ossuser:
            Don't forget that a lot of hardware (as in motherboards, videocards etc.) is manufactured in China, Korea and Taiwan.

            Neither CPUs nor any microchip by US corporations are produced in China. They only assemble PCBs and only because it's cheaper there. This gives them 0% leverage against USA. Korea and Taiwan on the other hand can't object to their big brother USA on this matter, they don't own any IP to the chips they produce nor to the fabrication processes. They don't produce any CPUs either, TSMC fabs nVidia GPUs, that's all.

            PS. What I'm talking about is already happening right now as we speak: http://www.reuters.com/article/2014/...A4J07Q20140520

            Originally posted by ossuser:
            Correct me if I'm wrong, but the UEFI PK (platform key) is theirs, so they sign Microsoft's key.

            Can you elaborate more on this coz I don't understand this UEFI Sickure Shit. Who owns the platform key and what does it mean that they sign MS key?
            Last edited by glxextxexlg; 21 May 2015, 02:04 PM.

            Comment


            • Originally posted by glxextxexlg:
              Neither CPUs nor any microchip by US corporations are produced in China. They only assemble PCBs and only because it's cheaper there. This gives them 0% leverage against USA. Korea and Taiwan on the other hand can't object to their big brother USA on this matter, they don't own any IP to the chips they produce nor to the fabrication processes. They don't produce any CPUs either, TSMC fabs nVidia GPUs, that's all.

              PS. What I'm talking about is already happening right now as we speak: http://www.reuters.com/article/2014/...A4J07Q20140520

              Can you elaborate more on this coz I don't understand this UEFI Sickure Shit. Who owns the platform key and what does it mean that they sign MS key?

              Take a look at this document:


              Comment


              • Originally posted by ossuser:

                Thanks, this clarifies much about the UEFI secure shit. The fact that in order for a platform to boot they must have a key exchange key assigned to them (KEK) and it must be:

                "At some future time, an operating-system- and vendor-neutral certificate authority should be
                established to issue KEKs for third-party hardware and software vendors."


                I won't be surprised if this authority is based in the western hemisphere of our planet, which is my point after all. And probably it will have a structure akin to IANA (Internet Assigned Numbers Authority) which oversees domain name - IP registrations worldwide and is heavily criticized by governments like Brazil, Russia, China, India etc. for not having a global governance (if it ever really materializes, that is, and there's no guarantee for that too).

                Fragmentation of the IT industry will be a much bigger problem than we can imagine. It will create a cold war style paranoid environment which is not only TV and radio signal wars now but at a much greater scale encompassing every byte and bit in the information scene. The openness and flexibility of the PC and server platforms must be preserved, otherwise we will have madness.
                Last edited by glxextxexlg; 22 May 2015, 12:10 PM.

                Comment


                • Please be aware that the linked document only reflects the opinion of the Linux Foundation.
                  As you can see on this list (http://www.uefi.org/members), they are only one of many.

                  Comment


                  • today and still;
                    (U)EFI, a non-standard binary blob for the manufacturers to keep screwing up, uniquely for themselves.
                    Microsoft Secure Boot, still a Restrictive Boot just as Stallman described.
                    ...aka, nothing has changed.

                    Comment


                    • scjet
                      It has actually gotten worse this year. In the wake of the BootHole vulnerability, Microsoft has stopped signing new bootloaders.

                      The reason is that the large number of revocations has already filled the UEFI-specified storage for revoked hashes to 50%. Until a solution is found, no new bootloaders will be signed. More discussion: https://github.com/rhboot/shim/blob/sbat/SBAT.md

                      Comment
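
The last post links to SBAT as the answer to hash revocations filling the revocation store. As an added example (not from the thread and not the shim project's code), here is a simplified model of SBAT's generation-number check next to the per-binary cost of hash revocation; the sample metadata, the `grub.example` entry and all function names are constructed for illustration.

```python
import csv
import io

# Constructed .sbat metadata for a hypothetical bootloader build. Fields per
# row: component, generation, vendor, package, version, URL.
SAMPLE_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
grub.example,1,Example Distro,grub2,2.04-1,https://distro.example/grub2
"""

# Constructed revocation data: lowest generation still accepted, per component.
SAMPLE_REVOCATIONS = "sbat,1\ngrub,2\n"

SHA256_DBX_ENTRY_BYTES = 16 + 32  # owner GUID + SHA-256 digest per revoked binary


def parse_generations(text):
    """Return {component: generation}; malformed rows raise ValueError."""
    result = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) < 2 or not row[1].strip().isdigit():
            raise ValueError(f"malformed SBAT row: {row!r}")
        result[row[0].strip()] = int(row[1])
    return result


def violations(binary_sbat, revocations):
    """List (component, found, required) for every component below the floor."""
    have = parse_generations(binary_sbat)
    floor = parse_generations(revocations)
    return [(name, gen, floor[name])
            for name, gen in have.items()
            if name in floor and gen < floor[name]]


def is_allowed(binary_sbat, revocations):
    """Fail closed (assumption of this model): no metadata means no boot."""
    if not parse_generations(binary_sbat):
        return False
    return not violations(binary_sbat, revocations)


def hash_revocation_bytes(revoked_builds):
    """Space a hash deny-list needs when every vulnerable build is listed."""
    return revoked_builds * SHA256_DBX_ENTRY_BYTES
```

One `grub,2` line revokes every build that still declares generation 1, whereas a hash deny-list grows by 48 bytes for each distinct vulnerable binary.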
