Thanks to all who responded with so much information.
I remember being deeply unhappy with the SecureBoot proposal at the time it was announced, and just as unhappy with the "fix/workaround" that the Linux distros developed in the form of the "shim". Not just because it all relies on the goodness of Microsoft's heart, but because the shim method itself appeared to provide a perfect stage for malicious modifications to the next thing the shim called, while still believing that everything was OK.
It is something of a double-edged sword, because due to Microsoft laying down the law to various OEMs regarding how things had to be, we have less of a mess than it could be - as starshipeleven points out above with regards to methods for booting ARM systems. But the viability of other operating systems on any hardware with SecureBoot is predicated on the benevolence of what could be broadly interpreted as a dictatorship... which has historically shown itself to be anything but benevolent.
Don't even get me started on some of the early ideas for UEFI, which included such wonderful insanity as "OS-free browser", "OS-free media player" and similar nonsense. There are several ideas for which UEFI applications would make sense - eg: a battery level tester for laptops so that if you try to boot it up at a charge where it might not get through boot (less of a problem with SSDs and <10 second boot times) it pops up a "please charge the battery first" message... but a web browser which may or may not get timely security updates? And has the ability to write to any FAT32 filesystem? Like, oh, the EFI partition? Uh...
Ars Technica reported that from Windows 10 the ability to disable SecureBoot would be optional, but I've not yet encountered a system where I couldn't turn it off; admittedly, with the exception of laptops I build other systems myself, so have no idea what desktop ODMs might be doing.
Why on earth grub will happily read a .cfg file from the EFI partition I have no idea; I'm surprised that that hadn't been identified (and abused) in the past. Well, actually, for all I know it has been but those using it have kept quiet...