Yesterday Matthew Garrett posted Implementing Secure Boot in Fedora, which was subsequently covered by Cory Doctorow in Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users’ computers. I find myself somewhat torn by the whole affair. I understand how the choice by Fedora to cough up $99 to have their shim bootloader signed by Microsoft can be seen as a sellout. But at the same time, if your goal is to ensure your distro is bootable without forcing the user to screw around with their firmware settings, I think Fedora has probably made the least-worst choice, and I think other distros should also consider evaluating this approach.
Speaking purely practically, a single $99 payment by a distro to cover a (presumably) infrequently updated shim bootloader, and thus have Linux work with UEFI Secure Boot, is not terribly onerous. Even if many distros did this, I don’t see it amounting to much of a revenue stream for Microsoft. And it meets the stated goal (make Linux run on new hardware with minimum user effort, or even awareness). So that’s fine as far as it goes.
I’m far less happy about it from a political perspective, where this amounts to supporting another instance of what I’d call The Certificate Cartel, a term I used to apply to SSL CAs.
So, like I said, I find myself somewhat torn by the whole affair.
Frankly I’m astonished that it’s that simple, and grateful to Microsoft that they would do this for such a reasonable price. It’s not a bad idea to protect the bootloaders (but it’s hardly sufficient in itself!). Will they also sign bootloaders for ARM systems, I wonder? If so, I will apologise for my previous scathing commentary on that topic.
Re: certificate cartel, we would need an alternative de-centralised signing system to avoid this. Web of trust, anyone?
Even better, from your linked article: edit: The $99 goes to Verisign, not Microsoft – further edit: once paid you can sign as many binaries as you want. That is very reasonable. I suppose they can sign generic bootloaders such as grub also, able to boot whatever operating system? So, what is the problem here?
Sorry for all the comments, maybe you can amalgamate them or get rid of some? He says “So kernels need to be signed”. It’s lucky we have kexec 🙂
Nah, it’s fine, thanks for the comments 🙂
A one-off fee to be able to sign as many binaries as you want makes this mostly a logistical question for distro releases IMO (sign shim bootloader once vs. sign many new builds of grub or whatever).
I’d be interested to see a WoT of some description happen (CAcert?), although that probably ends up being something that wouldn’t ever be used by random/new users who don’t want to (or don’t know how to) install extra keys into their BIOS.