Greg KH wrote:
Secure boot is for HW vendors who want to turn PC's into locked-down pieces of HW that are only upgrade-able at the vendors' discretion.
Not at all, I want secure boot for my systems, with a key that I have control over, to ensure that no one else has installed a boot loader on it that I do not know about.
Who has access to the machine first? You or the vendor? Who has the first opportunity to lock it down? It has been openly discussed in the media that with Win8, MS is not requiring computers to be locked down prior to consumer sale in order to qualify for the Win8-ready, but for Win-RT HW, (portable, not PC, that is not true). It was also clear that MS said they were not requiring lock down *this* release. Additionally, it was noted that any vendor could use this to lock down the bios before sale so that you had to go through them for upgrades. Where did you get the idea that this was for your benefit? You will only have the opportunity to make use of this if it hasn't been already intialized by the vendor (as MS already requires on MS-RT-ready HW), and is speculated may require on some future version of PC HW. Those features won't be available to you if they are already locked down by the vendor.
I got a heads-up on this due to a faulty UEFI bios that occasionally complains about my not having a license to upgrade my memory configuration (which my Dell machine doesn't 'currently' need), but in the future, the UEFI Bios will allow the vendor have a lock on what HW you can put into your computer and have it boot as well as what SW.
No, not at all, you have control over this, you can put your own keys in the BIOS just fine.
You are conflating the TPM and the UEFI BIOS -- though they may interact and the latter may rely on the former for key storage. That said, the UEFI bios is about being able to enable or disable each piece of HW in the machine and to assess it's integrity (that it hasn't' been tampered with). This allows guarantees of secure boot to a secure platform, as defined by *vendors* not by users... as it can be used to allow access to online services and licenses only after they verify that you aren't using a compromised machine that could be used to copy their content or obtain un-paid-for-access to something. Sure you can put keys in it *now*... but if it was initialized and password before sale to you, you wouldn't be able to. You might say, well, I wouldn't buy a computer that way... indeed, I might say that -- but if 80-90% of the market goes with mainstream OS's like appleOS or MS, that might require a locked down computer, then the prices for that 10-20% (if they are that many), will sky rocket as the market for those computers will be small -- computer-savvy folk only -- mainstream consumers won't care. You only have control as long as not practical to take it away from you.
thanks,
You're welcome. *sigh* -l -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org