[liberationtech] Fwd: Firefox OS with built in support for OpenPGP encryption
johns at fsf.org
Fri Sep 20 12:04:14 PDT 2013

Blibbet <blibbet at gmail.com> writes:
>> (We call the bad version of Secure Boot, where the user does not have
>> the ability to modify the set of trusted keys or disable the system,
>> Restricted Boot.)
>> We have discussed the idea of trying to become a root key holder for
>> Secure Boot, working with OEMs to by default trust GNU/Linux distro keys
>> signed by us, but have been told that the cost of complying with the
>> requirements would be in the millions. We're still interested, if anyone
>> has funding.
> Can you please point to the source of this "millions" comment? I see
> UEFI Forum membership as being $2500/yr max for an org, and free for
> an individual. The latter can't influence codebase and has a 3 page
> license, the former can impact codebase and has a 9 page license.
Those are the costs for being just a member of UEFI -- what you were
suggesting originally was being a root key holder, able to sign
developer keys which can then be used to sign operating systems to boot
under Secure Boot equipped firmwares that ship recognizing that root
key. This would be nice, because then people wouldn't be so dependent on
Microsoft's Certificate Authority. But, this comes with the kinds of
costs you might expect from a secure operation to keep certs safe --
insurance, audits, running the process of signing developer keys, etc. I
don't know where all of the costs come from but I can see how they build

> So, has FSF looked at working with an IBV or a PC OEM, about doing a
> proper UEFI-based system with a proper Secure Boot feature that works
> with Linux?

Some -- resources for all of this are an issue. Also depends if by
"proper" you mean that it comes enabled and preloaded with trusted keys,
in which case see above.

>> In the meantime, we would love to receive any reports of x86 systems
>> purchased with Secure Boot that actually have Restricted Boot.
> BTW, here's latest status from Intel UEFI w/r/t Linux, a talk from
> last week's IDF:
> The speaker of that talk will be at a UEFI training event at a local
> hackerspace, answering questions on UEFI. If anyone has some good
> questions to ask him, I'll be happy to relay.

One thing that would make this whole mess better would be if drivers
could effectively be signed by more than one key. That would help lessen
some of the dependency on Microsoft, because drivers could be signed by
smaller party keys without having to drop Microsoft. I think this is
allowed for by policy and signing format but is not being implemented.

John Sullivan | Executive Director, Free Software Foundation
GPG Key: 61A0963B | http://status.fsf.org/johns | http://fsf.org/blogs/RSS
Do you use free software? Donate to join the FSF and support freedom at