[Nix-dev] [nixos] The necessity of UEFI Secure Boot
Third3ye
tredje0ye at gmail.com
Fri May 23 16:36:52 CEST 2014
Personally I had to disable UEFI secure boot by using the "other OS"
option... something which can cause severe problems for gaining access
to the operating system again, if the UEFI software completely
dumps the KEKs. I was lucky and somehow got back in without having to
resort to using a recovery USB stick. But I'm assuming this may be a
problem for other users, and seeing that more and more machines are
released using UEFI and Secure Boot, I feel this needs to be addressed.
Since, however, it's out of my league, I can only request that it be
taken into consideration that shim should take over as the default UEFI
solution. If not, there is another solution called rf boot... rl boot? I
can't remember. But here are a few articles that explain that it is not
only possible but also necessary. How we approach such a problem...
well, like I said: out of my league.
Here is a rather large article about the issue of implementing UEFI
Secure Boot in Linux.
"The Growing Role of UEFI Secure Boot in Linux Distributions"
http://www.linuxjournal.com/content/growing-role-uefi-secure-boot-linux-distributions
For those of you who may be concerned that UEFI secure boot is
challenging the presence of FOSS operating systems, the Linux Foundation
released a document stating why these fears are not accurate.
"Making UEFI Secure Boot Work With Open Platforms"
https://www.linuxfoundation.org/sites/main/files/lf_uefi_secure_boot_open_platforms.pdf
Conclusion of the article from The Linux Foundation:
"The UEFI secure boot facility is designed to be readily usable by
both proprietary and open operating systems to improve the security
of the bootstrap process. Some observers have expressed concerns
that secure boot could be used to exclude open systems from the
market, but, as we have shown above, there is no need for things to
be that way. If vendors ship their systems in the setup mode and
provide a means to add new KEKs to the firmware, those systems will
fully support open operating systems while maintaining compliance
with the Windows 8 logo requirements. The establishment of an
independent certificate authority for the creation of KEKs would
make interoperation easier, but is not necessary for these platforms
to support open systems."
Thank you for your concern, now back to the Wiki work...
Cheers!
Signed Third3ye