←back to thread

Linux and Secure Boot certificate expiration

(lwn.net)
253 points pabs3 | 2 comments | 18 Jul 25 03:53 UTC | HN request time: 0.417s | source
Show context
greatgib ◴[18 Jul 25 06:46 UTC] No.44601921[source]
It's totally crazy that we have to go through Microsoft to sign things to be able to have our OS run on third parties computers, and that Microsoft manage to win about this so easily as it was never seriously challenged.
replies(7): >>44601962 #>>44602085 #>>44602088 #>>44602288 #>>44602373 #>>44602674 #>>44615523 #
sugarpimpdorsey ◴[18 Jul 25 07:50 UTC] No.44602288[source]
It makes more sense if you view it for what it is: Honest Satya's Certificate Authority.

Microsoft showed they can semi-competently run a PKI. The end.

Now had the Linux folks stepped up to the plate early on, instead of childishly acting like Secure Boot was the computing antichrist, the story might be different. But they didn't. We only have shim because some people at Red Hat had the common sense to play ball.

replies(7): >>44602337 #>>44602402 #>>44602511 #>>44602526 #>>44602770 #>>44603173 #>>44604349 #
flomo ◴[18 Jul 25 08:00 UTC] No.44602337[source]
Maybe this isn't a great take, but RedHat/LKF/etc could obviously run a 'semi-competent' PKI, and probably should be. But doing so would allow PC vendors to cleanly segment machines between Windows and Linux (+$$), so perhaps it made the best sense to lay-low and use MS infrastructure for this.
replies(2): >>44606462 #>>44610918 #
1. danudey ◴[18 Jul 25 16:16 UTC] No.44606462[source]
Can easily imagine companies like Dell selling you a system with Ubuntu preinstalled but without Windows signing keys so you can't run Windows on an Ubuntu laptop (or vice-versa) with Secure Boot on an unmodified system.

Not out of malice, necessarily, but at least incompetence.

Likewise, having Microsoft signing the shim also means that any Linux installation with the signed shim can install on any system that supports Windows, whereas if RedHat had their own 100% comptent, rock-star PKI then a huge proportion of systems sold today would not be able to run Linux unmodified because the manufacturers wouldn't bother.

replies(1): >>44675181 #
2. hulitu ◴[24 Jul 25 19:46 UTC] No.44675181[source]
> Likewise, having Microsoft signing the shim also means that any Linux installation with the signed shim can install on any system

No. See certificate expiration.