←back to thread

Linux and Secure Boot certificate expiration

(lwn.net)
253 points pabs3 | 1 comments | 18 Jul 25 03:53 UTC | HN request time: 0s | source
Show context
greatgib ◴[18 Jul 25 06:46 UTC] No.44601921[source]
It's totally crazy that we have to go through Microsoft to sign things to be able to have our OS run on third parties computers, and that Microsoft manage to win about this so easily as it was never seriously challenged.
replies(7): >>44601962 #>>44602085 #>>44602088 #>>44602288 #>>44602373 #>>44602674 #>>44615523 #
sugarpimpdorsey ◴[18 Jul 25 07:50 UTC] No.44602288[source]
It makes more sense if you view it for what it is: Honest Satya's Certificate Authority.

Microsoft showed they can semi-competently run a PKI. The end.

Now had the Linux folks stepped up to the plate early on, instead of childishly acting like Secure Boot was the computing antichrist, the story might be different. But they didn't. We only have shim because some people at Red Hat had the common sense to play ball.

replies(7): >>44602337 #>>44602402 #>>44602511 #>>44602526 #>>44602770 #>>44603173 #>>44604349 #
flomo ◴[18 Jul 25 08:00 UTC] No.44602337[source]
Maybe this isn't a great take, but RedHat/LKF/etc could obviously run a 'semi-competent' PKI, and probably should be. But doing so would allow PC vendors to cleanly segment machines between Windows and Linux (+$$), so perhaps it made the best sense to lay-low and use MS infrastructure for this.
replies(2): >>44606462 #>>44610918 #
sugarpimpdorsey ◴[18 Jul 25 23:22 UTC] No.44610918[source]
This isn't really true.

MS uses three separate CA's to sign Windows boot loaders, third party bootloaders (including Linux bootloaders) and UEFI Option ROMs.

In theory, no manufacturer has to install all three as trusted. But it makes no business sense to do so - why have two separate hardware SKUs for the sole purpose of lock-in? Once word got out no one would buy from that manufacturer.

replies(1): >>44622134 #
1. flomo ◴[20 Jul 25 05:04 UTC] No.44622134[source]
Sure they would, if it would make them a buck. Lenovo for example already has separate models for pro ThinkPads with 'certified' Linux support versus the consumer line. Dell too. PC vendors already have 9000 SKUs, what's a few more?

Reminds me back in the day some vendors of Win 9x systems put something in the BIOS to prevent one from installing NT/2000. Gotta get the corporate model for that.