Slashdot Mirror
Red Hat Clarifies Doubts Over UEFI Secure Boot Solution
sfcrazy writes "Red Hat's Tim Burke has clarified Fedora/Red Hat's solution to Microsoft's secure boot implementation. He said, 'Some conspiracy theorists bristle at the thought of Red Hat and other Linux distributions using a Microsoft initiated key registration scheme. Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative.'"
Color me unimpressed, and certainly concerned: "A healthy dynamic of the Linux open source development model is the ability to roll-your-own. For example, users take Fedora and rebuild custom variants to meet personal interest or experiment in new innovations. Such creative individuals can also participate by simply enrolling in the $99 one time fee to license UEFI. For users performing local customization, they will have the ability to self-register their own trusted keys on their own systems at no cost." From what I can tell, the worst fears of the trusted computing initiative are coming true despite any justifications from Red Hat here. Note that the ability to install your owns keys is certainly not a guaranteed right.
If anyone can pay $99 to get a key that lets them install malware in anyone's firmware, then there is obviously no security in the system. I'd have thought this would be excellent grounds for an antitrust investigation...
I am TheRaven on Soylent News
self-register their own trusted keys on their own systems at no cost.
How? Most reasonable mechanisms that could be envisioned would likely be considered an 'attack vector' in certain scenarios. I'm genuinely curious as to the mechanisms allowed for end-user key management in this sort of system.
XML is like violence. If it doesn't solve the problem, use more.
This can't be any worse...
Red Hat has faith in Microsoft. More fool them!
Take Nobody's Word For It.
rips Microsoft a "new one" in a class action and/or anti-trust suit
and Fedora/Redhat are feeble minded idiots for paying Microsoft,
Politics is Treachery, Religion is Brainwashing
for the other side of the house....
They advocated for a dual-boot system which would allow Windows for Pen Computing to co-exist along w/ Go Corporation's PenPoint OS --- then pulled the plug after the first systems were announced.
Jerry Kaplan's _StartUp_ should be required reading for anyone considering doing business w/ Microsoft.
It's ludicrous that one could purchase a system and then not be allowed to install arbitrary software on it --- why can't there be a mechanism for instantiating a particular key on a system which one has physical access to?
William
Sphinx of black quartz, judge my vow.
It will be released but not all the hardware vendors will sign on. Loads of tech people, like the ones here, will not buy it. It will flounder for a few years then eventually die off and go the way of microchannel.
Ill toss this one up there with Divix-DVD's and there pay per view, Sony memory standards, Micro-channel, and many other crappy ideas.
Doesn't this violate the "anti-Tivo" clause of GPL v3? Sure, the kernel is still on v2, but the system can't run without all the v3 stuff.
This will not stand, man.
Red Hat needs to research and make sure they are compatible with new and changing tech and UEFI is clearly one they need to make sure RH software works with. There are valid application for signed systems like this (think stuff like ATM) so making sure Linux works and even signed and validated to boot isn't a bad idea. But as we already suspect the general desktop environment isn't a good place UEFI should be used which is what people are afraid is going to happen.
I haven't delved deep into the details of UEFI but as long as the restrictions are only to boot valid signatures then RH and any other Linux should be fine and might even be desirable in some deployments. In fact a strong argument could be made that getting Linux and BSD onto these platform helps "keep them honest". Red Hat should be allowed to do this and we should continue to inspect RH's source which is a good goal brought about by Open Source. If it turns out that Red Hat does this and is not allowed to be entirely open about it then that would be the red flag but not before then.
For users performing local customization, they will have the ability to self-register their own trusted keys on their own systems at no cost.
If this is possible, can't any random distribution just ask the user to self-register their own keys for their hardware at installation time? I guess it depends on when the self-registration occurs and how it's done, which is not clear to me.
This post was generated by a Cadre of Uber Monkeys for Monkey-Man2000 (603495).
I won't buy any PC or motherboard with UEFI unless it can be disabled - and I will actively search for machines that refuse to implement UEFI at all. Frankly, this is a quisling move by RedHat. Microsoft bullied the PC manufacturers into this anti-freedom technology. Now RedHat is directly supporting Microsoft by paying into their protection racket. Before you know it, every computer will require a 'legitimate' - government/oligopoly authorized operating system. Just say 'No' to RedHat because they are giving money to a system that is sliding down that slippery slope toward removing your freedom to use your devices as you wish.
I'm not going to invoke Godwin, but *lots* of things start out as being "good-faith initiatives". I know UEFI has tons of advantages over a standard BIOS, and I'm a flat-earther for wanting to stick with the old tried and true methods, but anything that takes away control over hardware I own, especially anything that takes control and gives it to a multinational corporation, I'm passing right over.
And I assume plenty of other tech-minded people will do the same, and the system will fade off into the sunset.
As the author of the linked article, things have somewhat changed since then - the language in the hwcert docs makes it clear that the hardware can be configured into a state where keys can be added. Is it a guarantee? No, but it's as close as is possible to get in the technology world.
A lot of web severs run Linux.
I wonder if there is an analogy to DVDs and CDs... If you want to use the Genuine DVD logo on your shiny disk you have to follow eighty bazillion rules, at least some of which suck, and at least some of which are great ideas but people who suck don't want to do the right thing.
The logo people thought no one would ever buy round shiny disks without their holy logo of obligation inscribed upon it. Why the nerve of those barbarians to even suggest such a gauche idea as selling a shiny disk without our word of power.
Solution, ship your shiny round disk the way you want, without the Genuine Official Copyrighted Trademarked DVD logo. The consumers don't care, they just pop a round shiny disk in the player and it works, at least most of the time.
I'm trying to figure out if something like this could happen with UEFI, somehow.
Another option is the death of the preinstalled microsoft OS. If the legal barrier is just too high, start shipping free systems. Preinstalls suck and are absolutely sickeningly riddled with bloatware anyway, so first step is always to wipe the preinstall. The proverbial grandma won't be able to handle installing windows, I guess she will stick with the Ubuntu preinstall and probably not even notice the difference.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
..that almost every PC comes with Windows pre-installed in conjuction with Microsoft abusing this monopoly despite all the anti-trust affairs.
I know the M$ fanboys will point at Apple and their iOS devices, but the big difference is that Apple does not force other smartphone manufacturers to put iOS on their hardware, whereas PC manufacturers have to pay for not putting Windows on their PCs.
Given those circumstances, the fact that I'd have to pay $99 in order to install my own private Linux distro on my own private PC is just crazy.
Even if this is indeed a "good faith" initiative, what difference does *that* make? The tools for locking down and controlling all computing are being put in place, one small step at a time. When that "good faith" goes away in the future, the tools will not know the difference; they can be used in good faith or bad faith alike.
It's much like giving a genuinely good leader draconian legal powers. (S)HE may used them wisely to do actual social good, but in a hundred years when you have a despot at the helm, he'll have the same draconian things available.
Fucking STUPID. Since when in their entire history has Microsoft ever done anything in "good faith"?? Morons! *ALL * you need to do is read a few court cases...
C|N>K
"your owns keys is certainly not a guaranteed"
If I can't use a custom kernel and I can't load custom drivers, than there's no way anyone could convince me this UEFI/SB and the related signing misery is the way to go. I couldn't care less that some distros can sign their kernels and drivers and you can use those, because that essentially would imply a lock-in to a specific company's version - thanks but no thanks. Of course I can imagine how some companies would like it that way.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Don't buy a PC with UEFI and don't even try to keep one running when it craps out.
"From what I can tell, the worst fears of the trusted computing initiative are coming true despite any justifications from Red Hat here. Note that the ability to install your owns keys is certainly not a guaranteed right."
Okay chicken little the sky is falling.
Really? You can turn off the security settings in UEFI. Will you in the future? No but that is a slippery slope argument. The simple fact is that UEFI offers a layer of security that many users may welcome. As long as the end user can turn it off I am fine with it.
Now on the Windows ARM platform it can not be turned off which is just evil and should be looked into as a violation of anti-trust. Of course if you really hate the idea that is fine also. What is stupid is complaining that Red Hat paid the $99 fee. That like saying that a kid should stand up to a gang of bullies instead of giving them his lunch money even if they will beat him to a pulp.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
I'm assuming no one has yet noticed that the $99 fee is not going to last forever. From Microsoft's sysdev portal:
Moreover as others have mentioned here, it's not guaranteed that any hardware manufacturers will include the capability to register one's own keys. I certainly haven't heard of any yet.
// -- http://www.BRAD-X.com/ --
C'mon, it is very easy to solve the problem. Uses them same Microsoft CA that Flame worm is using.
SecureBoot is more a "reduce users power to change OS" than "protect from malwares", as Flame proved.
UEFI is an OEM Software Vendor's bald-faced grab at monopoly power. Microsoft would be the key generator. Redhat would pay Microsoft a one-time fee per user machine, which RH figures likely to be a one-time $99 fee. This charge would be per machine, not per user, as it is likely that no 2 computers on the same network can have the same key. How many linux users not running servers would be willing to pay their OEM Linux Software Vendor an extra $100 over the current cost of that software per machine? What impact would this have on the number of desktop linux users? How many would forego any switch from the Microsoft OS pre-installed for an extra additional $100, per machine?
IIRC, when Microsoft first began trying to compete with Server Software against the the Big Iron Server Vendors, flexibility in number of connected clients, and owning the HW and the SW license was considerably cheaper than an annual HW & SW service agreement. Digital Equipment, Silicon Graphics, and Sun Microsystems are gone, Microsoft has so much influence over HW manufacturers that an effort was made to rein in competition. Control of the UEFI Boot AUTH Key by a self-avowed SW monopoly would appear to, in one fell swoop, destroy a segment of the Desktop OS competition AND create a robust new revenue stream at the same time. The crony corporatists are greedy vampires, as one named John D. was quoted as saying "Competition is a sin."
So, which recently topping $1 Billion in revenues OEM SW Vendor just climb into bed, figuratively speaking, with Microsoft? Red Hat? Gee whiz, I wonder how many of Red Hat's plethora of desktop linux competition, or for that matter, any *nix-like OS Vendor would care for their product to be automatically boosted in price by $100 (minimum) to establish an UEFI Boot AUTH Key "Associate" account with Microsoft? When is More Evil just too much?
Free market capitalism, by definition, should be operating on a level playing field of regulation and enforcement. The greater and greater concentration of economic power and influence in the hands of fewer and fewer corporations is hardly an indication of a vibrant free market. But that is a symptom of corporatism, and when government is in alliance with those crony corporate interests instead of the general well-being of all taxpayers, it is called corporate socialism also sometimes known as national socialism or fascism.
Even if this comes to pass for companies like Dell and HP, I doubt the "enthusiast" system builders like Asus and Gigabyte will be locking down their motherboards. After all these are machines frequently built and tweaked from the ground up, and enthusiasts won't buy them if they're locked down and they have to install a specific OS version.
There's really nothing else to add here
the big concern is that Microsoft has a history of not playing well with others, but that was with Bill Gates running the show
Steve Ballmer (who dropped out of Stanford's business school to join Microsoft - i.e. he is a "businessman" in the good sense) is probably a little less cut-throat (or inclined to "compliance with raised middle finger") than Bill Gates - which is obviously just my opinion - and I'd gladly work for either Microsoft or Red Hat (I've used both company's software for years, but I'm not religious about either)
anyway, I'm still not convinced that "UEFI" is the next big thing, I'm willing to listen/try it - but taking a "trust but verify" attitude toward the whole thing
It ain't what they call you. It's what you answer to. http://mylyceum.us/
Oh really? Read this and tell me again how I can turn off secure boot on my ARM device. Because I won't be able to.
Saying that if you just quit your damn bitching and hold still, it won't be as bad as you imagine. Hell, once you've been slammed hard a few times, you'll hardly even notice it's happening.
If you were blocking sigs, you wouldn't have to read this.
Now using my electronics how i want is "certainly not a guaranteed right". WTF. Thats why we had DIY talents before, who was building companies in garage, and now we have army of "angry bird" players, because it is not easy to create something this days.
You can't reuse electronic parts. SMD. You need expensive tools to do that. Well, ok, let's say it is ok.
You can't reuse blocks and highly integrated IC's, because there is NDA for documentation and high fees to get this documentation.
And now, finally, soon you can't write your own low-level software, because your PC manufacturer will decide, what you can run, and what you can't.
I hope my car one day will not tell me, which road i can take, and which one i'm not allowed to go, because my car don't have license for offroad.
I wouldn't be surprised if Microsoft can pull this off.
The real problem starts when 'stolen' keys are going to be abused for malware / used for loaders, etc. Then phase 2 will come into play: "suddenly realizing" that you also need some kind of key revocation system for this to be secure. But in phase 1 you already locked yourself in.
You will be totally at the CA (Microsoft)'s mercy. Replacing Microsoft with some US-government agency will make things even worse.
When the copyright term is "forever minus a day", live every day like it's the last.
Oh, sure, you can disable the UEFI Secure Boot crap. But when I read the initial article a few days ago, the point I got was that Fedora's goal was to not require users to have to go to the trouble of manually disabling it. Win8 is going to require SB enabled in order to get the W8 sticker (I was unclear if W8 itself required SB, but if it did, it wouldn't work as an upgrade). So in order to install Linux, everyone must manually disable SB first unless the distro gets signed. And they can't just stop with signing the first stage boot loader, they pretty much have to have the kernel signed and have it check for signed drivers, otherwise there would be a hole that some eeeeeeevil malware could get through, which would be grounds for revoking the key.
Then there is also some kind of problem with driver modules (like in the ROM on PCI cards) also having to be signed, but apparently it has to match the OS key, and there's no room for more than one signature. So of course they'll get signed for Microsoft's key. This is bad, but it really doesn't have much to do with the particular problem at hand.
The problem I see is that the master key is revokable if a particular OS boot loader is determined to be insufficiently secure. No, your BIOS isn't going to get on the internet and update itself every time you boot (but let's not give Microsoft any ideas) and one day refuse to work; the problem is that six months from now, the BIOS in all the new motherboards on the market would say "hey this Fedora key, someone told me it's no good!" And people installing Linux for the first time would again have to manually disable SB until a new key and bootloader are produced. Since Fedora's goal was a no-fuss install, this is a failure.
And then there's the looming issue of what happens if Microsoft decides to require that SB not be disabled, as they have done on ARM. Sure, there are already a lot of ARM tablets that will never run W8, but if you get a good deal on a used or clearance W8 tablet, it's useless for anything but W8. But what happens if Microsoft decides that a manufacturer can't get a W9 sticker if you can disable SB?
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Unless I'm very much mistaken (please feel free to correct me) I'm seeing a lot of incorrect information around this. As I understand it: A) You can turn it off by going into the BIOS. Then you can boot anything you like. B) Each boot-loader for each individual OS requires signing by the manufacturer. As I understand it, Redhat were asked if they would be the custodians of 'one true' Linux key and they didn't want to be responsible for it on behalf of other distro makers. C) Redhat approached PC manufacters who were very receptive to their key being included with all hardware, however Redhat felt there would be an impression that they were levaraging their size as unfair competition. D) MS offered to sign distro's and OS's with their own key as long as the maker was registered with them for $99 which is surely below cost. Ideologically it is not ideal I agree but it could be worse no? Ideally some garanteed impartial third party would sign all OS's from one key. But who? Thanks for reading
So what's to prevent RedHat, or anyone else, from paying the $99 for a key, and then publishing it? This would let anyone sign their own distributions. If it can work, I'd happily post an oldmacdonald key.
I think people are blowing this secure boot problem a little out of proportion, and many like the author here are inferring that the problem is with UEFI its-self. I see UEFI as a good thing (as it has been for several years on the systems that already support UEFI). In the author's example, they complain that someone who rolled their own linux distro wouldn't be able to install it. This is a laughable idea to me, if someone has the skills to roll their own distro, why would they have a problem figuring out how to go into the UEFI config and disable secure boot? Second, we're really only talking about oem crapmachines like dell and HP/Compaq and the like which will have secure boot enabled by default to meet the Microsoft Windows8 logo certification. If an OEM like that sells machines with linux, I'm pretty sure the machine with ALSO ship with no secure boot and no logo sticker. If a user buys a machine, pays for a windows license, and still wants to wipe it out and run linux.. Somehow I fail to see how making one change in the UEFI config is a big deal.
If a user buys an asus (or whatever brand you like) motherboard, it's not going to be Windows 8 logo certified because it isn't a whole computer and I would hope would not have the secure boot enabled by default.
So, I think this is a case of mountains being made out of molehills. I only care because things like TFA seem to place the blame inappropriately on UEFI, and I've been waiting for UEFI on my machine for a very long time!
the UEFI secure-boot feature required to run Windows 8.
The only people affected by this are people who have supported MS by buying MS-spec hardware.
$99 for a keying license vs Sony's policy of simply not allowing other OSes ... I'd say, lesser of two evils.
-- A change is as good as a reboot.
In that case they'll simply revoke your key and you'll have to pay for another one (if you can even get one at that point). If Microsoft loses their key, it won't get revoked. See the SSL certificate issue they've had recently, a root CA would (and should) immediately revoke the whole Intermediate certificate if that happened with a small company but because it's Microsoft they won't.
The point of the system is that large vendors (like Microsoft) will have keys and you won't. Also malware creators (good ones that operate on a state-level) will have the keys (see DuQu, Stuxnet etc. for examples). But YOU won't.
Also, to insert/revoke keys there has to be an OS to EFI link (just like Mac OS X has one) so that will be the point where it will be exploited.
Custom electronics and digital signage for your business: www.evcircuits.com
Given that they talk about updating the set of keys, I'd be surprised if they couldn't revoke keys that are found to have leaked. They could also likely track back the signed code to the key that signed it, and thus put you on the spot.
Redhat could conceivably make their grub only load redhat-signed code by default. Might make sense for RHEL, maybe not for Fedora.
I remember a salesman from IBM coming to show us one of the early Microchannel machines.
He proudly told us about its wonderful security feature: if you changed any hardware, you could not boot it unless you had a magic floppy disk containing some magic security files.
Then he switched it on to demonstrate it. It was as dead as a dodo. He then remembered that he had removed a network card just before bringing it to us. And he had forgotten to bring the magic floppy with him.
Exit one very red-faced salesman. And we vowed never to buy any of that crap.
There are a couple things about Garrett's blog that have mystified me. I'm not saying he's wrong or anything, just that he says some things which can only possibly make sense, if there's something else which isn't be said. Seriously, please help filling in the blanks.
What happens if someone did that, but didn't take the "responsibility" seriously and didn't spend the millions of dollars? If there were a "Linux" signing key, but it were released to the public so that anyone (including malware authors) could sign their bootloader to UEFI's satisfaction, that would obviously nullify the point of secureboot but other than that, what would be the consequences?
Does someone have to post a bond to get a signing key (i.e. if you leak your key, it contractually costs you n megadollars)? Or is there some key revocation process, where that fact that some signing key is no longer trusted by the UEFI central authority, is somehow magically signalled to millions of Flash ROMs?
Neither of those ideas bear scrutiny. Is there a third deterrent?
(Where if I understand this correctly, the "very simple bootloader" is the thing that Microsoft is signing.) Why check that grub2 is signed, instead of just loading any old grub2? Obviously, the answer of course, is that doing that would defeat the point of secureboot but nevertheless it solves the problem created by UEFI. Other than making secureboot irrelevant, what would be the consequences of that?
Again: why? So what if the kernel or a kernel module lets you touch the hardware? At that point you've already booted and taken control of your machine, so secureboot can't stop you. Garrett's project has succeeded at letting Red Hat customers run Red Hat on their UEFI machines with default settings at this point. The problem is over, isn't it?
One idea that leaps to mind is that if Red Hat didn't say their bootloader would only load signed grubs2 and their grub2 would only load kernels which prohibit loading untrusted kernelspace code (e.g. unsigned modules), then Microsoft would refuse to sign their initial bootloader. But saying things and doing things are two different things. It's inconceivable that for a $99 fee, Microsoft has guaranteed that the Red Hat kernel never under any circumstances run not-Red-Hat-blessed code. I'm convinced their strategy can't be based on code-auditing or statements from those who create the code, that the code will never run other untrusted code. That's not viable. If you could audit a who kernel for $99 then Theo deRaady woudl be out of a hobby.
"Obvio
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Paying this fee to Microsoft will help guarantee Red Hat's remaining on top of the Linux world. They can afford to pay it. Many of their competitors probably can't.
Wow. I swear I used a real keyboard for that, not a tablet. Oh well.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
But you need to boot into the bios to do it, and RedHat doesn't want to make everyone do that just to boot Linux.
Then of course there's the conspiracy theory that says that just because UEFI supports it doesn't mean that all the vendors will actually give users the ability.
Under secure boot, the hardware validates the bootloader, the bootloader validates the OS, and the OS validates the userspace code.
Redhat could easily write some userspace code to talk to certain parts of the hardware and sign it with their key and it would be allowed to run just fine.
Currently you can stick in a USB stick and boot from it into a live RedHat image.
Under secure boot, if they go this route that will continue to work. If they go the self-registered route they need to get people to reboot into the BIOS, either add in a new key or disable secure boot, then reboot.
For most of us here this is no big deal, but for my grandma that would be a showstopper.
For installing onto your own machines you can add in arbitrary new keys for free.
If I want to create my own distro and allow other people to install it _without disabling secure boot or manually adding new keys_ then I need to pay $99.
Incidentally, it costs $99 to publish apps to the Apple app store, so this doesn't seem like a crazy price.
Red Hat pays $99 once to get their key included in the BIOS. This lets them boot up their bootloader (signed with their key) which then boots whatever they decide to allow--could be OS kernels signed with their key, could be arbitrary stuff. I'd guess that RHEL might lock things down tight by default, with Fedora being more permissive.
There is no per-machine fee.
"No thank you" to an offer to pay $99 to allow me to configure hardware and firmware that I have already paid for. I know which PCs I will not be purchasing.
Microsoft requires that UEFI machines hold only one key. If they revoke one key, well, that is the only one...
Rethinking email
means: we're too lazy to hash this out now but we'll be sure to act surprised when they screw us later.
Yet another reason to get better x86 support into u-boot. U-Boot is already everywhere, and seems to have won the race to be a BIOS replacement on every new platform. It works really well, POSTs and configures the machine generally in under a second, understands FAT/EXT2/etc well enough to directly load a linux kernel, yet is low level enough to just load a MBR like bootloader,etc.
Basically, it does what the BIOS should be doing (configure basic RAM/CPU/Disk/network, only enough to start something else).
Frankly, as I sit here waiting for my nice new IBM desktop machine to waste 5 minutes rebooting UEFI, I just want to smash the machine.
Yes, I also think they'll act, too bad they didn't do anything yet. If they wait too much, whatever they do won't make any difference. What are they waiting for?
Rethinking email
Can we disable Intel Insider? Who is asking for these Trusted Computing mechanisms? Surely it isn't the customers. I wouldn't want an UEFI motherboard with Secure Boot, and I won't be buying a Sandy Bridge chip either. I never found myself wishing my computer was more locked down.
"but money is the God of Algiers & Mahomet their prophet." - Rich. O'Bryen June 8th 1786
So don't fucking by an ARM device. How hard is this? There are already lots of ARM devices with forced secure boot.
Some kind souls are trying to disassembling UEFI
http://board.flatassembler.net/topic.php?t=14306&postdays=0&postorder=asc&start=0
Muchas Gracias, Señor Edward Snowden !
Buttle, pulling out UEFI chip: "Ah, there's your problem."
Lowry: "Can you fix it?"
Buttle: "No, but I can replace it with this."
How is this not extortion?
That used to be illegal.
I'm a huge Linux supporter--been using it full time for going on 9 years--but I'm also realistic. I don't think MS shooting themselves in the foot with Windows 8 will help desktop use of Linux as much as you think. Apple, sure, but Linux doesn't have enough mindshare among the public to get major OEMs to consider offering Linux preinstalled for consumers. Dell practically gave up on their Ubuntu offering, sadly.
I think it will take much longer for Linux to really benefit from MS's spiral. Maybe in a few segments of enterprise markets, but most won't want to use CrossOver Office. I think what is more likely is for MS to focus more attention on Office and other products and very slowly cede OS marketshare. Most consumers still care more about gaming and random Windows software, and that will hold back Linux adoption there.
Also, KDE and GNOME have, sadly, not reached the potential they had, say, five years ago. They could be killer by now, better and prettier and easier than OS X, but other than their FOSS values, they're no better than equal. They've become bloated and awkward, and they don't care enough about the product aspect to polish anything; they just keep adding stuff, letting half-baked stuff rot, and fantasizing, releasing components that are years away from being ready for general release (eg Akonadi, Nepomuk). The CADT model is the norm, and that doesn't make for a polished product that can compete with OS X in general markets.
But as long as Linux remains usable on desktop hardware. I'll be happy. I just hope this UEFI stuff isn't the beginning of. "First they came for the ..., and I said nothing..." In five years will it still be bypassable, or will that be a DMCA violation? Will we have to get a BIOS crack off TPB just to install Linux?
Holding back the tide gets tiring.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
Yes. Thanks for all that.
My concern is, what is their next move? What about the specification for UEFI 2? Will the bypass still be required? Will that be a DMCA violation?
Also, sadly, requiring the BIOS bypass will probably hurt Linux adoption by the general public more than you think. If people perceive it as disabling safeguards, many people will perceive Linux as dangerous. Being ignorant of the tech and of Microsoft's maneuvering, it's practically inevitable.
Apple probably stands to gain the most in the next 5 years.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."