No worse than without UEFI. The point is to bypass the UEFI restrictions, and rely on existing methods of trust -- like reputation and hashsum verification -- instead. Today, if I install a well known distro like Debian or Ubuntu or Fedora, I have a pretty reasonable belief that they're not trying to slip me a trojan. But it could happen.
With UEFI, there's still no guarantee that a distro won't contain a trojan. And with an all-distro UEFI-bypass key, there's still no guarantee. But in both cases, I can still reasonably believe that a well known distro isn't trying to slip me a trojan.
The point of an all-distro UEFI-bypass key is simply to avoid making the user turn off UEFI in the BIOS. So we would sacrifice the purported benefits of UEFI (anti-trojan), but we would still have exactly the same freedoms and risks that we have today without UEFI.
The Open UEFI foundation could state this clearly, so nobody has the illusion that UEFI is protecting against trojans, for the distros using the bypass key.
> "Approach #1: Create UEFI Secure Boot keys for your particular distribution, like Canonical is doing with Ubuntu."
: : : : ::
Approach #1B:
Instead of limiting it to your distro, let ALL distros share a central Secure Boot key infrastructure. Set up an open foundation to manage it.
Slashdot Mirror
"And what if my distro happens to be a trojan?"
No worse than without UEFI. The point is to bypass the UEFI restrictions, and rely on existing methods of trust -- like reputation and hashsum verification -- instead. Today, if I install a well known distro like Debian or Ubuntu or Fedora, I have a pretty reasonable belief that they're not trying to slip me a trojan. But it could happen.
With UEFI, there's still no guarantee that a distro won't contain a trojan. And with an all-distro UEFI-bypass key, there's still no guarantee. But in both cases, I can still reasonably believe that a well known distro isn't trying to slip me a trojan.
The point of an all-distro UEFI-bypass key is simply to avoid making the user turn off UEFI in the BIOS. So we would sacrifice the purported benefits of UEFI (anti-trojan), but we would still have exactly the same freedoms and risks that we have today without UEFI.
The Open UEFI foundation could state this clearly, so nobody has the illusion that UEFI is protecting against trojans, for the distros using the bypass key.
: : : : : :
Approach #1B:
Instead of limiting it to your distro, let ALL distros share a central Secure Boot key infrastructure. Set up an open foundation to manage it.