[arch-general] UEFI secure boot

Wed Jun 6 07:35:15 EDT 2012

On Tue, Jun 05, 2012 at 04:54:58PM -0400, Joe(theWordy)Philbrook wrote:
> 
> It would appear that on Jun 4, Alexandre Ferrando did say:
> 
> > On 4 June 2012 22:27, Sudaraka Wijesinghe <sudaraka.wijesinghe at gmail.com> wrote:
> > > If this is a poll, I vote "Arch should require Secure Boot to be disabled"
> > >
> > > I choose a distro like Arch because it doesn't have a financial motive
> > > and will not give into market pressures such as this.
> > > If we want keep hardware vendors from forcing Secure Boot on us, we have
> > > to send the message out that we don't want it. Paying a "small" price of
> > > M$99 is not the way.
> > >
> > > However as free software users, we will have to endure some hard time in
> > > the coming days when getting new hardware.
> > >
> > > Just my two cents.
> > >
> > > Sudaraka.
> > >
> > 
> > I'd like to add something to what Sudaraka said:
> > 
> > Arch doesn't seems to have the same kind of user than fedora, Arch if
> > I don't remember it wrong, tends to be aimed for a competent user.
> > Such a competent user can disable secure boot in x86 devices. (ARM
> > devices doesn't seem a problem to Arch because  we don't do ARM)
> 
> And to that it appears that on Jun 5, Lukáš Jirkovský did add:
> 
> > Assuming the Arch Users are competent, I'd rather let them add an Arch
> > Linux key to UEFI without disabling Secure Boot. This way Arch would
> > work with Secure Boot with added security of no one messing with
> > bootloader in a harmful way.
> 
> 
> Speaking as an Arch user who is just barely competent enough for Arch with
> much dependence on google and Arch's most excellent wiki, I'd like to see
> Arch continue to do what I see as one of it's strong points.
> 
> Yes it insists on it's users having a certain level of competence. But it
> generally seems willing to include fairly detailed step by step tutorials
> and guides in it's wiki, to help those with less (or outdated) technical
> expertise become more competent.
> 
> So how about somebody who knows how to disable secure boot on x86 devices
> post a good howto in the wiki (or if that would be reinventing the wheel, a
> link to a good external guide.)?
> 
> And likewise, in case some Arch user should inadvertently acquire some PC
> where somehow the firmware option to disable "Secure Boot" wasn't there. How
> about somebody who knows how to add an "Arch key" to UEFI, posting a wiki
> tutorial for that?
> 
> Speaking for myself, I know I wouldn't have a clue how to do either without
> a good tutorial. And it's starting to sound like I'm going to have to know
> how to do one or the other by the time I'm ready for new hardware...
> 
> My current desktop is from 2005, and it hasn't shown any signs of failing
> {yet}... {{Please God let me find such a tutorial when it does fail...}}
> 

This is the arch-general mailing list not the microsoft windows mailing
list so why are we discussing this??

MS Windows needs secure boot because it is subject to so many malware
attacks, Arch Linux does not.

Arch Linux is a miminalist distribution and each user adds his/her own
customizations to their own setup.

Do we want to lose this option because M$ is too lazy or does not want to
do its job correctly. This is typical M$ BUMF make the user pay and screw 
them for all they can.

Each certificate will have to be privately signed because there is no
standard Arch Boot Procedure. 

BTW I read and understood the discussions referred to in the links to this
thread. 

John