by ashitlerferad 3729 days ago
Requires purchase of a certificate from one of the authorities Microsoft recognises (Verisign/Digicert/...) and then the signature of Microsoft on compiled bootloader code. Either way, you have to pay and you have to get Microsoft's permission.
3 comments

It certainly does not require FOSS users to purchase a license. There is already a shim loader signed by a MS-recognized authority, which ships with a signed copy of MokManager, which lets you register a "machine owner key" of your own choosing. You can then use that key to sign kernels for your own machine, or for anyone else who wants to go through the on-screen enrollment step to trust your key.

https://mjg59.dreamwidth.org/20303.html

No additional money has to change hands between anyone, and no additional permission needs to be granted from Microsoft to anyone. (You have to get the permission of someone with physical access to the machine during boot, but if your goal here was FOSS users controlling their own computing, it's a good thing that that permission is required.)

IFF you want to support the default set of keys installed on computers that ship with Windows. Secure Boot does not prevent you from installing your own keys; in fact, most Linux distributions do this already and just use a shim loader signed by Microsoft, while the rest of the chain is signed by custom keys (the keys are silently and automatically installed for you).
> IFF you want to support the default set of keys installed on computers

Which happens to be the case if you want to use an extension card with its own BIOS. If it is signed, what key is used? Can you re-sign it with your own?

IIRC, Secure Boot spec said there must be multiple trust anchors, i.e. it's not like "user's own or Microsoft", but there can be any combination of trusted CAs (and I bet there's NSAKEY somewhere, huh).

I'm not sure about the implementations and the real-world situation, but as far as I get it, with X.509, which Secure Boot generally uses, one should be able to put the exact card vendor's certificate (not the MS CA root one) in place to trust the extension card. (Sadly, I think there's no way to trust one specific signature.) I guess that's probably very non-trivial in practice.

At worst, one should be able to put in their own CA (to sign their own software) and be forced to add the MS CA to trust the third-party software as well. But - if the UEFI implementation allows user-defined CAs - it should be possible to run your own code without asking Microsoft's permission.

You can add your own without wiping the pre-installed ones.
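The key databases the thread keeps referring to (the pre-installed db on a Windows-shipping machine, and the MokList that shim's MokManager lets an owner add to) are stored as concatenated EFI_SIGNATURE_LIST structures from the UEFI specification. The following is an added example, not code from any commenter or from shim: it serialises and parses that format, and builds a constructed database where an owner's X.509 certificate and a SHA-256 binary hash are appended after a placeholder vendor entry rather than replacing it. The owner GUIDs and DER/hash payloads are placeholders, not real values.

```python
import struct
import uuid

# GUIDs from the UEFI specification that name the entry type of a signature list.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER = struct.Struct("<16sIII")


def build_signature_list(sig_type, owner, payloads):
    """Serialise one EFI_SIGNATURE_LIST; every payload in one list has the same size."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all payloads in one list must have the same size")
    sig_size = 16 + sizes.pop()  # each EFI_SIGNATURE_DATA is SignatureOwner GUID + payload
    body = b"".join(owner.bytes_le + p for p in payloads)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0, sig_size) + body


def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LISTs (the body of db or MokList).

    Returns (type GUID, owner GUID, payload) per entry. Length fields are checked
    against the buffer before use, since the variable contents are untrusted input.
    """
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated signature list header")
        sig_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        if sig_size <= 16 or list_size < HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("malformed signature list")
        data = blob[off + HEADER.size + hdr_size : off + list_size]
        if len(data) % sig_size:
            raise ValueError("signature data is not a multiple of SignatureSize")
        for i in range(0, len(data), sig_size):
            owner = uuid.UUID(bytes_le=data[i : i + 16])
            entries.append((uuid.UUID(bytes_le=sig_type), owner, data[i + 16 : i + sig_size]))
        off += list_size
    return entries


def sample_db():
    """Constructed db: a pre-installed vendor cert, then an owner cert and a binary
    hash appended after it; the original list is left byte-for-byte intact."""
    vendor = uuid.UUID("00000000-0000-0000-0000-000000000001")  # placeholder owner GUID
    owner = uuid.UUID("00000000-0000-0000-0000-000000000002")  # placeholder machine-owner GUID
    db = build_signature_list(EFI_CERT_X509_GUID, vendor, [b"VENDOR-CERT-DER"])  # placeholder DER
    db += build_signature_list(EFI_CERT_X509_GUID, owner, [b"OWNER-CERT-DER"])  # placeholder DER
    db += build_signature_list(EFI_CERT_SHA256_GUID, owner, [bytes(32)])  # placeholder SHA-256
    return db


if __name__ == "__main__":
    for sig_type, sig_owner, payload in parse_signature_lists(sample_db()):
        print("x509" if sig_type == EFI_CERT_X509_GUID else "sha256", sig_owner, payload[:8])
```

On a real machine the same parser can be pointed at the bytes of the db or MokList variable (minus the 4-byte attribute prefix efivarfs prepends) to list which trust anchors are actually installed.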
To be fair, I think this is only for tablet & mobile.

On desktops and laptops I've seen, there was a way for the end user to upload their own trusted certificates and use those instead of Microsoft's, and I think that when it's done like this (when, whatever the defaults are, the end user can get in control), Secure Boot is a good idea - even though the implementations are not.

I guess there must be some ignorant (or malicious) desktop/laptop vendors that don't provide key management options, but I hope there aren't many.