by quirmian 2256 days ago
I see arguments (like one of the replies to your comment here), that you can turn off Secureboot - so simple, much wow.

Not all firmware allow you to turn off secureboot or enroll your own keys. You’ll see plenty of this on bios-mods.com if you want to know what that looks like. It also really throws into sharp relief questions around things like device ownership.

Let me tell you about my experience with an Amazon DeepLens device (x86-64) that I’ve been trying to get stock Ubuntu installed on. The only keys on this device are Amazon ones. This means I cannot install any OS other than the one they supply (a modified Ubuntu 16.04 install). If I own the device, shouldn’t I be free to install my own OS? If I own the device, and have physical control of it, I should be able to bypass secureboot, period - but not always the case today.

2 comments

> Not all firmware allow you to turn off secureboot or enroll your own keys.

Being able to disable Secure Boot and install your own keys is a requirement of the Windows 8 and 10 advertising requirements, so manufacturers almost always allow it so they can get some money from Microsoft for advertising.

That doesn't mean it's always possible, but I would humbly suggest that we shouldn't purchase such devices so that companies who make those devices learn to stop doing that. The fact that Microsoft managed to pull this shit with Windows RT is disgraceful.

> It also really throws into sharp relief questions around things like device ownership.

I don't disagree at all, and I do think that it's something we need to be very mindful of. But Secure Boot does solve real security problems.

> If I own the device, shouldn’t I be free to install my own OS? If I own the device, and have physical control of it, I should be able to bypass secureboot, period - but not always the case today.

I completely agree. Amazon shouldn't be allowed to sell such devices. But that doesn't invalidate Secure Boot as a concept, nor is it the fault of Ubuntu or anyone other than Amazon.

I can see how Secure boot solves real security problems. And I am definitely not blaming Ubuntu here.

However, it’s unfortunate that the Secure Boot technology (or maybe this is a licensing thing) by default does not make prescriptions, and that we’re reliant on the device manufacturer’s good will to see it implemented correctly.

How could a technology itself make prescriptions about the ways that the manufacturer lets you configure it?

Through licensing and/or certification requirements. Large companies take compliance seriously.

> It also really throws into sharp relief questions around things like device ownership.

There's no question about it: it's not ownership if the user doesn't have the keys to the device. The purpose of this technology is to ensure users can't run unauthorized software. Whoever authorizes the software is the true owner of the machine.

There are legitimate applications for this. Whether it's empowering for the user or not depends on how it's implemented. If people can use their own keys to sign the software they trust, it's fine. If they can disable the security, it's fine.

It's a problem when software is authorized by corporations or governments. That means the users of the machine are merely guests who are allowed to use the hardware provided they follow the rules. This is the true purpose of this technology, regardless of any potential benefits for users. The multi-billion dollar copyright industry would love it if this was the default for all computers. It's the only way they can guarantee the artificial scarcity of copyrighted works in the 21st century. Governments would really like to regulate software as well: encryption is far too powerful, it has the potential to frustrate even intelligence agencies and they can't deal with the fact civilians have free access to it.