[coreboot] Feedback On Coreboot: the Solution to the Secure Boot Fiasco

ron minnich rminnich at gmail.com
Thu Jan 3 19:40:21 CET 2013

OK, after further thought, here's my take.

Two companies have defined a secure boot standard in such a way that
they can closely control what boots on future systems using the one
company's chips. This is a sea change from the original IBM PC design,
which encouraged people to boot anything, and included the
(copyrighted) BIOS listing on paper to further that end.

The current state is that the software company is becoming the
gatekeeper for what OS will run on systems built using the hardware
company's chips. Their end goal is that the software company becomes
the gatekeeper for what runs on almost *anything* -- not just x86.
Don't believe me? Read about ARM systems and Windows 8.

Vendors are now building systems based on this standard. People are
seeing that the situation is not quite as blissful as the two
companies have painted it -- that certain software will in fact be
locked out for a number of reasons, that there can be unexplained
delays in getting code signed, and that buggy EFI implementations may
lock people out in unforeseen ways.

The open source community's response has been to act in a way that
strengthens this model. They're doing all they can to find a way to
work inside these limits. Instead of pushing hard to use only hardware
that's really open, and doing what they can to relegate this (shown to
be insecure) "secure" boot to the dustbin of history, they're pushing
as hard as they can to make it succeed.

I find this quite perverse. There's lots of good hardware out there
that is not built around this lockin, and yet the open source
community is focusing lots of effort on making the lockin viable.

The open source community has pushed back on defective standards like
this before and won. Why they're rolling over now is a puzzling,
especially given the existence of alternatives. Put another way, I
think the secure boot standard needs the open source community more
than the open source community needs the secure boot standard, but the
open source community is not exploiting that fact. I guess part of it
is that so much of the open source community is contained in big
companies, but it's stil disappointing.


More information about the coreboot mailing list