From: George Dunlap
Subject: Re: Xen 4.3 development update, and stock-taking
Date: Thu, 17 Jan 2013 17:22:49 +0000
Message-ID: <50F83369.3060607@eu.citrix.com>
In-Reply-To: <50F832D802000078000B6EE6@nat28.tlf.novell.com>
To: Jan Beulich
Cc: Konrad Rzeszutek Wilk, "xen-devel@lists.xen.org"
List-Id: xen-devel@lists.xenproject.org

On 17/01/13 16:20, Jan Beulich wrote:
> But there might be some fundamental understanding issue here:
> I take it that it is not a property of a system whether one wants
> secure boot, but a request of the owner of the system. If (s)he
> wants to boot securely, then of course anything that isn't signed
> doesn't even get loaded. If (s)he wants to boot "normally", the
> shim gets left out of the picture, and off we go. But maybe I'm
> wrong with that?

As I understand it, the whole reason Fedora and Ubuntu are going through this whole hassle with secure boot is:

* Microsoft requires a system to ship w/ secure boot enabled to get "MS Certified" for Windows 8
* The vast majority of desktop systems will be shipping with Windows 8, and so will want to be certified
* Therefore the vast majority of desktop systems will ship w/ secure boot enabled
* MS requires that secure boot be able to be disabled; however
* Each EFI system will be different, so it will be impossible to provide instructions on how to do so
* Furthermore many EFI systems may be buggy, so it may still not be possible to disable EFI

So for the vast majority of desktop systems, saying that secure boot was "a request of the owner of the system" is false. They didn't ask for it to be turned on, and it may be difficult or impossible to turn off.

-George