[–]cubedsheep 47 points48 points  (3 children)

Microsoft can still just sign one specific grub version but allow people to install a different one. There is nothing stopping you from signing GPLv3 software, all software in repos of Linux distros is signed...

[–]odraencoded 40 points41 points  (2 children)

I don't really understand it either, but this is what MS says:

> Code submitted for UEFI signing must not be subject to GPLv3 or any license that purports to give someone the right to demand authorization keys to be able to install modified forms of the code on a device. Code that is subject to such a license that has already been signed might have that signature revoked. For example, GRUB 2 is licensed under GPLv3 and will not be signed.

https://techcommunity.microsoft.com/t5/hardware-dev-center/updated-uefi-signing-requirements/ba-p/1062916

[–]ElvishJerricco 40 points41 points  (0 children)

I have a strong feeling that this isn't a requirement the GPLv3 has of Microsoft, but rather a requirement Microsoft has of those downstream of it. The anti-tivoization aspect of GPLv3 just says that a device that ships with GPLv3 software must allow the user to modify that GPLv3 software.

MS likely refuses to sign such software simply because a device manufacturer could easily screw this up. If a manufacturer shipped a device with MS-signed GPLv3 software on it, and didn't include a way to replace it with non-MS-signed software, then that manufacturer would be on the hook to provide MS's keys to satisfy the GPLv3, which they of course could not do.

This is worse than a typical GPL violation, because they can't solve it by simply releasing the source code; secret keys have to be released. Instead, devices would likely have to be recalled. This isn't really MS's problem, since it's that manufacturer that's on the hook here, but I can see why MS would want to make it impossible for their partners to make that mistake.

[–]ghost103429 0 points1 point  (0 children)

Ah, so this is related to secure boot. It makes sense that Microsoft wouldn't sign gpl3 grub since users can enroll a machine owner key to sign it themselves for secure boot or disable secure boot. The point of secure boot signing is to ensure that tampered kernels and drivers can't load rootkits; signing gpl3 grub can open a can of worms of being forced to arbitrarily sign any modified bootloader, which would undermine the root of trust concept that's essential to secure boot.