At its WinHEC hardware conference in Shenzhen, China, Microsoft talked about the hardware requirements for Windows 10. The precise final specs are not available yet, so all this is somewhat subject to change, but right now, Microsoft says that the switch to allow Secure Boot to be turned off is now optional. Hardware can be Designed for Windows 10 and can offer no way to opt out of the Secure Boot lockdown.
The presentation is silent on whether OEMs can or should provide support for adding custom certificates.
(Score: 1, Interesting) by Anonymous Coward on Saturday May 30 2015, @09:04AM
Yes, it does make a practical difference. It is a pain in the arse to sign all your boot code. Maybe you could install someone else's key that most distros then use, but if it is widely available to be used for signing it won't make good security, and at that point you might as well turn it off.
Yes, secure boot does really make it more secure, but the risks are minimal for me anyway, and thus the benefits of having it disabled are outweighed by the risks of having it disabled.
To clarify, I'm just referring to my own risk/benefits; I recognise that it can be an overall benefit to many users and am not trying to argue otherwise.
And it increases the barrier to entry, reducing the number of new users willing to give it a try.
(Score: 2) by maxwell demon on Saturday May 30 2015, @11:01AM
Then someone should write a utility that makes it easy. I don't see why the utility would need a user interface more complicated than
where the first argument is the name of the unsigned boot loader file, the second names the file containing the private key, and the final argument specifies where to write the signed bootloader.
The Tao of math: The numbers you can count are not the real numbers.