I would like to draw attention of your UEFI engineers and product managers to possible consequences of adopting unregulated UEFI BIOS signing.
What is this all about?
UEFI secure booting is a means of booting an operating system while making sure that pre-boot environment (BIOS, boot loader) were not compromised by virus or malware.
As such, it is a nice idea for improving PC security. However, if not implemented carefully, it may have severe consequences on the software and hardware industry.
UEFI BIOS secure booting process manages security by refusing to boot an unsigned operating system. What is worse, it may prevent you from installing an unsigned operating system (such as Linux, FreeBSD, etc), or even from installing another brand of video card!
Since there is no central authority for UEFI signing keys, and the user has no control over signing key blacklists and whitelists, the only keys that will be guaranteed to be included will be Microsoft's keys. In practice, that means user will only be able to run Microsoft Windows 8 and its successors on such hardware, and system vendor (OEM) will dictate whether broken or outdated AMD video card can be replaced by new NVIDIA card simply by including or not including NVIDIA keys in the BIOS.
Not only this further extends Microsoft's monopoly on the PC market and allows for underhanded deals between hardware manufacturers, it also removes any control over software and hardware capabilities of the PC from us consumers.
If we analyze this "security" initiative further, it becomes clear that the ultimate goal is not to protect consumers from outside threats, but to prevent them from using "insecure" systems which can allow them potentially unrestricted access to, and manipulation of, copyrighted digital content.
I am posting this here on the ISN because Intel Corporation and its engineers working on UEFI are, knowingly or not, willfully or not, acting as enablers of this potentially damaging change in the software and hardware industry.
I urge all involved parties to carefully reconsider. Major Linux distributions may overcome this obstacle, but compiling your own kernel, and tinkering with software and hardware may become impossible in the near future.
To enable progress, our systems have to be open, not locked down.
For further information on this very important issue please follow the Matthew Garrett's journal: