Except for that whole "secure boot" business, where I have to half-install a fedora or Ubuntu install in order to get a proper signed key, so that I can wipe the drive and install gentoo or arch.
Secure boot is optional in the UEFI spec. You don't need to enable it if you don't want it.
And a compliant UEFI firmware should let you provide your own trust keys. Which by default makes it more reputable and secure than the internet CA-model everyone else is willing to put their trust in.
So tell me what your problem is. I'm genuinely curious.
Seems Windows 10 is making secure boot mandatory. This means my problem is Microsoft is still playing the "embrace/extend/extinguish" game as usual, and the Halloween Documents are still totally relevant.
Please show me a compliant UEFI firmware that allows for custom keys. I'm genuinely curious.
What it says is not that it must be mandatory, but that being able to disable secure-boot is not a requirement. It's clearly sneaky, but it's not the same.
Note also that nowhere does it say that you can no longer install your own keys.
Some parts are what I'd call "sneaky", but this Windows 10 spec is not hijacking the x86 architecture to run Windows only, like you hint at either.
As for adding your own keys, I only have Intel mobos with UEFI and I've seen menus for adding them. This article from the Intel forums seems to give you some leads if you want to go looking:
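The "menus for adding them" mentioned above take keys in the EFI_SIGNATURE_LIST format that the UEFI spec defines for the PK, KEK, db and dbx variables. The following is an added example, not code from anyone in this thread: a stand-alone Python builder and parser for that format, so you can produce a db entry from your own certificate without trusting a distro vendor's key, and check what a firmware or a tool actually handed you before enrolling it. It assumes only the standard library; the sample certificate bytes are a constructed placeholder, and in real use you would pass the DER encoding of your own X.509 certificate (for instance from openssl with -outform DER). The owner GUID is an arbitrary value you choose to tag your own entries.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI spec: marks each entry as a DER-encoded X.509 certificate.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Fixed header: SignatureType (16-byte GUID) + SignatureListSize, SignatureHeaderSize,
# SignatureSize (three little-endian uint32), followed by the signature entries.
LIST_HEADER_SIZE = 16 + 4 + 4 + 4

# Constructed sample input (NOT a real certificate): stands in for the DER bytes of
# a certificate you generated yourself.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
# Hypothetical owner GUID; any GUID you pick to label your own entries works.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")


def build_x509_siglist(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in a single-entry EFI_SIGNATURE_LIST.

    Each EFI_SIGNATURE_DATA entry is SignatureOwner (GUID) followed by the
    certificate bytes; for X.509 lists the SignatureHeader is empty.
    """
    sig_data = owner.bytes_le + der_cert
    header_size = 0
    list_size = LIST_HEADER_SIZE + header_size + len(sig_data)
    return (
        EFI_CERT_X509_GUID.bytes_le
        + struct.pack("<III", list_size, header_size, len(sig_data))
        + sig_data
    )


def parse_siglists(blob: bytes):
    """Walk a concatenation of EFI_SIGNATURE_LISTs (the layout of the db variable)
    and return (signature_type, owner, data) tuples, rejecting malformed input."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HEADER_SIZE:
            raise ValueError("truncated signature list header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < LIST_HEADER_SIZE + hdr_size or end > len(blob):
            raise ValueError("signature list size exceeds buffer")
        pos = off + LIST_HEADER_SIZE + hdr_size
        if sig_size <= 16 or (end - pos) % sig_size != 0:
            raise ValueError("signature entries do not fill the list evenly")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def cert_in_db(db_blob: bytes, der_cert: bytes) -> bool:
    """True if the given DER certificate is enrolled as an X.509 entry in db_blob."""
    return any(
        t == EFI_CERT_X509_GUID and data == der_cert
        for t, _, data in parse_siglists(db_blob)
    )


if __name__ == "__main__":
    db = build_x509_siglist(SAMPLE_CERT_DER, SAMPLE_OWNER)
    print("db blob size:", len(db), "bytes")
    for sig_type, owner, data in parse_siglists(db):
        print("type:", sig_type, "owner:", owner, "data length:", len(data))
    print("sample cert enrolled:", cert_in_db(db, SAMPLE_CERT_DER))
```

Writing the result of build_x509_siglist to a file gives you the .esl that key-management menus and efi-updatevar-style tools consume; for the PK and KEK the same layout applies, except that updates to those variables additionally require an authenticated (signed) variable write.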
Thanks for the link. That's the first time I've seen an implementation. And I've looked at a bunch of devices from different vendors.
Unfortunately, this means that I can have my own key if I avoid tablets and laptops, and only build my own hardware. I'll still have to use Canonical or Red Hat's (possibly NSA/GCHQ-compromised) keys in order to have portable computing.