Re: Of course! @Stuart again
"Thankfully on x86, the requirement is that the user must be able to add their own keys. This is not a trivial process however and differs between UEFI implementations. So immediately, anyone who has a desire or need to run an OS other than one of the select few, has a few more hurdles to jump over."
You are correct. Then again, security is not easy and if you desire to use any type of trusted boot you'll be installing certificates or TPM-like hardware. If you want to boot into an OS that isn't covered by the preloaded keys you'll just have to disable the Secure Boot thingy. No OS that I know of requires Secure Boot and probably never will on x86.
"Ever tried getting into the UEFI setup on a modern x86 machine? You need lightning quick reflexes, and an educated guess as to what button to hit! Been there, done that on a few machines."
The "educated guess on the correct button" for entering setup is just as problematic with or without UEFI. Cold boots help if you're too slow to react. ;-)
"Others have pointed out that there is a lot of code in the UEFI kernel."
I'm not disagreeing with that.
The whole debacle with UEFI reminds me a lot of the introduction of ACPI back in the 90s. Linus et al. were cursing it since it was much more complex code and thus prone to bad implementations (which was true), but it brought noticeably better power savings than APM from the get-go, and my problems with ACPI have been with computers from before the WinXP era.
"With the rush to get things to market, you can bet your bottom dollar that manufacturers won't be testing their code to ensure it's safe from malware (the intended target for Secure Boot), but you can guarantee the blackhats will!"
How do you propose they could ensure safety from malware? No-one does that and I still haven't found a vendor that didn't have bugs in their security software.
"I therefore believe that while there were some noble ideas in Secure Boot, it in all probability will not achieve what it ultimately set out to achieve"
So far I haven't seen reports of bypassing it. I'm sure there are bad implementations though.
"and will instead cause grief with all the additional things that can go wrong."
Look, there's all sorts of stuff that will cause grief to some parties, be it any new technology or the lack of it. OpenSSL has fucked up royally and caused a lot of grief, yet I'm still using their tech.
So far the Secure Boot problems I've seen and heard of have fallen into one category: how do I turn it off?