Secure boot and restricted boot in the eyes of Matthew Garrett

One of the most important people in the Linux world regarding secure boot is Matthew Garrett, recently of Linux giant Red Hat, now with Nebula, who writes about the nuances between secure boot and restricted boot in this post.

Here is a meaty quote:

“The x86 market remains one where users are able to run whatever they want, but the x86 market is shrinking. Users are purchasing tablets and other ARM-based ultraportables. Some users are using phones as their primary computing device. In contrast to the x86 market, Microsoft’s policies for the ARM market restrict user freedom. Windows Phone and Windows RT devices are required to boot only signed binaries, with no option for the end user to disable the signature validation or install their own keys. While the underlying technology is identical, this differing set of default policies means that Microsoft’s ARM implementation is better described as Restricted Boot. The hardware vendors and Microsoft define which software will run on these systems. The owner gets no say.

“And, unfortunately, Microsoft aren’t alone. Apple, the single biggest vendor in this market, implement effectively identical restrictions. Some Android vendors provide unlockable bootloaders, but others (either through personal preference or at the behest of phone carriers) lock down their platforms.”

I’m no expert on UEFI or secure boot. I do know that the traditional BIOS has had its day and then some, and for that reason I believe that UEFI is a step forward that we should all welcome.

The whole secure-boot part of the equation is more troubling, since it’s Microsoft in control of the keys — literally — and it seems both complicated and cost-prohibitive to strike out on one’s own with secure-boot keys.

That’s where guys like Matthew Garrett come in: He was untangling this for Red Hat and hopefully will continue to do so — and to keep us up to date in his blog.