> But this breaks automatic updates without entering the BIOS
Maybe I’m misunderstanding a technical aspect here, but wouldn’t only the bootloader need to be signed? To my understanding, a tamper-proof system already assumes full-disk encryption anyway, so any kind of automatic update would be happening in a black box anyway, wouldn’t it?
> and is just not feasible except for the PC on your desk at home
That’s probably a different and more value-based discussion and I’m quite sure you didn’t intend it that way, but it’s hard for me to put into words how much this sentence structure offends me 😅
A benefit to the users in front of their personal computers can never be an exception, it is (… ought to be) always the point of everything, the end goal. Having a solution that benefits end users and puts other entities at a disadvantage is always preferable over a solution that puts end users at a disadvantage for the benefit of other entities.
I think I understand why you are offended by this sentence and I’m with you on the benefits of user freedom.
For the first part, yes, technically only the bootloader has to be signed; after that, the bootloader is trusted and should do “the right thing”.
What I meant was that manually entering the BIOS after an upgrade of the thing you want to boot into (e.g. grub) is not an option for computers that you can’t easily access physically, especially in large numbers and located somewhere other than your home. IMHO the system is not “silly”, but works well in these scenarios. I agree that it is not designed to be convenient for end users.