感谢richard.gk的投递
从不久前的富士通UEFI boot触屏笔记本只能安装windows 8开始，到如今最火热的Windows On ARM 基于tegra3的 Windows Surface，他们都描述着2012年geek们最大的噩梦，操作系统单一不可更替。从微软推出UEFI规范后，Linux社区就开始强烈抨击其险恶用心，称这是最大的封闭，对硬件，对系统的封闭。

虽然微软和各大硬件厂商在windows 8未推出前，逐步使用了UEFI替代旧有BIOS系统，并声称不会锁死在单一系统启动要求上以及不停渲染UEFI带来的启动优势。


然而我们都知道，既然已经掉了一只靴子下来了，另外一只也肯定会掉下来。

UEFI成为2012主板新的规范已经被行业所接收，而且如其推广是承诺的那样，没有锁死启动系统的限制，以及对启动过程有着明显的提升让广大用户为其欢呼呐喊。而冷静的Geek们都看着这一切并不停祈祷着这一切都是杞人忧天。然而，在世界末日没有来临的2012，拥有标志性的WOA产品开启了UEFI锁定启动的新时代。

是的，这不是硬件本身的限制，而是产品厂商人为的限制。Tegra3在Android平台已经拥有了广大root用户群，Ubuntu也似乎在数天内会发布Ubuntu On Tablet/Nexus 7 / Tegra 3来表示linux开源社区正式进入移动市场，突如其来的消息让美梦变成了噩梦。

来自phoronix和Matthew Garrett的反馈

Linux On The Microsoft Surface Won’t Be Easy Posted by Michael Larabel on December 29, 2012

If you were hoping you would be able to run your favorite Linux distribution on Microsoft’s new Surface Tablet, it doesn’t look like it will be an easy task to accomplish.
After going through the state of Linux distributions handling SecureBoot, UEFI-guru Matthew Garrett confirmed via his blog that Linux on the Microsoft Surface is likely a lemon.
The challenge with loading Linux (or any non-Microsoft operating system) on the new ARM-based tablet is that while it implements UEFI SecureBoot, it doesn’t have the “Microsoft Windows UEFI Driver Publisher” key. This is the key used to sign Windows drivers and other non-Microsoft software (e.g. the signed Linux UEFI boot-loaders). Microsoft meanwhile has its own private key and this is the only UEFI SecureBoot key present on the Surface. Without the Surface having the “Microsoft Windows UEFI Driver Publisher” standard key, it’s simply not a matter of having OS boot-loader be signed already to have support for this tablet. Microsoft only wants its OS on their tablet.
The Microsoft Surface tablet is based upon NVIDIA’s Tegra 3 (T30) SoC with quad-core ARM Cortex-A9 1.3GHz processor, 2GB of RAM, storage capacities of 32GB or 64GB, and runs the Windows RT operating system. Being based upon the common NVIDIA Tegra 3 SoC, the hardware itself isn’t too attractive or unique. You can already find plenty of other Tegra 3 tablets on the market capable of running Android/Linux like the ASUS Eee Pad Transformer Prime, Google Nexus 7, Lenovo IdeaPad Yoga 11, and NVIDIA’s Cardhu reference tablet.
As Matthew mentions in his post, loading Linux or any other operating system to this first-generation ARM-based Microsoft Surface tablet would likely involve finding a vulnerability within the device’s firmware in order to execute arbitrary code.

由于微软通过UEFI限制了Tegra3的启动方式，整个root以及替换操作系统变得几乎不可实现，就算将来实现了，也一定不是替换原操作系统，而是嵌入的方法。

It’s after Christmas, and some number of people doubtless ended up with Windows 8 PCs and may want to install Linux on them. If you’d like to do that without fiddling with firmware settings, here are your options.

Ubuntu 12.10
The 64-bit version of Ubuntu 12.10 ships with an older version of Shim that’s been signed by Microsoft. It should boot out of the box on most systems, but it doesn’t have some of the most recent EFI patches that improve compatibility on some machines. Grab it here.

Fedora 18
Fedora 18 isn’t quite released yet, but the latest 64-bit test builds include a Microsoft signed copy of the current version of Shim, including the MOK functionality described here. Fedora 18 has some additional EFI support patches that have just been merged into mainline, which should improve compatibility on some machines – especially ones with Radeon graphics. It also has improved support for booting on Macs. You can get it here, but do bear in mind that it’s a test release.

Sabayon
According to the wiki, Sabayon now supports UEFI Secure Boot out of the box. I don’t know if the current CD images do, though. My understanding is that it’s based on the Microsoft signed Shim I discussed here, and you’ll have to manually install the key once you’ve booted the install media. Straightforward enough.

Other distributions
Suse will be using a version of Shim signed by Microsoft, but I don’t think it’s in any pre-release versions yet. Debian have just merged UEFI support into their installer, but don’t have any UEFI Secure Boot support at the moment. I’m not sure what other distributions are planning on doing, but let me know and I’ll update the list.

The Linux Foundation loader
The Linux Foundation have still to obtain a signed copy of their bootloader. There’s no especially compelling reason to use it – the use case it supports is where you have users who can follow instructions sufficiently to press “y” but not to choose to enrol a key. The most interesting feature it has is the ability to use the MOK database via the usual UEFI LoadImage and StartImage calls, which means bootloaders like gummiboot work. Unfortunately it implements this by hooking into low-level functionality that’s not actually required to be present, so relying on this may be somewhat dubious.

没被锁的UEFI已经逐渐在新版linux系统中被兼容和使用。 这双鞋子最终落地了吗？ 还没有，但愿这个噩梦会通过UEFI – linux – Sercureboot组织的努力，最终融入硬件厂商下一代UEFI bios的标准中，而不是现在这一套由微软主导的，产品厂商自行控制的UEFI所独占吧。

 

信息来源：http://www.cnbeta.com/articles/220408.htm