UEFI is a new hardware standard nominally aimed at stopping malicious software, but it could also make it illegal to replace Windows or MacOS with GNU/Linux on your computer. The Linux Foundation has written a technical memo for hardware vendors explaining how they can ship PCs that still protect users from malware, without putting them in legal jeopardy for running free operating systems:
The recommendations can be summarized as follows:
All platforms that enable UEFI secure boot should ship in setup mode where the owner has
control over which platform key (PK) is installed. It should also be possible for the owner to
return a system to setup mode in the future if needed.
• The initial bootstrap of an operating system should detect a platform in the setup mode,
install its own key-exchange key (KEK), and install a platform key to enable secure boot.
• A firmware-based mechanism should be established to allow a platform owner to add new
key-exchange keys to a system running in secure mode so that dual-boot systems can be set
• A firmware-based mechanism for easy booting of removable media.
• At some future time, an operating-system- and vendor-neutral certificate authority should be
established to issue KEKs for third-party hardware and software vendors.