microsoft / secureboot_objects

Secure boot objects recommended by Microsoft.

Embedding in an open-source hypervisor impossible with current license? #138

Open stormi opened 3 days ago

stormi commented 3 days ago

I am the lead maintainer and release manager for XCP-ng, an open-source virtualization server currently in its version 8.3.

Among our users’ needs is Secure Boot for guests. To enable it, the VMs require the appropriate certificate databases in their virtual NVRAM: PK (provided by us), KEK, db, and dbx. If these are absent, the VM loads them from the hypervisor’s disk. But first, they need to be present on the hypervisor's disk.

Currently, based on the license for the Secure Boot objects as described in the README file, our understanding is that we cannot freely distribute these files with our installer and RPM packages. This is because the restrictions in your license terms impose additional conditions that are incompatible with open-source licenses.

For example:

> you may distribute the Secure Boot Objects to end users solely as part of the distribution of an operating system software product, or as part of the distribution of updates to an operating system software product; and you may distribute the Secure Boot Objects to end users or through your distribution channels solely as embodied in a firmware product or hardware product that embodies nontrivial additional functionality

We do not distribute an operating system in the traditional sense. Instead, we provide a virtualization platform. Each VM has its own operating system.

Additionally, there is no firmware product or hardware product involved in our case, as our product is entirely software, functioning to some extent as hardware and firmware, like any virtualization system. For instance, we use EDK2 to provide virtual firmware to UEFI VMs.

> copying or reproduction of the Secure Boot Objects to any other server or location for further reproduction or redistribution on a standalone basis is expressly prohibited

Although we would not distribute the objects on a standalone basis, these restrictions (and those highlighted above) conflict with the principles of Free Software and its licenses. We cannot impose additional constraints on our users, such as "you can use our product, but you cannot redistribute parts of it because Microsoft’s terms forbid it."

This significantly hinders our ability to deliver a seamless experience to our users, who must individually download the Secure Boot objects to add them to their XCP-ng servers.

I hope that the license terms described in the README file have been superseded by the BSD license included in License.txt. Please confirm whether this is the case. A fully free license for these objects would be excellent news.

Flickdm commented 3 days ago

@stormi I'm looking into this and will follow back up as soon as possible!