You have it backwards. One company holding the keys hurts personal choice for everyone.
And again you conflate software freedom with personal freedom. The needs of any particular piece of software are outlined in its license. My personal choice is to prefer hardware that works fine without non-free software, because I need a different level of trust than you.
> One company holding the keys hurts personal choice for everyone.
I understand why you like to hate on Microsoft (they have a long track record of playing dirty), but the actual keys that are preloaded into hardware that ships with UEFI are ultimately the choice and responsibility of individual OEMs (Lenovo, HP, Dell, etc etc), and some of them are directly accountable for major screw-ups in this area - while others ship systems preloaded with a free OS, and go the extra mile to verify that you have the means to install your own. Microsoft could give zero fucks about cooperating, but rather than making this an impossible problem to resolve between every individual OEM and every individual distro/OS, they chose to sign a shim, so that everyone can play with everyone. I do not dismiss this as a possible threat vector, but please consider the wider picture.
What I don't understand is why you're hyperfixating on hating Microsoft (which, 13 years in, still hasn't made an aggressive move in this area), while Intel[0] puts an entire dedicated core, with its own (completely opaque and unauditable) OS, network interface, and a long track record of security holes, into every CPU they've shipped in the last 15+ years, with no user choice/control over that whatsoever.
> [...] because I need a different level of trust than you.
Do you trust your CPU vendor - Intel? AMD? Apple? Qualcomm? Broadcom? Any other piece of silicon (hint: PCIe) that has unrestricted R/W access to your entire RAM? (Or did you even check if your system has an IOMMU, let alone who made it, how it's configured?)
I'm not dismissing the issue you're hyperfixated on, but the points you're raising are irrelevant in light of much more direct threats. You can't trust the software if you can't trust the hardware.
"Reflections on Trusting Trust" by Ken Thompson[1] is a 40-year-old classic; we are a looong way from that even if you dismiss hardware entirely and only consider trivial software-only supply chain attacks[2], and yet all you can see is the source code.
My own need for trustability includes the need to continue trusting my laptop after I've left it unattended for one minute. Secure Boot & co. is currently the most practical way to even detect boot chain tampering. Evil Maid[3] was described 15 years ago - this is centuries in the black hat world, and free software developers (yes - you and me) are the most valuable targets, because of our work's potential far-reaching impact on the community.
If you develop software, and dismiss this class of problems, you become a liability to your users and/or employer - they can no longer trust you.
> And again you conflate software freedom with personal freedom.
I do not conflate them, I recognise software freedom as an aspect of personal freedom - but ultimately it is your own personal choice which freedoms you value the most. The vast majority of people using FOSS are anything but interested in compiling their own bootloaders/kernels, because we don't do boot-chain development work and instead we want this part of the OS to be stupid, simple, reliable, and secure, so that we can be free to focus on our actual work.
The "stupid, simple, reliable, and secure" part is the very thing that's missing from the entire Linux ecosystem and why I'm usually a vocal opponent of everything-Poettering, choosing to run OpenBSD where I can - their FDE[4] is orders of magnitude simpler/easier to audit than the bloody mess that is UEFI-shim+GRUB+Linux+initrd+cryptsetup. Again, if you actually cared, you would be advocating for software that is easier to audit. Source code that you can't read/comprehend is no better than a binary blob.
You're free to empty your wallet to the corporation you mentioned, while really it's just pissing into the ocean.
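Added example, not code from anyone in this thread: the two checks the reply above asks about, run read-only on a Linux box. It reads the SecureBoot and SetupMode EFI variables from efivarfs (whose files carry 4 bytes of little-endian attributes before the variable data) and lists the IOMMU groups the kernel exposes under /sys/kernel/iommu_groups. The on-disk layout assumed is the stock efivarfs/sysfs one; the three sample trees built by `make_sample_tree` are constructed for offline demonstration and do not describe any real machine.

```python
"""Read-only check of boot-verification and IOMMU state on Linux.

Added example for the thread above; paths follow stock efivarfs/sysfs.
"""
import struct
import tempfile
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID from the UEFI spec; SecureBoot/SetupMode live under it.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_efivar(root: Path, name: str):
    """Return (attributes, data) for an efivarfs entry, or None if it is absent.
    efivarfs prefixes the variable data with its 4-byte little-endian attributes."""
    path = root / "sys/firmware/efi/efivars" / f"{name}-{EFI_GLOBAL_GUID}"
    if not path.is_file():
        return None
    raw = path.read_bytes()
    if len(raw) < 4:
        return None
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(root: Path = Path("/")) -> str:
    """Classify what the firmware will actually verify at boot.

    'enforcing'  SecureBoot=1 and SetupMode=0: signatures are checked.
    'setup'      SetupMode=1: whoever can boot the box may enrol their own keys,
                 so SecureBoot=1 alongside it proves nothing yet.
    'disabled'   efivarfs present but SecureBoot is not 1.
    'no-efi'     no efivarfs at all (BIOS/CSM boot, or efivarfs not mounted).
    """
    sb = read_efivar(root, "SecureBoot")
    if sb is None:
        return "no-efi"
    setup = read_efivar(root, "SetupMode")
    if setup is not None and setup[1][:1] == b"\x01":
        return "setup"
    return "enforcing" if sb[1][:1] == b"\x01" else "disabled"


def iommu_groups(root: Path = Path("/")) -> dict:
    """Map IOMMU group id -> sorted PCI addresses from /sys/kernel/iommu_groups.
    An empty result means no active IOMMU (absent, or left off by firmware or the
    kernel command line): every DMA-capable device can then read all of RAM."""
    base = root / "sys/kernel/iommu_groups"
    if not base.is_dir():
        return {}
    groups = {}
    for grp in base.iterdir():
        devs = grp / "devices"
        if devs.is_dir():
            groups[grp.name] = sorted(d.name for d in devs.iterdir())
    return groups


def _efivar_bytes(value: int) -> bytes:
    # NV|BS|RT attributes (0x07) are typical for these variables; data is one byte.
    return struct.pack("<I", 0x07) + bytes([value])


def make_sample_tree(root: Path, secure_boot: int, setup_mode: int, groups: dict) -> None:
    """Constructed sysfs/efivarfs layout for offline demonstration only."""
    ev = root / "sys/firmware/efi/efivars"
    ev.mkdir(parents=True)
    (ev / f"SecureBoot-{EFI_GLOBAL_GUID}").write_bytes(_efivar_bytes(secure_boot))
    (ev / f"SetupMode-{EFI_GLOBAL_GUID}").write_bytes(_efivar_bytes(setup_mode))
    for gid, devs in groups.items():
        for dev in devs:
            (root / "sys/kernel/iommu_groups" / gid / "devices" / dev).mkdir(parents=True)


def demo() -> dict:
    """Run both checks against three constructed trees; return label -> verdict."""
    cases = {
        "laptop-ok": (1, 0, {"0": ["0000:00:00.0"], "7": ["0000:02:00.0"]}),
        "setup-mode": (1, 1, {"0": ["0000:00:00.0"]}),
        "no-iommu": (0, 0, {}),
    }
    out = {}
    for label, (sb, sm, groups) in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            make_sample_tree(root, sb, sm, groups)
            out[label] = (secure_boot_state(root), len(iommu_groups(root)))
    return out


if __name__ == "__main__":
    print(demo())
    # Same checks against the host you are running on:
    print(secure_boot_state(), len(iommu_groups()))
```

Note the 'setup' verdict: a machine that reports SecureBoot=1 while still in SetupMode has no trust anchor an attacker with a minute of physical access could not replace, which is exactly the evil-maid case the reply raises. The IOMMU listing only tells you whether groups exist; whether the kernel actually applies them to a given device (and in which mode) still has to be read from the kernel log or the device's driver binding.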
The point I'm making is that software freedom can be hindered by so-called "security" measures. When a bootloader can reject something you built yourself or a friend built, on the basis that it didn't come from a large corporate software vendor, the computer places more trust in its manufacturer than in its owner. This is especially problematic with smartphones and tablets.
There was a time when computers weren't pre-programmed to judge what the user is doing. You could load up any program and it would execute it. You could say this is insecure, but that depends on how you look at the problem. Secure Boot has been proven to be ineffective at securing the boot process, but effective at thwarting attempts to replace MS-Windows with Linux. Apple and Google are even more hostile, with the former openly admitting they isolate their users by calling attempts to bypass their scheme "jailbreaking". It doesn't matter which multi-trillion dollar company is doing it, they're all hostile towards software freedom in my opinion.
Your argument on Intel is just a red herring to me. Two wrongs don't make a right. It's like saying corporate greed is okay because there's always bigger corporate greed out there. Whereas I'm de facto against all moves that hinder software freedom.
I haven't taken the time to read the documents you linked, but it appears you're making a strong case against supply-chain attacks. For now, I think there's still plenty of room for disagreement much like how computers in military zones can be made deliberately insecure by our petty citizen standards, simply because their threat model is something else entirely.
I don't want blobs because, as you alluded to, there's a real need to be able to inspect hardware and software for correctness. Any blob that gets in the way of that, I want it gone forever.
Even if you don't do bootloader programming, I think it's good practice to build as much as you can yourself. Gentoo happens to be a good fit for this on the GNU/Linux side, as you can build everything but also intervene only for those few packages you really want to have fixed a particular way.
> I haven't taken the time to read the documents you linked [...]
Then I also don't have the time to read and address your response. There's no further discussion to be had where one side is no longer willing to display basic courtesy.
Basic courtesy such as being honest? You think you're smart because you can copy and paste a bunch of URLs from a search engine or your bookmarks file?
I didn't even ask for a discussion. I think I've made my point clear by now but feel free to keep being a jerk on the Internet.
The other person is debating, giving you references, not "copy-pasting URLs". It looks to me that you don't bother with counter-arguments and yet repeat the same thing over and over - I don't think you'll convince anyone new like that, and won't learn anything new yourself either.
Thing is, can you send any random person a bunch of documents and expect that said person will read them at your whim? In their spare time? I can't afford to XKCD 386 ;)
That's your personal choice. All I ask is that you don't advocate for narrowing down the personal choice for others.
> I don't care [...]
Yeah, that's the real problem here. When your needs are met, you don't care.