I'd be more worried about firmware manufacturers. They have historically been doing an utterly terrible job at making firmware. With UEFI, they are still doing an utterly terrible job as usual, and they have a few hundred pages of specifications to (decide it's not worth to) read.

Huh, that's good to know. Does it apply worldwide?

That's nothing compared to the BIOS of one oldish device I'm maintaining. It doesn't boot from USB. At all. It's supposed to be able to, but it can't. It attempts to boot, but locks up every time. That, or it causes the system to reboot, effectively putting it in an infinite loop. What joy.

But I *do* have a spindle of blank media - I think there're 30 or so left. The only thing I ever use them for is burning operating system ISOs. A fifty-pack has lasted me about 3 years now.

Seriously Delgarde, you are drawing unwarranted conclusions. Your reasoning seems to be:

WHEREAS:
you (Delgarde) have no blank DVD media, AND
you (Delgarde) would have to go to the store to get some, AND
you (Delgarde) have a USB stick that you substitute for DVD to install Linux;
THEREFORE
nobody uses DVDs to install Linux.

That's just silly reasoning.

I can think of exactly one use for Secure Boot on Linux

Regarding removing MS keys and installing your own

I can see exactly one thing Secure Boot on Linux might be good for: Securing encrypted machines against the "evil maid" boot keylogger attack on the passphrase. That is still vulnerable to any backdoors NSA dropped in the TPM, but it would be another layer of security along with other checks. Probably best for a traveller in an untrusted non-US ally, leaving an encrypted laptop in a hotel room (never safe anyway).

Here's what you would have to do, I haven't coded it as I have never tested it:

1: Remove all Microsoft keys so an attacker can't use them to sign a modified initramfs or kernel. Remember, the FBI surely has MS's private keys!

2: Create and install your own key, but for now stay in unlocked boot.

3: Sign your bootloader and kernel with it, I think that requires custom building at least the kernel!

4: Replace update-initramfs with a script that calls a renamed update-initramfs and signs it with your key

5: Install your special kernel and bootloader and make the initramfs

6: Reboot, go into UEFI, activate secure boot.

Now any screwup on your part will require going back to UEFI to disable secure boot, and that would make any replacement of the initramfs or kernel with a keylogging version damned hard. Any offical attacker will probably use Microsoft's keys to sign their shit-and the firmware will reject it, unless there is another backdoor for THAT purpose.

I don't do this, as it transfers trust to the firmware and to the TPM. You have to trust that Microsoft's key is really gone, that the firmware doesn't have a secret master key like the one hard drives have for the ATA Security Set commands, etc. Turn off Secure Boot, put /boot on a flash drive at this level. Would be different if I could use Coreboot with a TPM I made myself, but we are a long way from THAT!

My Windows 7 Professional x64 goes from bootloader (LILO) to usable desktop (hard disk i/o stopped) in less than 20 seconds. I just use it for games, so probably within the next 10 seconds I'm full screen gaming. I don't run any shit though... and myself personally I don't use any security software etc.

No Windows 7 computer takes minutes to boot up on my watch (I do this shit for a living, by the way). Not even Atom based netbooks. (maybe 1 minute with Windows 7 Starter Edition)

15 seconds on my gentoo machine using systemd (and in that time I have to type in my password, too). + around 10 seconds for the BIOS makes around 25 seconds to boot from power button to usable desktop. I could tune this even more, but why do I need such a fast booting machine?

LILO is not official bootloader. Security software is prescribed requirement by microsoft itself.

My machine takes 5 seconds to resume from hibernation to debian desktop. The hibernation is tuxonice, so machine can be completely powered off from mains. Its an old pentium 4 with opensource drivers and green hard drive.

Good point. And, as someone above pointed out, that fast boot just pushes all the not-basic hardware initialization to the OS.

I remember XP where it gave me a logon screen very quickly indeed, but the screen would not respond until Windows had finished all the other crap it was doing on boot.

So really I think fast boot is marketing, nothing more.

FWIW, from power on to Openbox desktop, I am waiting about 25 sec also. Doesn't bother me much.

Are you sure you need to use UEFI to be able to use GPT?

That's very nice but what does hibernation have to do with crypto-protected boot?