gnuboot-patches

[PATCH v1 12/12] manual: Add section about using GNU Boot.


From: Denis 'GNUtoo' Carikli
Subject: [PATCH v1 12/12] manual: Add section about using GNU Boot.
Date: Mon, 4 Nov 2024 00:19:05 +0100

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
---
 manual/gnuboot.texi | 98 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 97 insertions(+), 1 deletion(-)

diff --git a/manual/gnuboot.texi b/manual/gnuboot.texi
index 21bb1c5..3bb937c 100644
--- a/manual/gnuboot.texi
+++ b/manual/gnuboot.texi
@@ -53,6 +53,7 @@ This manual is for GNU Boot version @value{VERSION}.
 @menu
 * Overview::                                   General purpose and information.
 * Supported hardware and configurations::
+* Using GNU Boot::
 * Building GNU Boot from source::
 * Helping GNU Boot::                           How to contribute to GNU Boot
 * GNU Free Documentation License::             Copying and sharing this 
documentation.
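Review bot: the new `* Using GNU Boot::` entry in the top-level @menu carries no description, unlike the Overview and Helping GNU Boot entries. A short one (for instance "Trying images with QEMU, security features") would tell readers what the chapter covers before they follow the link.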
@@ -626,7 +627,9 @@ ftp.gnu.org/gnu/gnuboot/).
 
 But depending on your threat model, it could be a good idea to build
 GNU Boot from source yourself instead, to avoid certain security
-attacks.
+attacks. See the @pxref{Security features} section for more context
+with security and threat models and @pxref{Building GNU Boot from
+source} for more details about the security attacks mentioned above.
 
 Once GNU Boot is downloaded or built, you will need to understand
 which files you need to install or upgrade. See the @pxref{Supported
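Review bot: in the added lines, `See the @pxref{Security features} section` uses @pxref in running text after "See the", but @pxref is meant for references inside parentheses and produces its own "see", so the rendered sentence repeats the word. Start the sentence with `@xref{Security features}` or write "see the @ref{...} section" instead, and consider splitting the two references into two sentences so it is clear which one covers threat models and which one covers the attacks mentioned above.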
@@ -642,6 +645,99 @@ instructions can be found in the GNU Boot website. We need 
help to
 migrate these instructions in the manual and make them easier to
 understand.
 
+@node Using GNU Boot
+@chapter Using GNU Boot
+
+@node Using GNU Boot with QEMU
+@section Using GNU Boot with QEMU
+
+The GNU Boot project also release images for QEMU.
+
+If you just want to try an image to see how it looks like you can use
+the following command:
+
+@example
+qemu-system-x86_64 -M pc \
+-bios grub_qemu-pc_2mb_corebootfb_usqwerty.rom
+@end example
+
+Here you need to replace
+@emph{grub_qemu-pc_2mb_corebootfb_usqwerty.rom} by the
+path to the image you want to try.
+
+For a more complete example, you can look in the GNU Boot source code
+as GNU Boot uses QEMU to run some automatic tests that boots Trisquel
+11 (aramo).
+
+Also note that the GNU Boot images for QEMU can be useful in some
+situations, but it doesn't fully replace tests run on real computers.
+
+For instance a distribution or operating system might work on QEMU but
+not work on real hardware due to an incomplete graphic driver for the
+real hardware GPU.
+
+@node Security features
+@section Security features
+
+Note that security is a process. To really make it work you need to
+understand various threats and how to respond to them (this is called
+@dfn{threat modelling}), so what security feature to use or not to use
+depends on your life, use cases, etc.
+
+Also note that in general some security features also have downsides,
+such as making it harder to use the computer, making it harder to fix
+issues, etc, so not everybody might want these security features.
+
+As for security features typically found in other @dfn{boot software},
+some computers vendor sell computers with what they call @dfn{secure
+boot}. When it cannot be turned off, it becomes an anti-feature and
+the @uref{https://www.fsf.org/,Free Software Foundation} calls it
+@dfn{restricted boot}.
+
+In 2012, the @uref{https://www.fsf.org/,Free Software Foundation}
+wrote
+@uref{https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/campaigns/secure-boot-vs-restricted-boot/whitepaper.pdf,a
+whitepaper}, on the topic and advised that:
+
+@verbatim
+The best solution currently available for operating system distributions
+includes:
+1. fully supporting user-generated keys, including providing tools and full
+documentation for booting and installing both modified and official
+versions of the distribution using this method;
+2. using a GPLv3-covered bootloader to help protect users against the
+dangers of Restricted Boot;
+3. avoiding requiring or encouraging users to trust Microsoft or any com-
+pany which makes proprietary software; and
+4. joining the FSF and the broader free software movement in pressuring
+computer distributors to facilitate easy and independent installation of
+free software operating systems on any computer.
+@end verbatim
+
+GNU Boot supports various security mechanism: GRUB is a GPLv3-covered
+bootloader that GNU Boot reuses, and it supports user-generated keys
+or other security mechanism that that don't require any signing
+keys.
+
+GNU Boot also obviously doesn't Trust keys from companies that make
+proprietary software.
+
+At the end when used correctly, the security features provided by GNU
+boot thanks to the software it reuses (like GRUB) can provide similar
+or stronger security guarantees than the UEFI secure boot with
+different security features that you may or may not want want to use
+depending on your threat model.
+
+The GNU Boot Website contains various information on how to use such
+security features, but they are also documented in the
+@pxref{,,,grub,GNU GRUB manual} as well in more details. Since the
+GRUB version GNU Boot uses might be older than the online GRUB manual,
+you can use Guix to install the manual of older GRUB versions (see the
+@pxref{,,,guix,GNU Guix reference manual} for more details).
+
+All the security mechanism described in the GRUB manual or GNU Boot
+website are compatible with users freedom.
+
 @node Building GNU Boot from source
 @chapter Building GNU Boot from source
 
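Review bot: the cross-references in the paragraph starting "The GNU Boot Website contains", `@pxref{,,,grub,GNU GRUB manual}` and `@pxref{,,,guix,GNU Guix reference manual}`, are placed after "the" in running text and have an empty node argument; @pxref is for parenthetical use and emits its own "see", so @ref (or a reworded sentence with @xref) fits better here. The whitepaper @uref repeats the path segment `campaigns/secure-boot-vs-restricted-boot/` twice, which looks like a paste error and should be checked against the real location. The quoted FSF advice would read better as @quotation with @enumerate than as @verbatim, which also preserves the PDF line-break hyphenation in "com-" / "pany". The new chapter adds two @section nodes but no @menu listing them, while the top-level @menu is maintained by hand. Smaller wording fixes: "also release images" should be "releases", "how it looks like" should be "what it looks like", "computers vendor sell" should be "computer vendors sell", "that that", "want want", "doesn't Trust", "various security mechanism" and "All the security mechanism" (plural), and "GNU boot" should be "GNU Boot".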
-- 
2.46.0



