From: "Simon J. Gerraty"
To: Johannes Lundberg
CC: Ed Maste
Subject: Re: Secure Boot
Date: Sat, 14 Jan 2017 18:38:37 -0800
Message-ID: <26163.1484447917@kaos.jnpr.net>
List-Id: Discussions about the use of FreeBSD-current

Johannes Lundberg wrote:
> https://wiki.freebsd.org/SecureBoot
>

Interested in this too - though for proprietary systems where we have
control over BIOS. The design should hopefully accommodate both.
In particular any plan for how the loader would verify kernel and any
pre-loaded modules, and kernel verify init. Hopefully allowing for
regular update of signing keys.