Date: Wed, 6 Jun 2012 16:13:45 -0400
From: grarpamp
To: freebsd-questions@freebsd.org
Subject: UEFI Secure Boot Specs - And some sanity

Isn't there a lot of needless handwaving going on when the spec
is pretty clear that installing your own complete PKI tree will
all boil down to what is effectively a jumper on the motherboard?

First, some sanity...

Users could fully utilize the UEFI Secure Boot hardware by, say:
- Using openssl to generate their keys
- Jumper the board, burn it into the BIOS in UEFI SB SetupMode
- Have all the MBR, slice, partition, installkernel, etc tools
  install and manage the signed disk/loader/kernel/module bits
- Have the BIOS check sigs on whatever first comes off the media

I don't see that the user will actually NOT be able to do this on
anything but 'designed for Windows only' ARM systems. Seeing how
open Android/Linux is firmly in that space, this will just devalue
the non-open Windows product.

There have been 25 years of generic mass-produced motherboards.
And 25 years of open source OS commits to utilize them. That is
not changing anytime soon. Non-generic attempts fail.

Even corporate kings Dell and HP know they would be foolish to
sell motherboards that will not allow their buyers to swap out
the PK keys... because they know their buyers run more than just
Windows and that they need various security models. And if they
really were that dumb, there's Gigabyte, Asus, MSI, Supermicro,
Biostar, etc who will not be so dumb and will soak up all the
remaining sales gravy.

The masses have seen and now want openness, open systems, sharing.
The old models are but speed bumps on their own way out the door.

Though it seems a non-issue to me, if you want to protest, protest
for 'Setup Mode'. And not here on this list, but to the hardware
makers.

We should want to use this PKI in our systems. Not disable it.
Not pay $100 to terminate the PKI chain early. Not pay $100 to
lock us into unmodifiable releases (aka: BSD corporate version).

I look forward to seeing the UEFI SB PK SetupMode AMD and Intel
generic motherboard list :)

On to facts...

http://www.uefi.org/
 Spec Chapter 27 Secure Boot, SetupMode, PK, Shell, etc
https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
https://en.wikipedia.org/wiki/Unified_EFI_Forum
http://ozlabs.org/docs/uefi-secure-boot-impact-on-linux.pdf
https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot
http://mjg59.dreamwidth.org/12368.html
http://mjg59.livejournal.com/
https://www.tianocore.org/
http://www.avrfreaks.net/index.php?name=PNphpBB2&file=viewtopic&p=962584
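
The first and last steps of the procedure listed in the message above
(generating the keys with openssl, and checking a signature on what gets
loaded), as an added example that is not part of the original message.
The certificate CNs, file names and the stand-in loader file are
constructed; firmware checks Authenticode signatures embedded in PE/COFF
images, which the plain detached signature here only approximates.

```shell
#!/bin/sh
# Added example: owner-generated Secure Boot keys (PK, KEK, db) with openssl.
# CNs, file names and the "loader" blob are constructed for illustration.
# Enrolling the certificates happens in the firmware while it is in Setup
# Mode and is not shown; neither is real EFI image signing.

# gen_key NAME: self-signed RSA-2048 certificate and private key (PEM),
# plus a DER copy (NAME.cer), the encoding firmware setup screens accept.
gen_key() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example owner $1" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null &&
    openssl x509 -in "$1.crt" -outform DER -out "$1.cer"
}

# sign_blob NAME FILE: detached SHA-256/RSA signature written to FILE.sig.
sign_blob() {
    openssl dgst -sha256 -sign "$1.key" -out "$2.sig" "$2"
}

# verify_blob NAME FILE: succeeds only if FILE.sig is a valid signature
# over FILE under the public key taken from NAME.crt.
verify_blob() {
    openssl x509 -in "$1.crt" -pubkey -noout > "$1.pub" &&
    openssl dgst -sha256 -verify "$1.pub" \
        -signature "$2.sig" "$2" >/dev/null 2>&1
}

# demo: runs in a subshell inside a scratch directory.
demo() (
    cd "$(mktemp -d)" || exit 1
    for k in PK KEK db; do gen_key "$k" || exit 1; done
    printf 'constructed stand-in for a boot loader\n' > loader.bin
    sign_blob db loader.bin || exit 1
    verify_blob db loader.bin && echo "loader.bin: signature OK"
    # One appended byte is enough to make the check fail.
    printf 'x' >> loader.bin
    verify_blob db loader.bin || echo "loader.bin: modified, rejected"
)

demo
```
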