From owner-freebsd-questions@FreeBSD.ORG Thu Jun 14 15:32:22 2012
Message-Id: <201206141531.q5EFVnt4085652@fire.js.berklix.net>
To: "C. P. Ghost"
From: "Julian H. Stacey"
Organization: http://berklix.com BSD Unix Linux Consultancy, Munich Germany
User-agent: EXMH on FreeBSD http://berklix.com/free/
X-URL: http://www.berklix.com
In-reply-to: Your message "Thu, 14 Jun 2012 09:51:46 +0200."
Date: Thu, 14 Jun 2012 17:31:49 +0200
Cc: FreeBSD Questions
Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware of?

Hi,
Reference:
> From: "C. P. Ghost"
> Date: Thu, 14 Jun 2012 09:51:46 +0200
> Message-id:

"C. P. Ghost" wrote:
> On Tue, Jun 5, 2012 at 8:19 PM, Kurt Buff wrote:
> > UEFI considerations drive Fedora to pay MSFT to sign their kernel binaries
> > http://cwonline.computerworld.com/t/8035515/1292406/565573/0/
> >
> > This would seem to make compiling from source difficult.
> >
> > Kurt
>
> I'm not sure I understand the issue, but this is my take on it
> so far:
>
> 1. What's preventing the makers of boot loaders like GRUB (which can
> also boot FreeBSD) from getting a certificate ONCE? And if they have
> one, what's preventing them from loading ANY kernel at all?

If you read Fedora's page they were planning to tighten their boot
sequence to then only boot their approved binary kernels. Not that
others (eg us) would have to; presumably we could leave it wide open
(aside of terms of purchase, see discussion earlier in thread),
(aside of risk of key revocation on some hardware manufacturers).

Risk of key revocation later if hardware manufacturer ships new BIOS
or UEFI, or user upgrades to new UEFI (eg I as a user must upgrade a
UEFI soon as a laptop overheats).

+ if MS get away with this intrusion, next they'll consider requiring a
"Call Home" demon (that could also run on *UX, I guess they'd be
pleased to provide source free of charge for that next stage
entrapment ! ;-) that all PC users must run periodically, to update
UEFI table with new revised list of authorised keys.

> It is only
> the first stage boot loader that needs to be signed, or not?

Far as I've read, yes.

I wasn't sure about AMD so I looked here:
  /usr/ports/sysutils/grub/Makefile
    ONLY_FOR_ARCHS= i386
  http://www.gnu.org/software/grub/grub-faq.html (Re Grub 2)
    The current release is working on Intel/AMD PCs, OpenFirmware-based
    PowerPC machines (PowerMac and Pegasos), EFI-based PC (IntelMac)
    and coreboot (formerly, LinuxBIOS), and is being ported to
    UltraSparc.

> 2. What's preventing anyone of us in the EU from stepping up
> efforts with the EU Commission and the EU Parliament to stop
> Microsoft from monopolizing the ARM (and later x86) platforms,
> i.e. by becoming the only gatekeepers? After all, EU sovereign
> states and their economies can't depend on a US corporation
> having a global kill switch to their whole infrastructure. We're not
> just talking about Windows dominance here, but a lot more:
> dominance on the whole hardware segment. I'm pretty sure this
> scheme is highly anti-competitive, and I guess it runs afoul of a lot
> of already existing EU regulations.

I think we will need to contact the EU, hence assembling URLs first:
  http://berklix.org/uefi/

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Reply below not above, cumulative like a play script, & indent with "> ".
 Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
 Mail from @yahoo dumped @berklix.  http://berklix.org/yahoo/