Delivered-To: freebsd-questions@freebsd.org
Date: Wed, 6 Jun 2012 06:24:37 -0400
From: Jerry
To: FreeBSD
Message-ID: <20120606062437.41f48a9e@scorpio>
In-Reply-To: <4FCF2521.6090006@FreeBSD.org>
Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware of?

On Wed, 06 Jun 2012 10:38:41 +0100
Matthew Seaman articulated:

>On 06/06/2012 09:45, Bruce Cran wrote:
>> On 06/06/2012 08:32, Matthew Seaman wrote:
>>> On deeper thought though, the whole idea appears completely
>>> unworkable. It means that you will not be able to compile your own
>>> kernel or drivers unless you have access to a signing key. As
>>> building your own is pretty fundamental to the FreeBSD project, the
>>> logical consequence is that FreeBSD source should come with a
>>> signing key for anyone to use.
>
>> It just means that anyone wishing to run their own kernels would
>> either need to disable secure boot, or purchase/create their own
>> certificate and install it.
>
>Indeed. However disabling secure boot is apparently:
>
>  * too difficult for users of Fedora
>
>  * not possible on all platforms (arm based tablets especially)
>
>and purchasing your own certificate currently means paying $99 to
>Microsoft, or else getting a key from the hardware manufacturer (which
>I very much suspect will not be free either).

I think you are in error there Matthew. From what I have read the $99
goes to Verisign, not Microsoft - further once paid you can sign as
many binaries as you want.

>While I would expect the typical FreeBSD user to be quite capable of
>disabling secure boot, I know that this is something that will result
>in realms of questions by new users, alarmist claims that "FreeBSD is
>not secure" and general glee amongst the "FreeBSD is dying" crowd.
>
>This is just another misconceived DRM scheme and suffers from all the
>same old flaws.

I don't feel this is misconceived at all. Again, from what I have read,
most non-Microsoft operating systems have been able to use UEFI Secure
Boot for nearly eight years; however, they have actively refused to do
so. However, now Microsoft has stepped up to the plate and is actively
taking advantage of the scheme. Actually, Microsoft has been issuing
warnings for ten years when a user would attempt to install unsigned
drivers. Now the FOSS community is getting its knickers in a knot. They
should have taken this into account a long time ago.

In any case, we are talking $99 dollars total, not per user here for
the certificate. If that is going to cause a problem, I'll donate the
$99.

In any case, the real problem appears to be how FreeBSD is going to
handle drivers which apparently will need to be signed since they work
at the kernel level. Apparently Fedora has a working solution for that
already.

-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.