From owner-freebsd-questions@FreeBSD.ORG Tue Jul 9 01:04:08 2013
Date: Mon, 8 Jul 2013 21:00:51 -0400
From: Mike Jeays
To: freebsd-questions@freebsd.org
Cc: Polytropon
Subject: Re: UEFI Secure Boot
Message-ID: <20130708210051.1edc028e@europa>
In-Reply-To: <20130709023140.9c7c4f40.freebsd@edvax.de>
References: <20130709023140.9c7c4f40.freebsd@edvax.de>
X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.13; i686-pc-linux-gnu)

On Tue, 9 Jul 2013 02:31:40 +0200 Polytropon wrote:

> On Mon, 8 Jul 2013 16:21:28 +0000 (UTC), jb wrote:
> > I hope FreeBSD (and other OSs) luminaries, devs and users will find a way not
> > to harm themselves.
>
> A massive problem I (personally) have is that with Restricted Boot
> (this is what "Secure Boot" basically is) you are no longer able
> to _ignore_ MICROS~1 and their products. A restrictive boot loader
> mechanism that requires signed and confirmed keys, handled by a
> major offender of free decisions and a healthy market - no thanks.
> What prevents MICROS~1 from revoking keys of a possible competitor?
> Or from messing with the specs just so that things start breaking?
>
> Don't get me wrong: I don't even argue that a mechanism where
> a competitor requires you to pay money to run _your_ software
> instead of _their_ software sounds horribly wrong. This approach
> will introduce a philosophical or even legal context to the
> technical problem.
>
> I see interesting chances in UEFI per se. It can be called a kind
> of "micro-OS" which can be rich in features that could also be
> useful. But history has shown that if such an infrastructure is
> provided, it will lead to bloated, insecure and incompatible
> implementations quickly, and the worst, it will happen at a very
> low level. This is simply dangerous.
>
> Regarding UEFI + Restricted Boot: To obtain MICROS~1's sticker of
> approval for hardware, vendors need to implement those features.
> Even worse, on _specific_ platforms, they are not allowed to make
> it possible to _remove_ those features, so "on by default" is
> required - if I remember correctly (Intel vs. ARM architectures).
>
> As you see, I try to ignore this whole topic as I am not interested
> in using it. In the past, this has been possible. When building a
> new system, buying a blank disk and _no_ "Windows" was particularly
> easy. For systems that already came with some "Windows" preinstalled,
> simply deleting the partition was a solution; install FreeBSD boot
> mechanism, initialize disk, and be done. No more dealing with what
> MICROS~1 seems to insist is "normal". When _their_ product decisions
> make _me_ invest time to find a way to remove and ignore them, I
> feel offended.
>
> I would like to see a way UEFI hardware, with or without Restricted
> Boot, can be used with FreeBSD _without_ involving the "good will"
> of MICROS~1. But as they have already gotten their fingers everywhere,
> this doesn't seem to happen all too soon... :-(
>
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...
If I have understood correctly, it is quite easy to disable secure boot
on most current machines; it is just an option in the UEFI setup. The
real danger is machines where it cannot be disabled. This includes some
recent HP machines; whether by design or incompetence I cannot say.
These are the real danger to non-Microsoft operating systems, and the
free software movement needs to fight tooth and nail against them. I can
all too easily see them proliferating in the marketplace, perhaps
secretly 'encouraged' by Microsoft.