From: Damien Fleuriot
Date: Wed, 06 Jun 2012 14:28:55 +0200
To: freebsd-questions@freebsd.org
Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware of?

On 6/6/12 1:19 PM, Daniel Feenberg wrote:
>
>
> On Wed, 6 Jun 2012, Matthew Seaman wrote:
>
>> On 05/06/2012 23:10, Jerry wrote:
>>> I thought this URL also shown
>>> above, answered that question.
>>
>> Signing bootloaders and kernels etc. seems superficially like a good
>> idea to me. However, instant reaction is that this is definitely *not*
>> something that Microsoft should be in charge of. Some neutral[*] body
> ...
>> On deeper thought though, the whole idea appears completely unworkable.
>> It means that you will not be able to compile your own kernel or
>> drivers unless you have access to a signing key. As building your own
>
> You don't need the signing key if you turn off secure boot in the CMOS.
> The fedora folk are worried that naive desktop users will not be able to
> do that, and usage of linux will be impeded. It won't be a significant
> impediment to users capable of compiling their own kernel.
>
>> is pretty fundamental to the FreeBSD project, the logical consequence is
>> that FreeBSD source should come with a signing key for anyone to use.
>>
>> Which completely abrogates the whole point of signing
>> bootloaders/kernels in the first place: anyone wishing to create malware
>> would be able to sign whatever they want using such a key. It's
>> DRM-level stupidity all over again.
>
> I do wonder about that. What incentive does the possessor of a signing
> key have to keep it secret? Apple keeps its signing key secret because
> it gets a share of revenue from the sale of apps. If the fedora key
> became known it wouldn't hurt fedora. Can the UEFI BIOS consult a list
> of revoked keys online? That would be surprising.
>
> dan feenberg

Key revoked in the BIOS' next version, which will ship by default on
newer hardware.
No need for checking online.