From owner-freebsd-questions@FreeBSD.ORG Tue Jul 9 01:48:00 2013
From: jb
To: freebsd-questions@freebsd.org
Subject: Re: UEFI Secure Boot
Date: Tue, 9 Jul 2013 01:47:43 +0000 (UTC)
References: <20130709023140.9c7c4f40.freebsd@edvax.de> <20130708210051.1edc028e@europa>

Mike Jeays rogers.com> writes:

>
> On Tue, 9 Jul 2013 02:31:40 +0200
> Polytropon edvax.de> wrote:
>
> > On Mon, 8 Jul 2013 16:21:28 +0000 (UTC), jb wrote:
> > > I hope FreeBSD (and other OSs) luminaries, devs and users will find
> > > a way not to harm themselves.
> >
> > A massive problem I (personally) have is that with Restricted Boot
> > (this is what "Secure Boot" basically is) you are no longer able
> > to _ignore_ MICROS~1 and their products. A restrictive boot loader
> > mechanism that requires signed and confirmed keys, handled by a
> > major offender of free decisions and a healthy market - no thanks.
> > What prevents MICROS~1 from revoking keys of a possible competitor?
> > Or from messing with the specs just that things start breaking?
> > ...
>
> If I have understood correctly, it is quite easy to disable secure boot on
> most current machines; it is just an option in the UEFI setup.
>
> The real danger is machines where it cannot be disabled. This includes
> some recent HP machines; whether by design or incompetence I cannot say.

As readers on distrowatch.com put it regarding Secure Boot:

"Secure Boot can be turned off completely or, custom mode entered and other keys added if so desired thus avoiding the need to deal with Microsoft. Although it does add extra steps to installing a Linux or BSD system it's not that difficult to deal with and Secure Boot is part of the UEFI specifications, not Microsoft's."

"In some cases Secure Boot CANNOT be turned off completely, and in other cases Secure Boot may be desired. In these cases, an independent authority should be signing the key, NOT Microsoft. We shouldn't have to forgo the use of Secure Boot to avoid dealing with Microsoft."

"It deeply disturbs me that Linux and BSD projects must grovel before Microsoft to get their key signed to be allowed to install their OS. Why should MS have such power? There should be an independent entity to handle this."

jb