Date: Wed, 6 Jun 2012 11:17:40 -0500 (CDT)
From: Robert Bonomi <bonomi@mail.r-bonomi.com>
To: freebsd-questions@freebsd.org, rwmaillists@googlemail.com
Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware of?
Message-ID: <201206061617.q56GHeQl031484@mail.r-bonomi.com>
In-Reply-To: <20120606150210.1e4e7724@gumby.homeunix.com>

RW <rwmaillists@googlemail.com> wrote:
> On Wed, 6 Jun 2012 07:36:24 -0400
> Jerry wrote:
>
> >
> > In any event, it won't be long before some hacker comes up with a way
> > to circumvent the entire process anyway,
>
> It sounds like Fedora already have. They say that they are only going to
> sign a thin shim that loads grub.

"not exactly." *GRIN*

Fedora's 'thin shim' will be signed, to keep an (always-, or other) enabled
'secure BIOS' loader happy.

Fedora will provide an option -- which will remain 'user-settable'
(regardless of whether the 'secure BIOS' signature is mandatory) -- to
either ENFORCE or IGNORE a requirement for valid 'signatures' on the
subsequently loaded pieces of the O/S -- 2nd/3rd/etc-stage boot loaders,
the kernel itself, any loadable modules, etc.

And, Fedora will sign all _Fedora-supplied_ files that meet that criteria.

Thus an end-user can run with 'secure boot' fully enabled, with only signed
files being loadable as part of the O/S -- using either Fedora-supplied
signed files, -or- files that they, themselves, have signed.

OR, with BIOS signing required (the 'thin shim' loader) but signing of
subsequent files -not- required,

OR, (if the hardware manufacturer allows it) with BIOS signing disabled.