Date:      Wed, 6 Jun 2012 11:17:40 -0500 (CDT)
From:      Robert Bonomi <bonomi@mail.r-bonomi.com>
To:        freebsd-questions@freebsd.org, rwmaillists@googlemail.com
Subject:   Re: Is this something we (as consumers of FreeBSD) need to be aware of?
Message-ID:  <201206061617.q56GHeQl031484@mail.r-bonomi.com>
In-Reply-To: <20120606150210.1e4e7724@gumby.homeunix.com>

RW <rwmaillists@googlemail.com> wrote:
> On Wed, 6 Jun 2012 07:36:24 -0400
> Jerry wrote:
>
>
> > In any event, it won't be long before some hacker comes up with a way
> > to circumvent the entire process anyway,
>
> It sounds like Fedora already have. They say that they are only going to
> sign a thin shim that loads grub.

"not exactly."  *GRIN*

Fedora's 'thin shim' will be signed, to keep an (always-, or other) enabled
'secure BIOS' loader happy.

Fedora will provide an option -- which will remain 'user-settable' (regardless
of whether the 'secure BIOS' signature is mandatory) -- to either ENFORCE or
IGNORE a requirement for valid 'signatures' on the subsequently loaded pieces
of the O/S -- 2nd/3rd/etc-stage boot loaders, the kernel itself, any loadable
modules, etc.   And, Fedora will sign all _Fedora-supplied_ files that meet
that criteria.  Thus an end-user can run with 'secure boot' fully enabled,
with only signed files being loadable as part of the O/S -- using either
Fedora-supplied signed files, -or- files that they, themselves, have signed.
OR, with BIOS signing required (the 'thin shim' loader) but signing of
subsequent files -not- required, OR, (if the hardware manufacturer allows it)
with BIOS signing disabled.




