From: Robert Bonomi
Date: Wed, 6 Jun 2012 11:17:40 -0500 (CDT)
To: freebsd-questions@freebsd.org, rwmaillists@googlemail.com
Message-Id: <201206061617.q56GHeQl031484@mail.r-bonomi.com>
In-Reply-To: <20120606150210.1e4e7724@gumby.homeunix.com>
Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware of?
List-Id: User questions <freebsd-questions@freebsd.org>

RW wrote:
> On Wed, 6 Jun 2012 07:36:24 -0400
> Jerry wrote:
>
> > In any event, it won't be long before some hacker comes up with a way
> > to circumvent the entire process anyway,
>
> It sounds like Fedora already have. They say that they are only going to
> sign a thin shim that loads grub.

"not exactly." *GRIN*

Fedora's 'thin shim' will be signed, to keep an (always-, or other) enabled 'secure BIOS' loader happy. Fedora will provide an option -- which will remain 'user-settable' (regardless of whether the 'secure BIOS' signature is mandatory) -- to either ENFORCE or IGNORE a requirement for valid 'signatures' on the subsequently loaded pieces of the O/S -- 2nd/3rd/etc-stage boot loaders, the kernel itself, any loadable modules, etc.

And, Fedora will sign all _Fedora-supplied_ files that meet those criteria. Thus an end-user can run with 'secure boot' fully enabled, with only signed files being loadable as part of the O/S -- using either Fedora-supplied signed files, -or- files that they, themselves, have signed. OR, with BIOS signing required (the 'thin shim' loader) but signing of subsequent files -not- required, OR, (if the hardware manufacturer allows it) with BIOS signing disabled.