From owner-freebsd-questions@FreeBSD.ORG Tue Jul 9 01:54:49 2013 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id E08381B2 for ; Tue, 9 Jul 2013 01:54:49 +0000 (UTC) (envelope-from m.e.sanliturk@gmail.com) Received: from mail-ve0-x22b.google.com (mail-ve0-x22b.google.com [IPv6:2607:f8b0:400c:c01::22b]) by mx1.freebsd.org (Postfix) with ESMTP id A35711C5C for ; Tue, 9 Jul 2013 01:54:49 +0000 (UTC) Received: by mail-ve0-f171.google.com with SMTP id b10so4212495vea.16 for ; Mon, 08 Jul 2013 18:54:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=HzASETr5ymhsf/3jB2vwuBAYWA9pa8eSelzSQL0SGWk=; b=x6tTvk8kddXK7n55nHuOxI5ZYYS9TO3OLpAvfe7aITJuJbdX7wXOq0k8BBazhkDR60 CnIqe0iDliANXm1obPFy8IiTyG/5IcyOjjHSJMs1rbVV40LwFbbjyQl4j8P3C9k9VJIH pYDVaKJ0UWb45iQ32tJf53eaTGS9ReoaoGnPlag7jIdzlEKCjATO02L3o6Wig6YEyrOi kOw+NSA5Id3S91l4c13Yvc5lnNMnalszmxWpnPdzHDmfvpZqoFTFjFsNM10yvZHi2I/M 6kCXqKElzVrMpCoruFoIROuUXK9O0jv8D0RCd2vKxYQBDccHZ3+JQWw8hDNipwnw6fcA rd+g== MIME-Version: 1.0 X-Received: by 10.58.118.200 with SMTP id ko8mr15182170veb.94.1373334889132; Mon, 08 Jul 2013 18:54:49 -0700 (PDT) Received: by 10.59.11.225 with HTTP; Mon, 8 Jul 2013 18:54:49 -0700 (PDT) In-Reply-To: <20130709023140.9c7c4f40.freebsd@edvax.de> References: <20130709023140.9c7c4f40.freebsd@edvax.de> Date: Mon, 8 Jul 2013 21:54:49 -0400 Message-ID: Subject: Re: UEFI Secure Boot From: Mehmet Erol Sanliturk To: Polytropon Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: jb , FreeBSD Questions Mailing List X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Jul 2013 01:54:49 -0000 On Mon, Jul 8, 2013 at 8:31 PM, Polytropon wrote: > On Mon, 8 Jul 2013 16:21:28 +0000 (UTC), jb wrote: > > I hope FreeBSD (and other OSs) luminaries, devs and users will find a > way not > > to harm themselves. > > A massive problem I (personally) have is that with Restricted Boot > (this is what "Secure Boot" basically is) you are no longer able > to _ignore_ MICROS~1 and their products. A restrictive boot loader > mechanism that requires signed and confirmed keys, handled by a > major offender of free decisions and a healthy market - no thanks. > What prevents MICROS~1 from revoking keys of a possible competitor? > Or from messing with the specs just that things start breaking? > > Don't get me wrong: I don't even argument that a mechanism where > a competitor requires you to pay money to run _your_ software > instead of _their_ software sounds horribly wrong. This approach > will introduce a philosophical or even legal context to the > technical problem. > > I see interesting chances in UEFI per se. It can be called a kind > of "micro-OS" which can be rich on features that could also be > useful. But history has shown that if such an infrastructure is > provided, it will lead to bloated, insecure and incompatible > implementations quickly, and the worst, it will happen at a very > low level. This is simly dangerous. > > Regarding UEFI + Restricted Boot: To obtain MICROS~1's sticker of > approval for hardware, vendors need to implement those features. > Even worse, on _specific_ platforms, they are not allowed to make > it possible to _remove_ those features, so "on by default" is > required - if I remember correctly (Intel vs. ARM architectures). > > As you see, I try to ignore this whole topic as I am not interested > in using it. In the past, this has been possible. When building a > new system, buying a blank disk and _no_ "Windows" was particularly > easy. For systems that already came with some "Windows" preinstalled, > simply deleting the partition was a solution; install FreeBSD boot > mechanism, initialize disk, and be done. No more dealing with what > MICROS~1 seems to insist is "normal". When _their_ product decisions > make _me_ invest time to find a way to remove and ignore them, I > feel offended. > > I would like to see a way UEFI hardware, with or without Restricted > Boot, can be used with FreeBSD _without_ involving the "good will" > of MICROS~1. But as they have already gotten their fingers everywhere, > this doesn't seem to happen all too soon... :-( > > > > > -- > Polytropon > Magdeburg, Germany > Happy FreeBSD user since 4.0 > Andra moi ennepe, Mousa, ... > To assume that UEFI with some magic numbers is a security provider with current hardware is only a day dream . Consider stolen security signing keys and other by-passing mechanisms . For me , I think , over time there will exist free , but really free operating systems which they are not enslaved themselves to some companies , and hardware ( mainly main boards ) which will not require such enslaving . Then , to do task is just plainly to switch to such hardware and software . Personally , I will never want to live under a restriction tried to be enforced by a company and blindly accepted by its followers . I think I am not the only one in the world . Thank you very much . Mehmet Erol Sanliturk