Date: Wed, 6 Jun 2012 16:13:45 -0400 From: grarpamp <grarpamp@gmail.com> To: freebsd-questions@freebsd.org Subject: UEFI Secure Boot Specs - And some sanity Message-ID: <CAD2Ti2_SHrW5U3FM5FDuuddkBijKs_z%2BnsaViQBT6uF9X3b8Eg@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Isn't there a lot of needless handwaving going on when the spec is pretty clear that installing your own complete PKI tree will all boil down to what is effectively a jumper on the motherboard? First, some sanity... Users could fully utilize the UEFI Secure Boot hardware by say: - Using openssl to generate their keys - Jumper the board, burn it into the BIOS in UEFI SB SetupMode - Have all the MBR, slice, partition, installkernel, etc tools install and manage the signed disk/loader/kernel/module bits - Have the BIOS check sigs on whatever first comes off the media I don't see that the user will actually NOT be able to do this on anything but 'designed for windows only' ARM systems. Seeing how open Android/Linux is firmly in that space, this will just devalue the non open windows product. There have been 25 years of generic mass produced motherboards. And 25 years of open source OS commits to utilize them. That is not changing anytime soon. Non generic attempts fail. Even corporate kings Dell and HP know they would be foolish to sell motherboards that will not allow their buyers to swap out the PK keys... because they know their buyers run more than just windows and that they need various security models. And if they really were that dumb, there's Gigabyte, Asus, Msi, Supermicro, Biostar, etc who will not be so dumb and will soak up all the remaining sales gravy. The masses have seen and now want openness, open systems, sharing. The old models are but speed bumps on their own way out the door. Though it seems a non issue to me, if you want to protest, protest for 'Setup Mode'. And not here on this list, but to the hardware makers. We should want to use this PKI in our systems. Not disable it. Not pay $100 to terminate the PKI chain early. Not pay $100 to lock us into unmodifiable releases (aka: BSD corporate version). I look forward to seeing the UEFI SB PK SetupMode AMD and Intel generic motherboard list :) On to facts... http://www.uefi.org/ Spec Chapter 27 Secure Boot, SetupMode, PK, Shell, etc https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface https://en.wikipedia.org/wiki/Unified_EFI_Forum http://ozlabs.org/docs/uefi-secure-boot-impact-on-linux.pdf https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot http://mjg59.dreamwidth.org/12368.html http://mjg59.livejournal.com/ https://www.tianocore.org/ http://www.avrfreaks.net/index.php?name=PNphpBB2&file=viewtopic&p=962584
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAD2Ti2_SHrW5U3FM5FDuuddkBijKs_z%2BnsaViQBT6uF9X3b8Eg>