Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 6 Jun 2012 16:13:45 -0400
From:      grarpamp <grarpamp@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   UEFI Secure Boot Specs - And some sanity
Message-ID:  <CAD2Ti2_SHrW5U3FM5FDuuddkBijKs_z%2BnsaViQBT6uF9X3b8Eg@mail.gmail.com>

next in thread | raw e-mail | index | archive | help
Isn't there a lot of needless handwaving going on when the spec is
pretty clear that installing your own complete PKI tree will all
boil down to what is effectively a jumper on the motherboard?


First, some sanity...

Users could fully utilize the UEFI Secure Boot hardware by say:

- Using openssl to generate their keys
- Jumper the board, burn it into the BIOS in UEFI SB SetupMode
- Have all the MBR, slice, partition, installkernel, etc tools
install and manage the signed disk/loader/kernel/module bits
- Have the BIOS check sigs on whatever first comes off the media

I don't see that the user will actually NOT be able to do this on
anything but 'designed for windows only' ARM systems. Seeing how
open Android/Linux is firmly in that space, this will just devalue
the non open windows product.

There have been 25 years of generic mass produced motherboards.
And 25 years of open source OS commits to utilize them.
That is not changing anytime soon. Non generic attempts fail.

Even corporate kings Dell and HP know they would be foolish to sell
motherboards that will not allow their buyers to swap out the PK
keys... because they know their buyers run more than just windows
and that they need various security models.

And if they really were that dumb, there's Gigabyte, Asus, Msi,
Supermicro, Biostar, etc who will not be so dumb and will soak up
all the remaining sales gravy.

The masses have seen and now want openness, open systems, sharing.
The old models are but speed bumps on their own way out the door.

Though it seems a non issue to me, if you want to protest, protest
for 'Setup Mode'. And not here on this list, but to the hardware
makers.

We should want to use this PKI in our systems. Not disable it. Not
pay $100 to terminate the PKI chain early. Not pay $100 to lock us
into unmodifiable releases (aka: BSD corporate version).

I look forward to seeing the UEFI SB PK SetupMode AMD and Intel
generic motherboard list :)


On to facts...

http://www.uefi.org/
 Spec Chapter 27 Secure Boot, SetupMode, PK, Shell, etc

https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
https://en.wikipedia.org/wiki/Unified_EFI_Forum
http://ozlabs.org/docs/uefi-secure-boot-impact-on-linux.pdf
https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot
http://mjg59.dreamwidth.org/12368.html
http://mjg59.livejournal.com/
https://www.tianocore.org/
http://www.avrfreaks.net/index.php?name=PNphpBB2&file=viewtopic&p=962584



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAD2Ti2_SHrW5U3FM5FDuuddkBijKs_z%2BnsaViQBT6uF9X3b8Eg>