Date: Thu, 14 Jun 2012 17:31:49 +0200 From: "Julian H. Stacey" <jhs@berklix.com> To: "C. P. Ghost" <cpghost@cordula.ws> Cc: FreeBSD Questions <questions@freebsd.org> Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware of? Message-ID: <201206141531.q5EFVnt4085652@fire.js.berklix.net> In-Reply-To: Your message "Thu, 14 Jun 2012 09:51:46 %2B0200." <CADGWnjW2LnrtOiXFzWFk9btMaeJhmOTxdZ7ScymY=qGME_cBgg@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, Reference: > From: "C. P. Ghost" <cpghost@cordula.ws> > Date: Thu, 14 Jun 2012 09:51:46 +0200 > Message-id: <CADGWnjW2LnrtOiXFzWFk9btMaeJhmOTxdZ7ScymY=qGME_cBgg@mail.gmail.com> "C. P. Ghost" wrote: > On Tue, Jun 5, 2012 at 8:19 PM, Kurt Buff <kurt.buff@gmail.com> wrote: > > UEFI considerations drive Fedora to pay MSFT to sign their kernel binaries > > http://cwonline.computerworld.com/t/8035515/1292406/565573/0/ > > > > This would seem to make compiling from source difficult. > > > > Kurt > > I'm not sure I understand the issue, but this is my take on it > so far: > > 1. What's preventing the makers of boot loaders like GRUB (which can > also boot FreeBSD) from getting a certificate ONCE? And if they have > one, what's preventing them from loading ANY kernel at all? If you read Fedora's page they were planning to tighten their boot sequence to then only boot their approved binary kernels. Not that others ( eg us) would have to, presumably we could leave it wide open (aside of terms of purchase see discussion earlier in thread), (aside of risk of key revocation on some hardware manufacturers) Risk of key revocation later If hardware manufacturer ships new bios or uefi, or user upgrades to new UEFI (eg I as a user must upgrade a uefi soon as a laptop overheats). + if MS get away with this intrusion, next they'll consider requiring a "Call Home" demon (that could also run on *UX, I guess they'd be pleased to provide source free of charge for that next stage entrapment ! ;-) that all PC users must run periodicaly, to update UEFI table with new revised list of authorised keys. > It is only > the first stage boot loader that needs to be signed, or not? Far as I've read, yes. I wasn't sure about AMD so I looked here: /usr/ports/sysutils/grub/Makefile ONLY_FOR_ARCHS= i386 http://www.gnu.org/software/grub/grub-faq.html (Re Grub 2) The current release is working on Intel/AMD PCs, OpenFirmware-based PowerPC machines (PowerMac and Pegasos), EFI-based PC (IntelMac) and coreboot (formerly, LinuxBIOS), and is being ported to UltraSparc. > 2. What's preventing anyone of us in the EU from stepping up > efforts with the EU Commission and the EU Parliament to stop > Microsoft from monopolizing the ARM (and later x86) platforms, > i.e. by becoming the only gatekeepers? After all, EU sovereign > states and their economies can't depend on a US corporation > having a global kill switch to their whole infrastructure. We're not > just talking about Windows dominance here, but a lot more: > dominance on the whole hardware segment. I'm pretty sure this > scheme is highly anti-competitive, and I guess it runs afoul of a lot > of already existing EU regulations. I think we will need to contact the EU, hence assembling URLs first: http://berklix.org/uefi/ Cheers, Julian -- Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com Reply below not above, cumulative like a play script, & indent with "> ". Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable. Mail from @yahoo dumped @berklix. http://berklix.org/yahoo/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201206141531.q5EFVnt4085652>