Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 6 Jun 2012 16:39:30 -0700
From:      Kurt Buff <kurt.buff@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: UEFI Secure Boot Specs - And some sanity
Message-ID:  <CADy1Ce5FdZUH3goay7w38h%2BRsddQVNRy_txhiXdq%2BASpwzigzg@mail.gmail.com>
In-Reply-To: <CAD2Ti2_SHrW5U3FM5FDuuddkBijKs_z%2BnsaViQBT6uF9X3b8Eg@mail.gmail.com>
References:  <CAD2Ti2_SHrW5U3FM5FDuuddkBijKs_z%2BnsaViQBT6uF9X3b8Eg@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Thank you for this.

I didn't realize that a simple (somewhat technical) question asked in
all innocence would generate so much flammage.

Kurt

On Wed, Jun 6, 2012 at 1:13 PM, grarpamp <grarpamp@gmail.com> wrote:
> Isn't there a lot of needless handwaving going on when the spec is
> pretty clear that installing your own complete PKI tree will all
> boil down to what is effectively a jumper on the motherboard?
>
>
> First, some sanity...
>
> Users could fully utilize the UEFI Secure Boot hardware by say:
>
> - Using openssl to generate their keys
> - Jumper the board, burn it into the BIOS in UEFI SB SetupMode
> - Have all the MBR, slice, partition, installkernel, etc tools
> install and manage the signed disk/loader/kernel/module bits
> - Have the BIOS check sigs on whatever first comes off the media
>
> I don't see that the user will actually NOT be able to do this on
> anything but 'designed for windows only' ARM systems. Seeing how
> open Android/Linux is firmly in that space, this will just devalue
> the non open windows product.
>
> There have been 25 years of generic mass produced motherboards.
> And 25 years of open source OS commits to utilize them.
> That is not changing anytime soon. Non generic attempts fail.
>
> Even corporate kings Dell and HP know they would be foolish to sell
> motherboards that will not allow their buyers to swap out the PK
> keys... because they know their buyers run more than just windows
> and that they need various security models.
>
> And if they really were that dumb, there's Gigabyte, Asus, Msi,
> Supermicro, Biostar, etc who will not be so dumb and will soak up
> all the remaining sales gravy.
>
> The masses have seen and now want openness, open systems, sharing.
> The old models are but speed bumps on their own way out the door.
>
> Though it seems a non issue to me, if you want to protest, protest
> for 'Setup Mode'. And not here on this list, but to the hardware
> makers.
>
> We should want to use this PKI in our systems. Not disable it. Not
> pay $100 to terminate the PKI chain early. Not pay $100 to lock us
> into unmodifiable releases (aka: BSD corporate version).
>
> I look forward to seeing the UEFI SB PK SetupMode AMD and Intel
> generic motherboard list :)
>
>
> On to facts...
>
> http://www.uefi.org/
> =C2=A0Spec Chapter 27 Secure Boot, SetupMode, PK, Shell, etc
>
> https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
> https://en.wikipedia.org/wiki/Unified_EFI_Forum
> http://ozlabs.org/docs/uefi-secure-boot-impact-on-linux.pdf
> https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot
> http://mjg59.dreamwidth.org/12368.html
> http://mjg59.livejournal.com/
> https://www.tianocore.org/
> http://www.avrfreaks.net/index.php?name=3DPNphpBB2&file=3Dviewtopic&p=3D9=
62584
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.o=
rg"



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADy1Ce5FdZUH3goay7w38h%2BRsddQVNRy_txhiXdq%2BASpwzigzg>