From: Kurt Buff
To: freebsd-questions@freebsd.org
Date: Wed, 6 Jun 2012 16:39:30 -0700
Subject: Re: UEFI Secure Boot Specs - And some sanity

Thank you for this.
I didn't realize that a simple (somewhat technical) question asked in all innocence would generate so much flammage.

Kurt

On Wed, Jun 6, 2012 at 1:13 PM, grarpamp wrote:
> Isn't there a lot of needless handwaving going on when the spec is
> pretty clear that installing your own complete PKI tree will all
> boil down to what is effectively a jumper on the motherboard?
>
>
> First, some sanity...
>
> Users could fully utilize the UEFI Secure Boot hardware by say:
>
> - Using openssl to generate their keys
> - Jumper the board, burn it into the BIOS in UEFI SB SetupMode
> - Have all the MBR, slice, partition, installkernel, etc tools
>   install and manage the signed disk/loader/kernel/module bits
> - Have the BIOS check sigs on whatever first comes off the media
>
> I don't see that the user will actually NOT be able to do this on
> anything but 'designed for windows only' ARM systems. Seeing how
> open Android/Linux is firmly in that space, this will just devalue
> the non open windows product.
>
> There have been 25 years of generic mass produced motherboards.
> And 25 years of open source OS commits to utilize them.
> That is not changing anytime soon. Non generic attempts fail.
>
> Even corporate kings Dell and HP know they would be foolish to sell
> motherboards that will not allow their buyers to swap out the PK
> keys... because they know their buyers run more than just windows
> and that they need various security models.
>
> And if they really were that dumb, there's Gigabyte, Asus, Msi,
> Supermicro, Biostar, etc who will not be so dumb and will soak up
> all the remaining sales gravy.
>
> The masses have seen and now want openness, open systems, sharing.
> The old models are but speed bumps on their own way out the door.
>
> Though it seems a non issue to me, if you want to protest, protest
> for 'Setup Mode'. And not here on this list, but to the hardware
> makers.
>
> We should want to use this PKI in our systems. Not disable it. Not
> pay $100 to terminate the PKI chain early. Not pay $100 to lock us
> into unmodifiable releases (aka: BSD corporate version).
>
> I look forward to seeing the UEFI SB PK SetupMode AMD and Intel
> generic motherboard list :)
>
>
> On to facts...
>
> http://www.uefi.org/
>   Spec Chapter 27 Secure Boot, SetupMode, PK, Shell, etc
>
> https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
> https://en.wikipedia.org/wiki/Unified_EFI_Forum
> http://ozlabs.org/docs/uefi-secure-boot-impact-on-linux.pdf
> https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot
> http://mjg59.dreamwidth.org/12368.html
> http://mjg59.livejournal.com/
> https://www.tianocore.org/
> http://www.avrfreaks.net/index.php?name=PNphpBB2&file=viewtopic&p=962584