From owner-freebsd-questions@FreeBSD.ORG Fri Jun 15 00:23:30 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (unknown [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 011A7106564A for ; Fri, 15 Jun 2012 00:23:30 +0000 (UTC) (envelope-from cpghost@cordula.ws) Received: from mail-pb0-f54.google.com (mail-pb0-f54.google.com [209.85.160.54]) by mx1.freebsd.org (Postfix) with ESMTP id C65E28FC0C for ; Fri, 15 Jun 2012 00:23:29 +0000 (UTC) Received: by pbbro2 with SMTP id ro2so4804499pbb.13 for ; Thu, 14 Jun 2012 17:23:29 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=jrvEFme9Xy2a8XBVjBwYXmCKGtskexgmXiNHKgHovQk=; b=KbCdGJvKuuMFru2FJhaAFUosjDGhhIjc3aKXArEDcejUNmkFmwcNpWpsHQTZwTo8if sC1rIerVL3GeqrDlgldvBigR4TKSbJq0EfE3Ksplv45DGJjc2feCnJ+ELvJOEnLaL2Xg IzX6wZA+mXTkaT8o7qlKfNUqinXTwRysEDtCjfCBUOanUpVXZT2vSMrSiX+lpH3CP+mg 4+zXZD2D2AO11ZvKdrusXbGVyyOn2ouFDucFYRiIr39+bAWTI6UU8oCBlWENrCoaxPhB WXgFmbgel+vuHUoREslIGQvy00FinAZty27eU2ZFB9+S4f7gGf2u228Ab9YnbnF3emR2 1zjw== MIME-Version: 1.0 Received: by 10.68.200.104 with SMTP id jr8mr14108784pbc.9.1339719809334; Thu, 14 Jun 2012 17:23:29 -0700 (PDT) Received: by 10.68.225.3 with HTTP; Thu, 14 Jun 2012 17:23:29 -0700 (PDT) X-Originating-IP: [93.221.175.200] In-Reply-To: References: <201206081611.q58GBW0J097808@fire.js.berklix.net> Date: Fri, 15 Jun 2012 02:23:29 +0200 Message-ID: From: "C. P. Ghost" To: grarpamp Content-Type: text/plain; charset=ISO-8859-1 X-Gm-Message-State: ALoCoQl+lHzfADoraaDijloVLmljjSaHytUsXdU4CMriPCkWJyE6KqOAPwcam10zLozwleViEKmP Cc: freebsd-questions@freebsd.org Subject: Re: UEFI Secure Boot Specs - And some sanity X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 Jun 2012 00:23:30 -0000 On Sat, Jun 9, 2012 at 12:17 AM, grarpamp wrote: > I did say "effectively". If people would actually read that chapter > in the spec (minimally 27.5) they would find that they can: > - Load a new PK without asking if in default SetupMode > - If not in SetupMode, chainload a new PK provided it is > signed by the current PK. > - Clear the PK in a 'secure platform specific method'. Only if they fully follow the spec. This is rather unlikely. Even today, there are still many broken DMI/SMBIOS tables out there that contain barely enough stuff for Windows to boot successfully. What makes you think UEFI BIOS makers will go all the trouble to implement such a complex spec, if all they have to do is to ensure compliance with MS requirements? I wouldn't count on an option or switch to override this system. Technically, we may very well have to replace the BIOS, or even the BIOS chip itself (that'll be fun if it is physically mounted on the board!), and replace it with a chip flashed with a free BIOS. And by then, the corps who are responsible for this UEFI mess will have made it illegal to 1. tinker with your own hardware, as it would be DRM circumvention and 2. implement a free UEFI BIOS as it would violate some UEFI patents. Basically, we may end up in a situation where running FreeBSD on a modified motherboard could be outright illegal. Which is exactly the point, isn't it? -cpghost. -- Cordula's Web. http://www.cordula.ws/