From owner-freebsd-hardware@FreeBSD.ORG Fri Jun 8 22:17:11 2012 Return-Path: Delivered-To: freebsd-hardware@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9F9A8106566C for ; Fri, 8 Jun 2012 22:17:11 +0000 (UTC) (envelope-from grarpamp@gmail.com) Received: from mail-wi0-f170.google.com (mail-wi0-f170.google.com [209.85.212.170]) by mx1.freebsd.org (Postfix) with ESMTP id 31EFE8FC14 for ; Fri, 8 Jun 2012 22:17:11 +0000 (UTC) Received: by wibhm6 with SMTP id hm6so1681234wib.1 for ; Fri, 08 Jun 2012 15:17:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=YVDXMY3NZqd0Y1Vk9qsT0Kfieg0aB681HVcYwcHaFg4=; b=qCAxwL3437FyxqMTauyUbz/MWQnAu90YC6yYeZ9GaQgb4RbJhpY2rbUQgd1sQ/MOfC ds2fKWssY6IztNDfYLRKXnqVv/sin906qcPDwqZWAShjGXUXv61fE10XXcQOtYqjhiVC qO3Q2J9kM8BsZJZXw2o20bllSr6nvzmr2SX/JcUwCBTH7BautB9P6rauhM3Xxva5KGzt EykX7/e/5TaSXLwdauLXuvV49rQfdjyw0R0r8EcBP9VNTuzFHtZp2PzieXSoU1Y8ryZ0 8z8eMNmX2vKqGuL7AVHWnP0WWCNHozOn2sFYg44nPgvmqojeJsKrjBZEyP81gEDQSRRv DL2w== MIME-Version: 1.0 Received: by 10.216.196.166 with SMTP id r38mr2080986wen.161.1339193830209; Fri, 08 Jun 2012 15:17:10 -0700 (PDT) Received: by 10.180.84.39 with HTTP; Fri, 8 Jun 2012 15:17:10 -0700 (PDT) In-Reply-To: <201206081611.q58GBW0J097808@fire.js.berklix.net> References: <201206081611.q58GBW0J097808@fire.js.berklix.net> Date: Fri, 8 Jun 2012 18:17:10 -0400 Message-ID: From: grarpamp To: freebsd-questions@freebsd.org Content-Type: text/plain; charset=UTF-8 X-Mailman-Approved-At: Sat, 09 Jun 2012 01:54:30 +0000 Cc: Subject: Re: UEFI Secure Boot Specs - And some sanity X-BeenThere: freebsd-hardware@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: General discussion of FreeBSD hardware List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Jun 2012 22:17:11 -0000 >> Isn't there a lot of needless handwaving going on when the spec is >> pretty clear that installing your own complete PKI tree will all >> boil down to what is effectively a jumper on the motherboard? > Hoping a jumper Might be under an easily unscrewable panel seems unlikely. I did say "effectively". If people would actually read that chapter in the spec (minimally 27.5) they would find that they can: - Load a new PK without asking if in default SetupMode - If not in SetupMode, chainload a new PK provided it is signed by the current PK. - Clear the PK in a 'secure platform specific method'. There's nothing that says PK SetupMode has to be a jumper. Entering the equivalent of good old pre-boot BIOS setup mode would work so long as the OS can't get to it without the request being signed by the current PK. The point of Secure Boot is firmware checked protection against software access... not physical access protection. The spec speaks liberally of 'platform owner' being able to do whatever they want. More handwaving about EULA's and branding aside, that means US. I seriously think that people are blowing this topic way out of context, and seeing it everywhere is getting really old. People should instead be working on the facts and writing the various motherboard manufacturers to ask them what their expected PK update model will be, and to educate them if not. And to work at committing it to their OS. And yes, that includes Compal and Quanta and those sorts of OEM laptop/embedded makers. I'll send $100 to the FreeBSD foundation if those retail board makers I listed don't give the option to install/replace the PK. Nuff said. ps: I don't really care what MS does with their own branded products in the embedded/small space. Plenty of millionaires out there now who are in tune with opensource who could startup, buy the same ARM/ATOM/etc chips, the same support chips, load Android and sell it to the masses. Lot's of overseas ODM's out there for them to pick from too. Phones, tablets, notebooks, laptops... it's all there. FreeBSD on your phone in 10 years.