From owner-freebsd-questions@FreeBSD.ORG  Tue Jun  5 21:06:55 2012
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 0942A106566B
	for <questions@freebsd.org>; Tue,  5 Jun 2012 21:06:55 +0000 (UTC)
	(envelope-from feenberg@nber.org)
Received: from mail2.nber.org (mail2.nber.org [66.251.72.79])
	by mx1.freebsd.org (Postfix) with ESMTP id A6CCC8FC18
	for <questions@freebsd.org>; Tue,  5 Jun 2012 21:06:54 +0000 (UTC)
Received: from nber6 (nber6.nber.org [66.251.72.76])
	by mail2.nber.org (8.14.4/8.14.4) with ESMTP id q55L6f8e075834;
	Tue, 5 Jun 2012 17:06:42 -0400 (EDT)
	(envelope-from feenberg@nber.org)
Date: Tue, 5 Jun 2012 17:00:14 -0400 (EDT)
From: Daniel Feenberg <feenberg@nber.org>
X-X-Sender: feenberg@nber6
To: Polytropon <freebsd@edvax.de>
In-Reply-To: <20120605203717.5663bdf7.freebsd@edvax.de>
Message-ID: <Pine.GSO.4.64.1206051653120.5642@nber6>
References: <CADy1Ce7MihpmMowc265+S_RKorMO3KEKsCgr=pdnjg2jzq-dYQ@mail.gmail.com>
	<20120605203717.5663bdf7.freebsd@edvax.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Anti-Virus: Kaspersky Anti-Virus for Linux Mail Server 5.6.39/RELEASE,
	bases: 20120605 #8133913, check: 20120605 clean
Cc: Kurt Buff <kurt.buff@gmail.com>, FreeBSD Questions <questions@freebsd.org>
Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware
 of?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jun 2012 21:06:55 -0000



On Tue, 5 Jun 2012, Polytropon wrote:

> On Tue, 5 Jun 2012 11:19:26 -0700, Kurt Buff wrote:
>> UEFI considerations drive Fedora to pay MSFT to sign their kernel binaries
>> http://cwonline.computerworld.com/t/8035515/1292406/565573/0/
>
> I may reply with another link:
> http://mjg59.dreamwidth.org/12368.html
>

I have a pretty basic question that probably displays some ignorance...

Does the loader need to be signed? Once signed, can it load anything, or 
just things MS has approved? If MS signs the kernel, can the kernel run 
anything, or just things MS has approved? If RH has a signed kernel, do 
they have to sign all the userland programs that run under that kernel? 
Can users sign programs compiled from source?

If MS only has to sign the first link in the chain, then the $99 
certificate is not really a problem except for the pure of heart. If MS or 
someone else has to sign all the way down to the userland binaries, then 
users of FreeBSD will have to turn off secure boot in CMOS, and it will 
lose a few users. But I can't tell from the discussions mentioned above. 
Either way, I don't think it will destroy FreeBSD, or Linux, but I would 
be interested anyway.

Daniel Feenberg