Date:      Mon, 08 Jul 2013 19:36:31 -0500
From:      Noel <noeldude@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: UEFI Secure Boot
Message-ID:  <51DB5B0F.4000307@gmail.com>
In-Reply-To: <13CA24D6AB415D428143D44749F57D7201FB74C7@ltcfiswmsgmb21>
References:  <loom.20130708T182036-992@post.gmane.org> <1373322278.15315.38.camel@lenovo.lenzicasa> <13CA24D6AB415D428143D44749F57D7201FB74C7@ltcfiswmsgmb21>


On 7/8/2013 6:28 PM, Teske, Devin wrote:
> On Jul 8, 2013, at 3:24 PM, Sergio de Almeida Lenzi wrote:
>
> [snip]
>
>>
>> So the question: 
>> Why or when will I need a secure UEFI boot???
>>
>
> From what I've read of UEFI Secure boot, I've parceled out into
> these nuggets:
>
> (correct any nuggets I got wrong)
>
> 1. UEFI Secure boot is actually UEFI + Secure boot. You can
> disable Secure boot and still have UEFI.
>
> 2. Windows 8 requires UEFI Secure boot to ... boot.


Not entirely correct. Microsoft licensing requires UEFI Secure boot
for PCs sold with preinstalled Win8 and the "Windows 8" logo.

Win8 itself boots and runs fine on legacy hardware without UEFI 
(and often outperforms XP or Win7 on the same hardware).

But the real-world end result is the vast majority of future
computers will be sold with UEFI secure boot enabled as the default.


>
>
> 3. Any OS can work with UEFI Secure boot... you just have to sign
> your drivers (which puts a burden on development, testing, etc.)
>
> 4. FreeBSD today can work on a machine if you disable UEFI
> (implied disabling of Secure boot sub-feature)
>
> 5. FreeBSD could eventually support UEFI.
>
> 6. Don't know if we want to support secure-boot... but I think we
> should. It's really up to how the end-user wants FreeBSD to
> function. If they want FreeBSD to reject module-loads for
> custom-compiled modules, secure boot seems to be a way to go. But
> for me at least, I won't be enabling it (even if we support it).
> However, I know customers that might think it's a great idea (think
> financial institutions running FreeBSD on bare metal both as
> workstations and servers).
>
> Now, I must admit, when the conversation of UEFI and Secure boot
> starts turning toward involving M$, I get confused.
>
> To my understanding, it's a methodology to allow a customer to
> secure his/her box against root-kit. The OS does this by
> communicating with the UEFI framework the keys of modules to load.
> That's between the BIOS and the OS (whatever OS you may be running).




