From: Noel
Date: Mon, 08 Jul 2013 19:36:31 -0500
To: freebsd-questions@freebsd.org
Subject: Re: UEFI Secure Boot
Message-ID: <51DB5B0F.4000307@gmail.com>
In-Reply-To: <13CA24D6AB415D428143D44749F57D7201FB74C7@ltcfiswmsgmb21>

On 7/8/2013 6:28 PM, Teske, Devin wrote:
> On Jul 8, 2013, at 3:24 PM, Sergio de Almeida Lenzi wrote:
>
> [snip]
>
>>
>> So the question:
>> Why or when will I need a secure UEFI boot???
>>
>
> From what I've read of UEFI Secure boot, I've parceled out into
> these nuggets:
>
> (correct any nuggets I got wrong)
>
> 1. UEFI Secure boot is actually UEFI + Secure boot. You can disable
>    Secure boot and still have UEFI.
>
> 2. Windows 8 requires UEFI Secure boot to ... boot.

Not entirely correct. Microsoft licensing requires UEFI Secure boot
for PCs sold with preinstalled Win8 and the "Windows 8" logo. Win8
itself boots and runs fine on legacy hardware without UEFI (and often
outperforms XP or Win7 on the same hardware).

But the real-world end result is the vast majority of future computers
will be sold with UEFI secure boot enabled as the default.

>
> 3. Any OS can work with UEFI Secure boot... you just have to sign
>    your drivers (which puts a burden on development, testing, etc.)
>
> 4. FreeBSD today can work on a machine if you disable UEFI (implied
>    disabling of Secure boot sub-feature)
>
> 5. FreeBSD could eventually support UEFI.
>
> 6. Don't know if we want to support secure-boot... but I think we
>    should. It's really up to how the end-user wants FreeBSD to
>    function. If they want FreeBSD to reject module-loads for
>    custom-compiled modules, secure boot seems to be a way to go. But
>    for me at least, I won't be enabling it (even if we support it).
>    However, I know customers that might think it's a great idea
>    (think financial institutions running FreeBSD on bare metal both
>    as workstations and servers).
>
> Now, I must admit, when the conversation of UEFI and Secure boot
> starts turning toward involving M$, I get confused.
>
> To my understanding, it's a methodology to allow a customer to
> secure his/her box against root-kit. The OS does this by
> communicating with the UEFI framework the keys of modules to load.
> That's between the BIOS and the OS (whatever OS you may be running).
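
Added example, not part of the original message or of any FreeBSD code: a check that separates the states nugget 1 distinguishes (no UEFI, UEFI with Secure Boot off, UEFI with Secure Boot on) by reading the firmware's `SecureBoot` and `SetupMode` variables. It assumes the Linux efivarfs layout under `/sys/firmware/efi/efivars`; the function names and the constructed sample directory are illustrative.

```python
import os
import struct
import tempfile

# GUID of the UEFI global-variable namespace (from the UEFI specification).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_efi_byte(efivars_dir, name):
    """First data byte of a global EFI variable, or None if it is absent.
    Assumes the Linux efivarfs layout: a 4-byte little-endian attribute
    word followed by the variable's data."""
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        return None
    if len(raw) < 5:
        raise ValueError(f"{name}: truncated variable ({len(raw)} bytes)")
    return raw[4]


def boot_state(efivars_dir="/sys/firmware/efi/efivars"):
    """Classify the machine into the firmware states the thread separates."""
    if not os.path.isdir(efivars_dir):
        return "legacy BIOS boot (no UEFI variables exposed)"
    secure = read_efi_byte(efivars_dir, "SecureBoot")
    if secure is None:
        return "UEFI, Secure Boot state not exposed"
    if secure == 1:
        return "UEFI, Secure Boot enforcing"
    if read_efi_byte(efivars_dir, "SetupMode") == 1:
        return "UEFI, Secure Boot off (setup mode, no platform key)"
    return "UEFI, Secure Boot disabled"


def make_sample(secure, setup):
    """Constructed efivarfs-style directory so the example runs offline."""
    d = tempfile.mkdtemp()
    for name, value in (("SecureBoot", secure), ("SetupMode", setup)):
        with open(os.path.join(d, f"{name}-{EFI_GLOBAL}"), "wb") as fh:
            # 0x6 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS attribute bits
            fh.write(struct.pack("<I", 0x6) + bytes([value]))
    return d


if __name__ == "__main__":
    print(boot_state())
```
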