Date: Wed, 06 Jun 2012 08:32:02 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: FreeBSD <freebsd-questions@FreeBSD.org>
Cc: Jerry <jerry@seibercom.net>
Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware of?
Message-ID: <4FCF0772.8000609@FreeBSD.org>
In-Reply-To: <20120605181055.4af65fdb@scorpio>
References: <CADy1Ce7MihpmMowc265%2BS_RKorMO3KEKsCgr=pdnjg2jzq-dYQ@mail.gmail.com> <20120605203717.5663bdf7.freebsd@edvax.de> <Pine.GSO.4.64.1206051653120.5642@nber6> <20120605181055.4af65fdb@scorpio>

On 05/06/2012 23:10, Jerry wrote:

> I thought this URL <http://mjg59.dreamwidth.org/12368.html> also shown
> above, answered that question.

Signing bootloaders and kernels etc. seems superficially like a good
idea to me. However, instant reaction is that this is definitely *not*
something that Microsoft should be in charge of. Some neutral[*] body
without any commercial interests should do that job, and
bootloader/kernel signing should be freely available.

On deeper thought though, the whole idea appears completely unworkable.
It means that you will not be able to compile your own kernel or drivers
unless you have access to a signing key. As building your own is pretty
fundamental to the FreeBSD project, the logical consequence is that
FreeBSD source should come with a signing key for anyone to use. Which
completely abrogates the whole point of signing bootloaders/kernels in
the first place: anyone wishing to create malware would be able to sign
whatever they want using such a key.

It's DRM-level stupidity all over again.

My conclusion: boycott products, manufacturers and/or OSes that
participate in this scheme. FreeBSD alone won't make any real
difference to manufacturers, but I hope there is still enough of the
original spirit of freedom within the Linux camp, and perhaps from
Google/android to make an impact.

I'm pretty sure there can be a way of whitelisting bootloaders and so
forth to help prevent low-level malware, but this isn't it.

Cheers,

Matthew

[*] I suggest ICANN might be the right sort of organization to fulfil
this role.

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey