Date:      Wed, 06 Jun 2012 08:32:02 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        FreeBSD <freebsd-questions@FreeBSD.org>
Cc:        Jerry <jerry@seibercom.net>
Subject:   Re: Is this something we (as consumers of FreeBSD) need to be aware of?
Message-ID:  <4FCF0772.8000609@FreeBSD.org>
In-Reply-To: <20120605181055.4af65fdb@scorpio>
References:  <CADy1Ce7MihpmMowc265%2BS_RKorMO3KEKsCgr=pdnjg2jzq-dYQ@mail.gmail.com> <20120605203717.5663bdf7.freebsd@edvax.de> <Pine.GSO.4.64.1206051653120.5642@nber6> <20120605181055.4af65fdb@scorpio>

On 05/06/2012 23:10, Jerry wrote:
> I thought this URL <http://mjg59.dreamwidth.org/12368.html> also shown
> above, answered that question.

Signing bootloaders and kernels etc. seems superficially like a good
idea to me.  However, instant reaction is that this is definitely *not*
something that Microsoft should be in charge of.  Some neutral[*] body
without any commercial interests should do that job, and
bootloader/kernel signing should be freely available.

On deeper thought though, the whole idea appears completely unworkable.
It means that you will not be able to compile your own kernel or
drivers unless you have access to a signing key.  As building your own
is pretty fundamental to the FreeBSD project, the logical consequence is
that FreeBSD source should come with a signing key for anyone to use.

Which completely abrogates the whole point of signing
bootloaders/kernels in the first place: anyone wishing to create malware
would be able to sign whatever they want using such a key.  It's
DRM-level stupidity all over again.

My conclusion: boycott products, manufacturers and/or OSes that
participate in this scheme.  FreeBSD alone won't make any real
difference to manufacturers, but I hope there is still enough of the
original spirit of freedom within the Linux camp, and perhaps from
Google/Android to make an impact.

I'm pretty sure there can be a way of whitelisting bootloaders and so
forth to help prevent low-level malware, but this isn't it.

	Cheers,

	Matthew

[*] I suggest ICANN might be the right sort of organization to fulfil
this role.

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey


