Date: Wed, 06 Jun 2012 14:23:20 +0200 From: Damien Fleuriot <ml@my.gd> To: freebsd-questions@freebsd.org Subject: Re: Is this something we (as consumers of FreeBSD) need to be aware of? Message-ID: <4FCF4BB8.8040703@my.gd> In-Reply-To: <4FCF0772.8000609@FreeBSD.org> References: <CADy1Ce7MihpmMowc265%2BS_RKorMO3KEKsCgr=pdnjg2jzq-dYQ@mail.gmail.com> <20120605203717.5663bdf7.freebsd@edvax.de> <Pine.GSO.4.64.1206051653120.5642@nber6> <20120605181055.4af65fdb@scorpio> <4FCF0772.8000609@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 6/6/12 9:32 AM, Matthew Seaman wrote: > On 05/06/2012 23:10, Jerry wrote: >> I thought this URL <http://mjg59.dreamwidth.org/12368.html>; also shown >> above, answered that question. > > Signing bootloaders and kernels etc. seems superficially like a good > idea to me. However, instant reaction is that this is definitely *not* > something that Microsoft should be in charge of. Some neutral[*] body > without any commercial interests should do that job, and > bootloader/kernel signing should be freely available. > > On deeper thought though, the whole idea appears completely unworkable. > It means that you will not be able to compile your own kernel or > drivers unless you have access to a signing key. As building your own > is pretty fundamental to the FreeBSD project, the logical consequence is > that FreeBSD source should come with a signing key for anyone to use. > > Which completely abrogates the whole point of signing > bootloaders/kernels in the first place: anyone wishing to create malware > would be able to sign whatever they want using such a key. It's > DRM-level stupidity all over again. > > My conclusion: boycott products, manufacturers and/or OSes that > participate in this scheme. FreeBSD alone won't make any real > difference to manufacturers, but I hope there is still enough of the > original spirit of freedom within the Linux camp, and perhaps from > Google/android to make an impact. > > I'm pretty sure there can be a way of whitelisting bootloaders and so > forth to help prevent low-level malware, but this isn't it. > > Cheers, > > Matthew > > [*] I suggest ICANN might be the right sort of organization to fulfil > this role. > I agree with the whole post except that last bit about ICANN Matthew. The US already has enough dominance as is, without involving ICANN, a supposedly neutral body (yeah right...) any further.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4FCF4BB8.8040703>