Is this something we (as consumers of FreeBSD) need to be aware
of?
Damien Fleuriot
ml at my.gd
Wed Jun 6 12:28:59 UTC 2012
On 6/6/12 1:19 PM, Daniel Feenberg wrote:
>
>
> On Wed, 6 Jun 2012, Matthew Seaman wrote:
>
>> On 05/06/2012 23:10, Jerry wrote:
>>> I thought this URL <http://mjg59.dreamwidth.org/12368.html> also shown
>>> above, answered that question.
>>
>> Signing bootloaders and kernels etc. seems superficially like a good
>> idea to me. However, instant reaction is that this is definitely *not*
>> something that Microsoft should be in charge of. Some neutral[*] body
> ...
>> On deeper thought though, the whole idea appears completely unworkable.
>> It means that you will not be able to compile your own kernel or
>> drivers unless you have access to a signing key. As building your own
>
> You don't need the signing key if you turn off secure boot in the CMOS.
> The fedora folk are worried that naive desktop users will not be able to
> do that, and usage of linux will be impeded. It won't be a significant
> impediment to users capable of compiling their own kernel.
>
>> is pretty fundamental to the FreeBSD project, the logical consequence is
>> that FreeBSD source should come with a signing key for anyone to use.
>>
>> Which completely abrogates the whole point of signing
>> bootloaders/kernels in the first place: anyone wishing to create malware
>> would be able to sign whatever they want using such a key. It's
>> DRM-level stupidity all over again.
>
> I do wonder about that. What incentive does the possesor of a signing
> key have to keep it secret? Apple keeps it's signing key secret because
> it gets a share of revenue from the sale of apps. If the fedora key
> became known it wouldn't hurt fedora. Can the UEFI BIOS consult a list
> of revoked keys online? That would be surprising.
>
> dan feenberg
Key revoked in the BIOS' next version, which will ship by default on
newer hardware.
No need for checking online.
More information about the freebsd-questions
mailing list