Is this something we (as consumers of FreeBSD) need to be aware of?

Matthew Seaman matthew at
Wed Jun 6 07:32:14 UTC 2012

On 05/06/2012 23:10, Jerry wrote:
> I thought this URL <> also shown
> above, answered that question.

Signing bootloaders and kernels etc. seems superficially like a good
idea to me.  However, instant reaction is that this is definitely *not*
something that Microsoft should be in charge of.  Some neutral[*] body
without any commercial interests should do that job, and
bootloader/kernel signing should be freely available.

On deeper thought though, the whole idea appears completely unworkable.
 It means that you will not be able to compile your own kernel or
drivers unless you have access to a signing key.  As building your own
is pretty fundamental to the FreeBSD project, the logical consequence is
that FreeBSD source should come with a signing key for anyone to use.

Which completely abrogates the whole point of signing
bootloaders/kernels in the first place: anyone wishing to create malware
would be able to sign whatever they want using such a key.  It's
DRM-level stupidity all over again.

My conclusion: boycott products, manufacturers and/or OSes that
participate in this scheme.  FreeBSD alone won't make any real
difference to manufacturers, but I hope there is still enough of the
original spirit of freedom within the Linux camp, and perhaps from
Google/android to make an impact.

I'm pretty sure there can be a way of whitelisting bootloaders and so
forth to help prevent low-level malware, but this isn't it.



[*] I suggest ICANN might be the right sort of organization to fulfil
this role.

Dr Matthew J Seaman MA, D.Phil.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
Url :

More information about the freebsd-questions mailing list