Is this something we (as consumers of FreeBSD) need to be aware of?

Jerry jerry at
Wed Jun 6 10:24:52 UTC 2012

On Wed, 06 Jun 2012 10:38:41 +0100
Matthew Seaman articulated:

>On 06/06/2012 09:45, Bruce Cran wrote:
>> On 06/06/2012 08:32, Matthew Seaman wrote:
>>> On deeper thought though, the whole idea appears completely
>>> unworkable. It means that you will not be able to compile your own
>>> kernel or drivers unless you have access to a signing key.  As
>>> building your own is pretty fundamental to the FreeBSD project, the
>>> logical consequence is that FreeBSD source should come with a
>>> signing key for anyone to use.
>> It just means that anyone wishing to run their own kernels would
>> either need to disable secure boot, or purchase/create their own
>> certificate and install it.
>Indeed.  However disabling secure boot is apparently:
>   * too difficult for users of Fedora
>   * not possible on all platforms (arm based tablets especially)
>and purchasing your own certificate currently means paying $99 to
>Microsoft, or else getting a key from the hardware manufacturer (which
>I very much suspect will not be free either).

I think you are in error there, Matthew. From what I have read, the $99
goes to Verisign, not Microsoft. Further, once paid, you can sign as
many binaries as you want.

>While I would expect the typical FreeBSD user to be quite capable of
>disabling secure boot, I know that this is something that will result
>in reams of questions by new users, alarmist claims that "FreeBSD is
>not secure" and general glee amongst the "FreeBSD is dying" crowd.
>This is just another misconceived DRM scheme and suffers from all the
>same old flaws.

I don't feel this is misconceived at all. Again, from what I have read,
most non-Microsoft operating systems have been able to use UEFI Secure
Boot for nearly eight years; however, they have actively refused to do
so. However, now Microsoft has stepped up to the plate and is
actively taking advantage of the scheme. Actually, Microsoft has been
issuing warnings for ten years when a user would attempt to install
unsigned drivers. Now the FOSS community is getting its knickers in a
knot. They should have taken this into account a long time ago. In any
case, we are talking $99 total, not per user here for the
certificate. If that is going to cause a problem, I'll donate the $99.
In any case, the real problem appears to be how FreeBSD is going to
handle drivers which apparently will need to be signed since they work
at the kernel level. Apparently Fedora has a working solution for that
already.

Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

More information about the freebsd-questions mailing list