Is this something we (as consumers of FreeBSD) need to be aware of?

Damien Fleuriot ml at
Wed Jun 6 12:28:59 UTC 2012

On 6/6/12 1:19 PM, Daniel Feenberg wrote:
> On Wed, 6 Jun 2012, Matthew Seaman wrote:
>> On 05/06/2012 23:10, Jerry wrote:
>>> I thought this URL <> also shown
>>> above, answered that question.
>> Signing bootloaders and kernels etc. seems superficially like a good
>> idea to me.  However, instant reaction is that this is definitely *not*
>> something that Microsoft should be in charge of.  Some neutral[*] body
> ...
>> On deeper thought though, the whole idea appears completely unworkable.
>> It means that you will not be able to compile your own kernel or
>> drivers unless you have access to a signing key.  As building your own
> You don't need the signing key if you turn off secure boot in the CMOS.
> The fedora folk are worried that naive desktop users will not be able to
> do that, and usage of linux will be impeded. It won't be a significant
> impediment to users capable of compiling their own kernel.
>> is pretty fundamental to the FreeBSD project, the logical consequence is
>> that FreeBSD source should come with a signing key for anyone to use.
>> Which completely abrogates the whole point of signing
>> bootloaders/kernels in the first place: anyone wishing to create malware
>> would be able to sign whatever they want using such a key.  It's
>> DRM-level stupidity all over again.
> I do wonder about that. What incentive does the possesor of a signing
> key have to keep it secret? Apple keeps it's signing key secret because
> it gets a share of revenue from the sale of apps. If the fedora key
> became known it wouldn't hurt fedora. Can the UEFI BIOS consult a list
> of revoked keys online? That would be surprising.
> dan feenberg

Key revoked in the BIOS' next version, which will ship by default on
newer hardware.

No need for checking online.

More information about the freebsd-questions mailing list