Is this something we (as consumers of FreeBSD) need to be aware of?

Robert Bonomi bonomi at
Wed Jun 6 16:17:14 UTC 2012

RW <rwmaillists at> wrote:
> On Wed, 6 Jun 2012 07:36:24 -0400 > Jerry wrote:
> > In any event, it won't belong before some hacker comes up with a way
> > to circumvent the entire process anyway,
> It sounds like Fedora already have. They say that they are only going to
> sign a thin shim that loads grub.

"not exactly."  *GRIN*

Fedora'a 'thin shim' will be signed, to keep an (always-, or other) enabled
'secure BIOS' loader happy.

Fedora will provide an option -- which will remain 'user-settable' (regardless
of whether the 'secure BIOS' signature is mandatory -- to either ENFORCE or
IGNORE a requirement for valid 'signatures' on the subsequently loaded pieces
of the O/S -- 2nd/3rd/etc-stage boot loaders, the kernel itself, any loadable
modules, etc.   And, Fedora will sign all _Fedora-supplied_ files that meet
that criteria.  Thus an end-user can run with 'secure boot' fully enabled,
with only signed files being loadable as part of the O/S -- using either
Fedora-supplied signed files, -or- files that they, themselves, have signed.
OR, with BIOS signing required (the 'thin shim' loader) but signing of
subsequent files -not- required, OR, (if the hardware manufacturer allows it)
with BIOS signing disabled.

More information about the freebsd-questions mailing list