UEFI Secure Boot Specs - And some sanity

Kurt Buff kurt.buff at gmail.com
Wed Jun 6 23:39:31 UTC 2012

Thank you for this.

I didn't realize that a simple (somewhat technical) question asked in
all innocence would generate so much flammage.


On Wed, Jun 6, 2012 at 1:13 PM, grarpamp <grarpamp at gmail.com> wrote:
> Isn't there a lot of needless handwaving going on when the spec is
> pretty clear that installing your own complete PKI tree will all
> boil down to what is effectively a jumper on the motherboard?
> First, some sanity...
> Users could fully utilize the UEFI Secure Boot hardware by say:
> - Using openssl to generate their keys
> - Jumper the board, burn it into the BIOS in UEFI SB SetupMode
> - Have all the MBR, slice, partition, installkernel, etc tools
> install and manage the signed disk/loader/kernel/module bits
> - Have the BIOS check sigs on whatever first comes off the media
> I don't see that the user will actually NOT be able to do this on
> anything but 'designed for windows only' ARM systems. Seeing how
> open Android/Linux is firmly in that space, this will just devalue
> the non open windows product.
> There have been 25 years of generic mass produced motherboards.
> And 25 years of open source OS commits to utilize them.
> That is not changing anytime soon. Non generic attempts fail.
> Even corporate kings Dell and HP know they would be foolish to sell
> motherboards that will not allow their buyers to swap out the PK
> keys... because they know their buyers run more than just windows
> and that they need various security models.
> And if they really were that dumb, there's Gigabyte, Asus, Msi,
> Supermicro, Biostar, etc who will not be so dumb and will soak up
> all the remaining sales gravy.
> The masses have seen and now want openness, open systems, sharing.
> The old models are but speed bumps on their own way out the door.
> Though it seems a non issue to me, if you want to protest, protest
> for 'Setup Mode'. And not here on this list, but to the hardware
> makers.
> We should want to use this PKI in our systems. Not disable it. Not
> pay $100 to terminate the PKI chain early. Not pay $100 to lock us
> into unmodifiable releases (aka: BSD corporate version).
> I look forward to seeing the UEFI SB PK SetupMode AMD and Intel
> generic motherboard list :)
> On to facts...
> http://www.uefi.org/
>  Spec Chapter 27 Secure Boot, SetupMode, PK, Shell, etc
> https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
> https://en.wikipedia.org/wiki/Unified_EFI_Forum
> http://ozlabs.org/docs/uefi-secure-boot-impact-on-linux.pdf
> https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot
> http://mjg59.dreamwidth.org/12368.html
> http://mjg59.livejournal.com/
> https://www.tianocore.org/
> http://www.avrfreaks.net/index.php?name=PNphpBB2&file=viewtopic&p=962584
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list