UEFI Secure Boot Specs - And some sanity
kurt.buff at gmail.com
Wed Jun 6 23:39:31 UTC 2012
Thank you for this.
I didn't realize that a simple (somewhat technical) question asked in
all innocence would generate so much flammage.
On Wed, Jun 6, 2012 at 1:13 PM, grarpamp <grarpamp at gmail.com> wrote:
> Isn't there a lot of needless handwaving going on when the spec is
> pretty clear that installing your own complete PKI tree will all
> boil down to what is effectively a jumper on the motherboard?
> First, some sanity...
> Users could fully utilize the UEFI Secure Boot hardware by say:
> - Using openssl to generate their keys
> - Jumper the board, burn it into the BIOS in UEFI SB SetupMode
> - Have all the MBR, slice, partition, installkernel, etc tools
> install and manage the signed disk/loader/kernel/module bits
> - Have the BIOS check sigs on whatever first comes off the media
> I don't see that the user will actually NOT be able to do this on
> anything but 'designed for windows only' ARM systems. Seeing how
> open Android/Linux is firmly in that space, this will just devalue
> the non open windows product.
> There have been 25 years of generic mass produced motherboards.
> And 25 years of open source OS commits to utilize them.
> That is not changing anytime soon. Non generic attempts fail.
> Even corporate kings Dell and HP know they would be foolish to sell
> motherboards that will not allow their buyers to swap out the PK
> keys... because they know their buyers run more than just windows
> and that they need various security models.
> And if they really were that dumb, there's Gigabyte, Asus, Msi,
> Supermicro, Biostar, etc who will not be so dumb and will soak up
> all the remaining sales gravy.
> The masses have seen and now want openness, open systems, sharing.
> The old models are but speed bumps on their own way out the door.
> Though it seems a non issue to me, if you want to protest, protest
> for 'Setup Mode'. And not here on this list, but to the hardware
> We should want to use this PKI in our systems. Not disable it. Not
> pay $100 to terminate the PKI chain early. Not pay $100 to lock us
> into unmodifiable releases (aka: BSD corporate version).
> I look forward to seeing the UEFI SB PK SetupMode AMD and Intel
> generic motherboard list :)
> On to facts...
> Spec Chapter 27 Secure Boot, SetupMode, PK, Shell, etc
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
More information about the freebsd-questions