UEFI Secure Boot Specs - And some sanity

Anonymous Remailer (austria) mixmaster at remailer.privacy.at
Thu Jun 7 13:43:47 UTC 2012

> > Isn't there a lot of needless handwaving going on when the spec is
> > pretty clear that installing your own complete PKI tree will all
> > boil down to what is effectively a jumper on the motherboard?

No, considering 99.99% of of current Windows victims can't even install a
fresh copy of Windows.

> > Users could fully utilize the UEFI Secure Boot hardware by say:
> >
> > - Using openssl to generate their keys
> > - Jumper the board, burn it into the BIOS in UEFI SB SetupMode
> > - Have all the MBR, slice, partition, installkernel, etc tools
> > install and manage the signed disk/loader/kernel/module bits
> > - Have the BIOS check sigs on whatever first comes off the media

Yeah that's trivial for 99.99% of users. I have no idea what everyone is on
about.  I just program my own PROM and make my own motherboards.

Now back to reality, most people don't know how to use openssl. They don't
want to break the seal on their PC and void the warranty. They don't want to
play with jumpers. They don't know how to use Linux fdisk or BSD
disklabel. They can't set up their BIOS. They may not be the typical BSD or
Linux poweruser but they represent most users. And sadly even a significant
percentage of BSD and even a more significant percentage of Linux users
(thank you Ubuntu) aren't capable of doing these things.

> > And if they really were that dumb, there's Gigabyte, Asus, Msi,
> > Supermicro, Biostar, etc who will not be so dumb and will soak up
> > all the remaining sales gravy.

We're going to see if that happens but it won't. The WinTel Mafia controls
more than what you think and these vendors know they get many magnitudes
more money from selling Windows commodity shitboxes than they ever will from
all the BSD and Linux users multiplied together.

More information about the freebsd-questions mailing list