UEFI Secure Boot Specs - And some sanity

grarpamp grarpamp at gmail.com
Fri Jun 8 22:17:17 UTC 2012

>> Isn't there a lot of needless handwaving going on when the spec is
>> pretty clear that installing your own complete PKI tree will all
>> boil down to what is effectively a jumper on the motherboard?

> Hoping a jumper Might be under an easily unscrewable panel seems unlikely.

I did say "effectively". If people would actually read that chapter
in the spec (minimally 27.5) they would find that they can:
- Load a new PK without asking if in default SetupMode
- If not in SetupMode, chainload a new PK provided it is
signed by the current PK.
- Clear the PK in a 'secure platform specific method'.

There's nothing that says PK SetupMode has to be a
jumper. Entering the equivalent of good old pre-boot
BIOS setup mode would work so long as the OS can't
get to it without the request being signed by the current
PK. The point of Secure Boot is firmware checked protection
against software access... not physical access protection.

The spec speaks liberally of 'platform owner' being able
to do whatever they want. More handwaving about EULA's
and branding aside, that means US.

I seriously think that people are blowing this topic way out
of context, and seeing it everywhere is getting really old.

People should instead be working on the facts and
writing the various motherboard manufacturers to
ask them what their expected PK update model will be,
and to educate them if not. And to work at committing
it to their OS.

And yes, that includes Compal and Quanta and those
sorts of OEM laptop/embedded makers.

I'll send $100 to the FreeBSD foundation if those
retail board makers I listed don't give the option to
install/replace the PK. Nuff said.

ps: I don't really care what MS does with their own branded
products in the embedded/small space. Plenty of millionaires
out there now who are in tune with opensource who could startup,
buy the same ARM/ATOM/etc chips, the same support chips, load
Android and sell it to the masses. Lot's of overseas ODM's out there
for them to pick from too. Phones, tablets, notebooks, laptops...
it's all there. FreeBSD on your phone in 10 years.

More information about the freebsd-questions mailing list