Is this something we (as consumers of FreeBSD) need to be aware of?

Julian H. Stacey jhs at
Thu Jun 14 15:32:22 UTC 2012

> From:		"C. P. Ghost" <cpghost at> 
> Date:		Thu, 14 Jun 2012 09:51:46 +0200 
> Message-id:	<CADGWnjW2LnrtOiXFzWFk9btMaeJhmOTxdZ7ScymY=qGME_cBgg at> 

"C. P. Ghost" wrote:
> On Tue, Jun 5, 2012 at 8:19 PM, Kurt Buff <kurt.buff at> wrote:
> > UEFI considerations drive Fedora to pay MSFT to sign their kernel binaries
> >
> >
> > This would seem to make compiling from source difficult.
> >
> > Kurt
> I'm not sure I understand the issue, but this is my take on it
> so far:
> 1. What's preventing the makers of boot loaders like GRUB (which can
> also boot FreeBSD) from getting a certificate ONCE? And if they have
> one, what's preventing them from loading ANY kernel at all?

If you read Fedora's page they were planning to tighten their boot
sequence to then only boot their approved binary kernels.

Not that others ( eg us) would have to, presumably we could leave it wide open
	(aside of terms of purchase see discussion earlier in thread),
	(aside of risk of key revocation on some hardware manufacturers)

Risk of key revocation later 
	If hardware manufacturer ships new bios or uefi, or user
	upgrades to new UEFI (eg I as a user must upgrade a uefi
	soon as a laptop overheats).  + if MS get away with this
	intrusion, next they'll consider requiring a "Call Home"
	demon (that could also run on *UX, I guess they'd be pleased
	to provide source free of charge for that next stage
	entrapment ! ;-) that all PC users must run periodicaly,
	to update UEFI table with new revised list of authorised keys.

> It is only
> the first stage boot loader that needs to be signed, or not?
Far as I've read, yes.

I wasn't sure about AMD so I looked here:
		ONLY_FOR_ARCHS=         i386		(Re Grub 2)
		The current release is working on Intel/AMD PCs,
		OpenFirmware-based PowerPC machines (PowerMac and Pegasos),
		EFI-based PC (IntelMac) and coreboot (formerly, LinuxBIOS),
		and is being ported to UltraSparc.
> 2. What's preventing anyone of us in the EU from stepping up
> efforts with the EU Commission and the EU Parliament to stop
> Microsoft from monopolizing the ARM (and later x86) platforms,
> i.e. by becoming the only gatekeepers? After all, EU sovereign
> states and their economies can't depend on a US corporation
> having a global kill switch to their whole infrastructure. We're not
> just talking about Windows dominance here, but a lot more:
> dominance on the whole hardware segment. I'm pretty sure this
> scheme is highly anti-competitive, and I guess it runs afoul of a lot
> of already existing EU regulations.

I think we will need to contact the EU, hence assembling URLs first:

Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich
 Reply below not above, cumulative like a play script, & indent with "> ".
 Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
	Mail from @yahoo dumped @berklix.

More information about the freebsd-questions mailing list