UEFI Secure Boot Specs - And some sanity

C. P. Ghost cpghost at cordula.ws
Fri Jun 15 00:23:30 UTC 2012

On Sat, Jun 9, 2012 at 12:17 AM, grarpamp <grarpamp at gmail.com> wrote:
> I did say "effectively". If people would actually read that chapter
> in the spec (minimally 27.5) they would find that they can:
> - Load a new PK without asking if in default SetupMode
> - If not in SetupMode, chainload a new PK provided it is
> signed by the current PK.
> - Clear the PK in a 'secure platform specific method'.

Only if they fully follow the spec. This is rather unlikely.

Even today, there are still many broken DMI/SMBIOS
tables out there that contain barely enough stuff for
Windows to boot successfully. What makes you think
UEFI BIOS makers will go to all the trouble to implement
such a complex spec, if all they have to do is to ensure
compliance with MS requirements?

I wouldn't count on an option or switch to override this.

Technically, we may very well have to replace the BIOS,
or even the BIOS chip itself (that'll be fun if it is physically
mounted on the board!), and replace it with a chip flashed
with a free BIOS.

And by then, the corps who are responsible for this UEFI
mess will have made it illegal to
  1. tinker with your own hardware, as it would be DRM circumvention
  2. implement a free UEFI BIOS as it would violate some UEFI patents.

Basically, we may end up in a situation where running FreeBSD
on a modified motherboard could be outright illegal. Which is
exactly the point, isn't it?


Cordula's Web. http://www.cordula.ws/
