UEFI Secure Boot

[Teske, Devin]

On Jul 8, 2013, at 3:24 PM, Sergio de Almeida Lenzi wrote:

[snip]

> 
> So the question:  
> Why  or when will I need an secure UEFI boot???
> 

>From what I've read of UEFI Secure boot, I've parceled out into these nuggets:

(correct any nuggets I got wrong)

1. UEFI Secure boot is actually UEFI + Secure boot. You can disable Secure boot and still have UEFI.

2. Windows 8 requires UEFI Secure boot to ... boot.

3. Any OS can work with UEFI Secure boot... you just have to sign your drivers (which puts a burden on development, testing, etc.)

4. FreeBSD today can work on a machine if you disable UEFI (implied disabling of Secure boot sub-feature)

5. FreeBSD could eventually support UEFI.

6. Don't know if we want to support secure-boot... but I think we should. It's really up to how the end-user wants FreeBSD to function. If they want FreeBSD to reject module-loads for custom-compiled modules, secure boot seems to be a way to go. But for me at least, I won't be enabling it (even if we support it). However, I know customers that might think it's a great idea (think financial institutions running FreeBSD on bare metal both as workstations and servers).

Now, I must admit, when the conversation of UEFI and Secure boot starts turning toward involving M$, I get confused.

To my understanding, it's a methodology to allow a customer to secure his/her box against root-kit. The OS does this by communicating with the UEFI framework the keys of modules to load. That's between the BIOS and the OS (whatever OS you may be running).
-- 
Devin

P.S. Again, correct me if I'm wrong on anything -- I'm still wrapping my head around this stuff too.

_____________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.