UEFI Secure Boot
noeldude at gmail.com
Tue Jul 9 00:36:36 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
On 7/8/2013 6:28 PM, Teske, Devin wrote:
> On Jul 8, 2013, at 3:24 PM, Sergio de Almeida Lenzi wrote:
>> So the question:
>> Why or when will I need an secure UEFI boot???
> From what I've read of UEFI Secure boot, I've parceled out into
> (correct any nuggets I got wrong)
> 1. UEFI Secure boot is actually UEFI + Secure boot. You can
disable Secure boot and still have UEFI.
> 2. Windows 8 requires UEFI Secure boot to ... boot.
Not entirely correct. Microsoft licensing requires UEFI Secure boot
for PCs sold with preinstalled Win8 and the "Windows 8" logo.
Win8 itself boots and runs fine on legacy hardware without UEFI
(and often outperforms XP or Win7 on the same hardware).
But the real-world end result is the vast majority of future
computers will be sold with UEFI secure boot enabled as the default.
> 3. Any OS can work with UEFI Secure boot... you just have to sign
your drivers (which puts a burden on development, testing, etc.)
> 4. FreeBSD today can work on a machine if you disable UEFI
(implied disabling of Secure boot sub-feature)
> 5. FreeBSD could eventually support UEFI.
> 6. Don't know if we want to support secure-boot... but I think we
should. It's really up to how the end-user wants FreeBSD to
function. If they want FreeBSD to reject module-loads for
custom-compiled modules, secure boot seems to be a way to go. But
for me at least, I won't be enabling it (even if we support it).
However, I know customers that might think it's a great idea (think
financial institutions running FreeBSD on bare metal both as
workstations and servers).
> Now, I must admit, when the conversation of UEFI and Secure boot
starts turning toward involving M$, I get confused.
> To my understanding, it's a methodology to allow a customer to
secure his/her box against root-kit. The OS does this by
communicating with the UEFI framework the keys of modules to load.
That's between the BIOS and the OS (whatever OS you may be running).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
More information about the freebsd-questions