On Wed, 6 Jun 2012, Matthew Seaman wrote:

On 05/06/2012 23:10, Jerry wrote:
I thought this URL <http://mjg59.dreamwidth.org/12368.html> also shown
above, answered that question.

Signing bootloaders and kernels etc. seems superficially like a good
idea to me.  However, instant reaction is that this is definitely *not*
something that Microsoft should be in charge of.  Some neutral[*] body
...
On deeper thought though, the whole idea appears completely unworkable.
It means that you will not be able to compile your own kernel or
drivers unless you have access to a signing key.  As building your own

You don't need the signing key if you turn off secure boot in the CMOS. The Fedora folk are worried that naive desktop users will not be able to do that, and usage of Linux will be impeded. It won't be a significant impediment to users capable of compiling their own kernel.

is pretty fundamental to the FreeBSD project, the logical consequence is
that FreeBSD source should come with a signing key for anyone to use.

Which completely abrogates the whole point of signing
bootloaders/kernels in the first place: anyone wishing to create malware
would be able to sign whatever they want using such a key.  It's
DRM-level stupidity all over again.

I do wonder about that. What incentive does the possessor of a signing key have to keep it secret? Apple keeps its signing key secret because it gets a share of revenue from the sale of apps. If the Fedora key became known it wouldn't hurt Fedora. Can the UEFI BIOS consult a list of revoked keys online? That would be surprising.

dan feenberg
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
