On 6/6/12 1:19 PM, Daniel Feenberg wrote:
>
>
> On Wed, 6 Jun 2012, Matthew Seaman wrote:
>
>> On 05/06/2012 23:10, Jerry wrote:
>>> I thought this URL <http://mjg59.dreamwidth.org/12368.html> also shown
>>> above, answered that question.
>>
>> Signing bootloaders and kernels etc. seems superficially like a good
>> idea to me. However, instant reaction is that this is definitely *not*
>> something that Microsoft should be in charge of. Some neutral[*] body
> ...
>> On deeper thought though, the whole idea appears completely unworkable.
>> It means that you will not be able to compile your own kernel or
>> drivers unless you have access to a signing key. As building your own
>
> You don't need the signing key if you turn off secure boot in the CMOS.
> The Fedora folk are worried that naive desktop users will not be able to
> do that, and usage of Linux will be impeded. It won't be a significant
> impediment to users capable of compiling their own kernel.
>
>> is pretty fundamental to the FreeBSD project, the logical consequence is
>> that FreeBSD source should come with a signing key for anyone to use.
>>
>> Which completely abrogates the whole point of signing
>> bootloaders/kernels in the first place: anyone wishing to create malware
>> would be able to sign whatever they want using such a key. It's
>> DRM-level stupidity all over again.
>
> I do wonder about that. What incentive does the possessor of a signing
> key have to keep it secret? Apple keeps its signing key secret because
> it gets a share of revenue from the sale of apps. If the Fedora key
> became known it wouldn't hurt Fedora. Can the UEFI BIOS consult a list
> of revoked keys online? That would be surprising.
>
> dan feenberg

Key revoked in the BIOS' next version, which will ship by default on newer hardware. No need for checking online.