Thank you for this. I didn't realize that a simple (somewhat technical) question asked in all innocence would generate so much flammage.
Kurt

On Wed, Jun 6, 2012 at 1:13 PM, grarpamp <grarp...@gmail.com> wrote:
> Isn't there a lot of needless handwaving going on when the spec is
> pretty clear that installing your own complete PKI tree will all
> boil down to what is effectively a jumper on the motherboard?
>
>
> First, some sanity...
>
> Users could fully utilize the UEFI Secure Boot hardware by say:
>
> - Using openssl to generate their keys
> - Jumper the board, burn it into the BIOS in UEFI SB SetupMode
> - Have all the MBR, slice, partition, installkernel, etc tools
>   install and manage the signed disk/loader/kernel/module bits
> - Have the BIOS check sigs on whatever first comes off the media
>
> I don't see that the user will actually NOT be able to do this on
> anything but 'designed for windows only' ARM systems. Seeing how
> open Android/Linux is firmly in that space, this will just devalue
> the non open windows product.
>
> There have been 25 years of generic mass produced motherboards.
> And 25 years of open source OS commits to utilize them.
> That is not changing anytime soon. Non generic attempts fail.
>
> Even corporate kings Dell and HP know they would be foolish to sell
> motherboards that will not allow their buyers to swap out the PK
> keys... because they know their buyers run more than just windows
> and that they need various security models.
>
> And if they really were that dumb, there's Gigabyte, Asus, Msi,
> Supermicro, Biostar, etc who will not be so dumb and will soak up
> all the remaining sales gravy.
>
> The masses have seen and now want openness, open systems, sharing.
> The old models are but speed bumps on their own way out the door.
>
> Though it seems a non issue to me, if you want to protest, protest
> for 'Setup Mode'. And not here on this list, but to the hardware
> makers.
>
> We should want to use this PKI in our systems. Not disable it. Not
> pay $100 to terminate the PKI chain early. Not pay $100 to lock us
> into unmodifiable releases (aka: BSD corporate version).
>
> I look forward to seeing the UEFI SB PK SetupMode AMD and Intel
> generic motherboard list :)
>
>
> On to facts...
>
> http://www.uefi.org/
> Spec Chapter 27 Secure Boot, SetupMode, PK, Shell, etc
>
> https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
> https://en.wikipedia.org/wiki/Unified_EFI_Forum
> http://ozlabs.org/docs/uefi-secure-boot-impact-on-linux.pdf
> https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot
> http://mjg59.dreamwidth.org/12368.html
> http://mjg59.livejournal.com/
> https://www.tianocore.org/
> http://www.avrfreaks.net/index.php?name=PNphpBB2&file=viewtopic&p=962584
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"