> No - this is insufficient. The kernel must also be locked down, check
> every module, disallow iopl3() [ie some X features], disallow ioperm for
> most ports, prevent any user even root from loading their own kernel
> modules etc.

The kernel is locked down and will implement signed checks of modules. For the purpose of this example, I just neglected to show this as I was explaining why the MS signed first stage loader was needed.

> It's of course all a bit of a joke because it's then a simple matter of
> using virtualisation to fake the "secure" environment and running the
> "secure" OS in that 8)
>
>> No. I would assume the Fedora project pays the $99, and then distributes
>> the signed bootloader component, with the fedora keys built in.
>
> I don't believe that would be compliant with the Fedora Project
> definitions of freedom.

Fedora would still be Free. Users are not paying the $99. There would still be ways to "disable" this signature checking, as indicated in MJG's post if you want to have unsigned modules running on your system.

It's sadly the choice that must be made between "pushing for idealism" and "pushing for usability". I think in this case, usability has won out.

--
Sincerely,

William Brown

pgp.mit.edu
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2