Alan Cox writes:
> Yes, but for that, the firmware will either need support from the OS it > secure-boots, to go out on the network, check for revocations, and upload > them into firmware; or the firmware itself must implement a bare-bones > network stack, initialize the onboard NIC, obtain a DHCP address, or load a > static IP config, then check for CRLs. The firmware already has this.
Yes, now my mental cobwebs are getting cleaned out. I do recall reading about this, a while ago.
> Before it boots the OS. Fine UEFI is a powerful enough base to be capable of supporting this. I don't know if anyone has implemented it, but you have a complete chain of keys to verify the request.
Should be interesting to see how the great unwashed will accept waiting 2-3 minutes for their PC to boot, while their firmware is trying to grab CRLs over the network.
Should also be interesting to see what happens when you put it behind a proxy that drops the packets on the floor.
That's going to be a barrel of laughs: a runaway backhoe digs up a fiber cable a few thousand miles away, and all the PCs now, in the building, refuse to boot.
Attachment:
pgplC3ZZ5SBsL.pgp
Description: PGP signature
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
