> > The firmware already has this. > > Yes, now my mental cobwebs are getting cleaned out. I do recall reading > about this, a while ago. Much of it is there for network booting (PXE etc) and in fact a fair bit of it is there in the modern old style BIOS too. > > > > Before it boots the OS. > > > > Fine UEFI is a powerful enough base to be capable of supporting this. I > > don't know if anyone has implemented it, but you have a complete chain of > > keys to verify the request. > > Should be interesting to see how the great unwashed will accept waiting 2-3 > minutes for their PC to boot, while their firmware is trying to grab CRLs > over the network. I think firmware people are smarter than this. However there are a whole array of issues with BIOS and other firmware management. For example all those wireless cards that need firmware not in RPM format are completely outside of RPM package management if the firmware is updated to fix a security hole. In the USB case its probably not a big deal but in the PCI case a card with DMA and complex firmware could provide holes. That's also going to be fun if anyone tries to lock down Fedora. There are ways and means but it's pretty ugly trying to sign stuff you can't ship but users need to make their box work. > Should also be interesting to see what happens when you put it behind a > proxy that drops the packets on the floor. I'm not a great fan of the quality of firmware code but give then some credit 8). Alan -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
