On 06/02/2012 04:43 PM, Alan Cox wrote:
The firmware already has this.
Yes, now my mental cobwebs are getting cleaned out. I do recall reading
about this, a while ago.
Much of it is there for network booting (PXE etc) and in fact a fair bit
of it is there in the modern old style BIOS too.
Before it boots the OS.
Fine UEFI is a powerful enough base to be capable of supporting this. I
don't know if anyone has implemented it, but you have a complete chain of
keys to verify the request.
Should be interesting to see how the great unwashed will accept waiting 2-3
minutes for their PC to boot, while their firmware is trying to grab CRLs
over the network.
I think firmware people are smarter than this. However there are a whole
array of issues with BIOS and other firmware management. For example all
those wireless cards that need firmware not in RPM format are completely
outside of RPM package management if the firmware is updated to fix a
security hole. In the USB case its probably not a big deal but in the PCI
case a card with DMA and complex firmware could provide holes.
That's also going to be fun if anyone tries to lock down Fedora. There
are ways and means but it's pretty ugly trying to sign stuff you can't
ship but users need to make their box work.
Should also be interesting to see what happens when you put it behind a
proxy that drops the packets on the floor.
I'm not a great fan of the quality of firmware code but give then some
credit 8).
Alan
Mark's law of corporate governance:
Whatever they do, they will do it to you, not for you.
--
_
°v°
/(_)\
^ ^ Mark LaPierre
Registerd Linux user No #267004
www.counter.li.org
****
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
