On Sat, 7 Jul 2012 09:34:21 -0500
Dave Ihnat <dihnat@xxxxxxxxxx> wrote:

> Once, long ago--actually, on Sat, Jul 07, 2012 at 03:21:09PM
> +0200--Reindl Harald (h.reindl@xxxxxxxxxxxxx) said:
> > the whole "secure boot" idea is crap
>
> Hmm...no, it's not. It's crap *as implemented*.
>
> Want a not-crap implementation?
>
>  o Firmware ships with a non-MS form of UEFI.

Windows 8 client certified hardware will allow you to remove the MS key.

>  o You install your OS-of-choice; at this point in time, you know
>    it's clean & safe.
>
>  o Run a utility to generate a key that gets installed in the UEFI
>    firmware. Preferably, this utility would know or be told what
>    components in the OS, drivers, etc. should be considered when
>    generating the key.

Fedora plans to make all the infrastructure to create and enroll your
own keys available and usable for end users. So, you can create your
own key, sign the bootloader and grub2 and kernel with it.

>
>  o Disable the UEFI update. Ideally, this would be an actual
>    hardware switch--something that CAN'T be suborned in software or
>    firmware.

No idea if this is possible.

>  o Whenever you update your OS, drivers, or other components that are
>    considered by the UEFI boot, turn off the switch and re-run the
>    keygen utility.
>
> From this point on, you're running "blessed" software, so Bad
> Guys(TM) will be stopped as for the current UEFI. But the entire
> dance is in *your* control, not any vendor.
>
> But, of course, MS couldn't tolerate this.

Sure they do. You should be able to do this with Fedora if the current
plans all work out as expected. Most users probably won't bother, but
the plan is to have all this available for those that do want to.

kevin
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org