On 06/25/2012 11:08 PM, Jay Sulzberger wrote:
Is there a hardware switch or jumper that can be set so that no
modification of the firmware is possible? My question here is:
if I have gross physical possession of the hardware can I disable
firmware updates done just via code running on the x86/UEFI
chips?
There's no real guarantee that any particular machine will have any physical
switch, but that doesn't mean you can't just /not run/ the software that
does the updates.
Will the UEFI be able to send and receive information over a
local network, say via Ethernet? That is, without an old
fashioned "kernel" being booted. By "old fashioned" I mean
something like the Linux kernel, which, I think runs, usually, in
a "space" different from the space where UEFI code runs?
Some vendor's firmware could, in theory, do that. It's not part of the spec.
3. If booting a standard style of kernel is required to revoke,
at the command of Hardware Key Central, signing keys, then the
standard kernel must be capable of receiving and interpreting
such commands,
Well, the kernel wouldn't really be the responsible code here. Most
likely we'll make that a package update and use rpm %post scripts to
apply changes.
I will attempt to think about this.
I hope everything comes out okay.
I know that UEFI hardware is available.
Which hardware do you recommend, if I want to actually see the
UEFI and perhaps try it out?
I'm really, *really* not in the business of recommending hardware. There
are various sites on the internet that do that exclusively. One of them has
probably figured out that they should be thinking about UEFI by now.
--
Peter
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
