On Sat, 7 Jul 2012 09:34:21 -0500
Dave Ihnat <dihnat(a)dminet.com> wrote:
> Once, long ago--actually, on Sat, Jul 07, 2012 at 03:21:09PM
> +0200--Reindl Harald (h.reindl(a)thelounge.net) said:
> > the whole "secure boot" idea is crap
>
> Hmm...no, it's not. It's crap *as implemented*.
>
> Want a not-crap implementation?
>
> o Firmware ships with a non-MS form of UEFI.

Windows 8 client certified hardware will allow you to remove the MS
key.

> o You install your OS-of-choice; at this point in time, you know
> it's clean & safe.
>
> o Run a utility to generate a key that gets installed in the UEFI
> firmware. Preferably, this utility would know or be told what
> components in the OS, drivers, etc. should be considered when
> generating the key.

Fedora plans to make all the infrastructure to create and enroll your
own keys available and usable for end users.
So, you can create your own key, sign the bootloader and grub2 and
kernel with it.

> o Disable the UEFI update. Ideally, this would be an actual
> hardware switch--something that CAN'T be suborned in software or
> firmware.

No idea if this is possible.

> o Whenever you update your OS, drivers, or other components that
> are considered by the UEFI boot, turn off the switch and re-run the
> keygen utility.
>
> From this point on, you're running "blessed" software, so Bad
> Guys(TM) will be stopped as for the current UEFI. But the entire
> dance is in *your* control, not any vendor.
>
> But, of course, MS couldn't tolerate this.

Sure they do. You should be able to do this with Fedora if the current
plans all work out as expected. Most users probably won't bother, but
the plan is to have all this available for those that do want to.

kevin