Trusted Boot in Fedora

Chris Adams cmadams at hiwaay.net
Sat Jun 25 16:52:18 UTC 2011


Once upon a time, Camilo Mesias <camilo at mesias.co.uk> said:
> In a sense, part of it isn't under user control. There is a secret in
> there, held against the user, and possibly known by the manufacturer
> or other third parties. There is also a black box of code that could
> do anything.

You already have that; it is called System Management Mode.

> I'm not really that paranoid but it is worth considering
> the worst case, just as a theoretical possibility. What if the device
> became standard by virtue of being bundled with every consumer
> device... what if it became crucial to system operation somehow...

Fedora supporting or not supporting it will have zero impact on that
outcome happening or not happening.

> Already there are systems that have whitelisted hardware (eg. wireless
> cards in netbooks) and the BIOS polices the presence of the right
> device. If you make unauthorised modifications to the BIOS, you can
> install any compatible wireless card (or WWAN device). BUT if the BIOS
> was signed and loaded by a trusted method, this option would not be
> available.

All of that is pre-kernel, so either can or cannot happen no matter what
Fedora does.  None of that has any bearing on the technical discussion
about whether Fedora should or should not include this functionality in
the installer.

I think there is some misunderstanding about what the discussion is
supposed to be about.  The supporting open source code is already in
Fedora.  The feature request is simply to modify grubby/anaconda to set
up the boot entries to include the support by default (or when the
hardware is found).
-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

