*countable infinities only

Peter Jones pjones at redhat.com
Tue Jun 12 18:09:45 UTC 2012

On 06/12/2012 01:11 PM, Gregory Maxwell wrote:
> On Tue, Jun 12, 2012 at 12:25 PM, Adam Williamson <awilliam at redhat.com> wrote:
>> You are, and that was being very un-excellent, so please refrain from it
>> in future.
> I'm left wondering where your concern about being excellent to each
> other has been hiding throughout this thread, and where it was when
> you made the "Your Majesty" comment to Jay Sulzberger moments after
> this post.
>> It is never a good idea to assume malice where you can't prove it.
> This sounds like a guilty conscience speaking to me. I never claimed
> any malice.  I apologize if my message sounded as though I were.
> Let me make this more clear:  People in this thread have been saying
> that instructions can't be created because the hardware is not
> available to the public yet.  However, the people working this stuff
> actually do have access to UEFI secureboot hardware. I presumed this
> was under NDA, because none of them were stepping up to say "no,
> actually I do have the hardware".

I have development hardware. I can't tell you from whom, or give you
much specific information about what they plan to ship, because it is
under NDA. I can tell you that the firmware UI changes radically with
every firmware revision in recent months. As recently as January the
interface on one vendor's firmware was this:

Clear PK (OSV Only): [ ]

(Hopefully nobody will ship anything like this...)

I keep on telling you this and you keep on not believing me.

> The idea that the firmware is complete enough to build and test the
> cryptographic lockdown but not complete enough to write
> instructions against simply didn't occur to me.   And with that
> thought in mind I think it's even more sad that the Fedora community
> isn't focusing primarily on making instructions _now_ while there may
> still be an opportunity to encourage making those yet unwritten
> interfaces easy and consistent.

Well, it's too bad that it didn't occur to you, but it is the case.
Test machines generally have come in setup mode (i.e. no keys) by default,
so we've mostly been developing using keys we've generated ourselves,
without using any UI whatsoever in the firmware.  On some versions the UI
I mentioned above didn't actually /work/, so we've used hardware flash
tools combined with non-production jumpers to start over.

Instructions based on the methodology I've been using so far aren't going
to do anybody a bit of good, because they're not necessarily even going
to be /possible/ on production hardware.

Call it sad if you like, but that's the reality of the situation.
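The self-generated keys Peter describes enrolling on setup-mode hardware end up in the PK, KEK and db variables as EFI_SIGNATURE_LIST structures. As an added example (not code from this thread or from any Fedora tool), the Python below builds the X.509 form of that structure and parses a dumped variable back into its entries; the certificate bytes and owner GUID are constructed placeholders.

```python
import struct
import uuid

# From the UEFI spec: signature type GUID for DER-encoded X.509 certificates
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian, 28 bytes total)
ESL_HEADER = struct.Struct("<16sIII")


def build_x509_esl(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST as written to PK/KEK/db."""
    sig_data = owner.bytes_le + der_cert          # one EFI_SIGNATURE_DATA entry
    sig_size = len(sig_data)
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le,
                             ESL_HEADER.size + sig_size,  # X.509 lists carry no header
                             0, sig_size)
    return header + sig_data


def parse_esl(blob: bytes):
    """Walk concatenated EFI_SIGNATURE_LISTs (e.g. a dumped db variable) and return
    (signature_type, owner, data) tuples; raises ValueError on malformed input."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize does not fit the variable")
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the SignatureOwner GUID")
        body = blob[off + ESL_HEADER.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            entries.append((uuid.UUID(bytes_le=sig_type),
                            uuid.UUID(bytes_le=entry[:16]),
                            entry[16:]))
        off += list_size
    return entries


if __name__ == "__main__":
    # Constructed placeholders: a fake DER blob and an arbitrary owner GUID
    fake_cert = b"\x30\x03\x02\x01\x01"
    owner = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
    esl = build_x509_esl(fake_cert, owner)
    print(len(esl), parse_esl(esl))
```

The same structure is produced by efitools' cert-to-efi-sig-list, so a parser like this is a quick way to check what an enrolled PK or db actually contains before signing the update for a production machine.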
