*countable infinities only

Jay Sulzberger jays at panix.com
Tue Jun 26 03:51:02 UTC 2012

On Mon, 25 Jun 2012, Peter Jones <pjones at redhat.com> wrote:

> On 06/25/2012 11:08 PM, Jay Sulzberger wrote:
>> Is there a hardware switch or jumper that can be set so that no
>> modification of the firmware is possible?  My question here is:
>> if I have gross physical possession of the hardware can I disable
>> firmware updates done just via code running on the x86/UEFI
>> chips?
> There's no real guarantee that any particular machine will have any physical
> switch, but that doesn't mean you can't just /not run/ the software that
> does the updates.
>> Will the UEFI be able to send and receive information over a
>> local network, say via Ethernet?  That is, without an old
>> fashioned "kernel" being booted.  By "old fashioned" I mean
>> something like the Linux kernel, which, I think runs, usually, in
>> a "space" different from the space where UEFI code runs?
> Some vendor's firmware could, in theory, do that. It's not part of the spec.
>>>> 3. If booting a standard style of kernel is required to revoke,
>>>> at the command of Hardware Key Central, signing keys, then the
>>>> standard kernel must be capable of receiving and interpreting
>>>> such commands,
>>> Well, the kernel wouldn't really be the responsible code here.  Most
>>> likely we'll make that a package update and use rpm %post scripts to
>>> apply changes.
>> I will attempt to think about this.
> I hope everything comes out okay.


>> I know that UEFI hardware is available.
>> Which hardware do you recommend, if I want to actually see the
>> UEFI and perhaps try it out?
> I'm really, *really* not in the business of recommending hardware. There
> are various sites on the internet that do that exclusively. One of them has
> probably figured out that they should be thinking about UEFI by now.
> --
>        Peter

Peter and Matthew, thanks again, for your time and effort given to
explain things.


More information about the devel mailing list