Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

Alan Cox alan at lxorguk.ukuu.org.uk
Sat Jun 2 20:43:41 UTC 2012


> > The firmware already has this.
> 
> Yes, now my mental cobwebs are getting cleaned out. I do recall reading  
> about this, a while ago.

Much of it is there for network booting (PXE etc) and in fact a fair bit
of it is there in the modern old style BIOS too.

> 
> > > Before it boots the OS.
> >
> > Fine UEFI is a powerful enough base to be capable of supporting this. I
> > don't know if anyone has implemented it, but you have a complete chain of
> > keys to verify the request.
> 
> Should be interesting to see how the great unwashed will accept waiting 2-3  
> minutes for their PC to boot, while their firmware is trying to grab CRLs  
> over the network.

I think firmware people are smarter than this. However there are a whole
array of issues with BIOS and other firmware management. For example all
those wireless cards that need firmware not in RPM format are completely
outside of RPM package management if the firmware is updated to fix a
security hole. In the USB case it's probably not a big deal but in the PCI
case a card with DMA and complex firmware could provide holes.

That's also going to be fun if anyone tries to lock down Fedora. There
are ways and means but it's pretty ugly trying to sign stuff you can't
ship but users need to make their box work.

> Should also be interesting to see what happens when you put it behind a  
> proxy that drops the packets on the floor.

I'm not a great fan of the quality of firmware code but give them some
credit 8).

Alan

