Need more info: UEFI Secure Boot in Fedora

William Brown william at firstyear.id.au
Thu May 31 13:03:16 UTC 2012


> 
> No - this is insufficient. The kernel must also be locked down, check
> every module, disallow iopl3() [ie some X features], disallow ioperm for
> most ports, prevent any user even root from loading their own kernel
> modules etc.

The kernel is locked down and will implement signed checks of modules.
For the purpose of this example, I just neglected to show this as I was
explaining why the MS signed first stage loader was needed.

> 
> It's of course all a bit of a joke because it's then a simple matter of
> using virtualisation to fake the "secure" environment and running the
> "secure" OS in that 8)
> 
>> No. I would assume the Fedora project pays the $99, and then distributes
>> the signed bootloader component, with the fedora keys built in.
> 
> I don't believe that would be compliant with the Fedora Project
> definitions of freedom.

Fedora would still be Free. Users are not paying the $99. There would
still be ways to "disable" this signature checking, as indicated in
MJG's post if you want to have unsigned modules running on your system.
It's sadly the choice that must be made between "pushing for idealism"
and "pushing for usability". I think in this case, usability has won out.

-- 
Sincerely,

William Brown

pgp.mit.edu
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2
