From owner-freebsd-questions@FreeBSD.ORG Mon Jul 8 23:28:29 2013
From: "Teske, Devin" <Devin.Teske@fisglobal.com>
To: Sergio de Almeida Lenzi
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: UEFI Secure Boot
Date: Mon, 8 Jul 2013 23:28:26 +0000
Message-ID: <13CA24D6AB415D428143D44749F57D7201FB74C7@ltcfiswmsgmb21>
In-Reply-To: <1373322278.15315.38.camel@lenovo.lenzicasa>
List-Id: User questions
Reply-To: Devin Teske

On Jul 8, 2013, at 3:24 PM, Sergio de Almeida Lenzi wrote:

[snip]
>
> So the question:
> Why or when will I need a secure UEFI boot???
>

From what I've read of UEFI Secure boot, I've parceled it out into these nuggets: (correct any nuggets I got wrong)

1. UEFI Secure boot is actually UEFI + Secure boot. You can disable Secure boot and still have UEFI.

2. Windows 8 requires UEFI Secure boot to ... boot.

3. Any OS can work with UEFI Secure boot... you just have to sign your drivers (which puts a burden on development, testing, etc.)

4. FreeBSD today can work on a machine if you disable UEFI (implied disabling of Secure boot sub-feature)

5. FreeBSD could eventually support UEFI.

6. Don't know if we want to support secure-boot... but I think we should. It's really up to how the end-user wants FreeBSD to function. If they want FreeBSD to reject module-loads for custom-compiled modules, secure boot seems to be a way to go. But for me at least, I won't be enabling it (even if we support it). However, I know customers that might think it's a great idea (think financial institutions running FreeBSD on bare metal both as workstations and servers).

Now, I must admit, when the conversation of UEFI and Secure boot starts turning toward involving M$, I get confused.

To my understanding, it's a methodology to allow a customer to secure his/her box against root-kit. The OS does this by communicating with the UEFI framework the keys of modules to load. That's between the BIOS and the OS (whatever OS you may be running).
-- 
Devin

P.S. Again, correct me if I'm wrong on anything -- I'm still wrapping my head around this stuff too.

_____________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
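An added example, not part of the mail above and not code from FreeBSD or any UEFI firmware, modelling the decision Secure Boot firmware actually makes: before executing an EFI image (the boot loader, an option ROM), it checks the image against two authenticated variables, `db` (allowed signer certificates or whole-image SHA-256 hashes) and `dbx` (revoked hashes or certificates), with `dbx` consulted first so a revoked image loses even if it carries a valid signature. Whether the OS then enforces signatures on its own kernel modules, as nugget 6 discusses, is an OS-side policy layered on top of that firmware check. Real firmware verifies an Authenticode (PKCS#7) signature over the PE image; the textbook-RSA routine, the `vendor-ca` key id, and all image bytes and variable contents here are constructed stand-ins so the file runs offline.

```python
"""Model of the UEFI Secure Boot db/dbx image-acceptance decision.

Added example; not code from the mail, from FreeBSD, or from any firmware.
A toy textbook-RSA signature over a truncated SHA-256 stands in for the
Authenticode check real firmware performs. Keys and images are constructed.
"""
import hashlib
from typing import Dict, Optional, Set, Tuple

# ---- toy RSA stand-in for the signature check (ASSUMPTION, not real crypto)
_P, _Q, PUB_E = 1000000007, 998244353, 65537
MOD_N = _P * _Q
_PRIV_D = pow(PUB_E, -1, (_P - 1) * (_Q - 1))   # Python 3.8+ modular inverse
SIGN_BYTES = 7   # 56-bit truncated digest fits under the ~60-bit toy modulus


def _digest_int(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest()[:SIGN_BYTES], "big")


def toy_sign(image: bytes, d: int = _PRIV_D, n: int = MOD_N) -> int:
    """What the vendor's signing step produces for an image."""
    return pow(_digest_int(image), d, n)


def toy_verify(image: bytes, sig: int, n: int, e: int) -> bool:
    return pow(sig, e, n) == _digest_int(image)


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


class SigDb:
    """One signature database: hash entries plus signer-key entries."""
    def __init__(self) -> None:
        self.hashes: Set[str] = set()
        self.keys: Dict[str, Tuple[int, int]] = {}   # key id -> (n, e)


def secure_boot_decision(image: bytes, signer_kid: Optional[str],
                         sig: Optional[int], db: SigDb, dbx: SigDb,
                         secure_boot_enabled: bool = True) -> Tuple[bool, str]:
    """Return (accept?, reason) for loading one EFI image.

    dbx is checked before db, so revocation wins over any allow entry.
    """
    if not secure_boot_enabled:
        # UEFI with Secure Boot off: the firmware loads whatever it is pointed at.
        return True, "secure boot disabled, no verification performed"
    h = sha256_hex(image)
    if h in dbx.hashes:
        return False, "image hash is in dbx (revoked)"
    if signer_kid is not None and signer_kid in dbx.keys:
        return False, "signer key is in dbx (revoked)"
    if h in db.hashes:
        return True, "image hash is in db"
    if signer_kid is not None and sig is not None and signer_kid in db.keys:
        n, e = db.keys[signer_kid]
        if toy_verify(image, sig, n, e):
            return True, "signature verifies against a db key"
        return False, "signature does not verify (tampered image or wrong key)"
    return False, "no db entry covers this image"


def demo() -> Dict[str, bool]:
    """Constructed scenario: one trusted signer, one allowlisted hash, one revocation."""
    db, dbx = SigDb(), SigDb()
    db.keys["vendor-ca"] = (MOD_N, PUB_E)      # platform trusts this signer

    loader = b"EFI loader built by the vendor"
    loader_sig = toy_sign(loader)

    custom_mod = b"locally built image, unsigned"
    db.hashes.add(sha256_hex(custom_mod))      # admin allowlisted its hash

    revoked = b"old loader with a known bypass"
    revoked_sig = toy_sign(revoked)            # signature is still valid...
    dbx.hashes.add(sha256_hex(revoked))        # ...but the hash was revoked

    tampered = loader + b"\x90"                # one byte changed after signing

    results = {
        "signed_by_db_key": secure_boot_decision(loader, "vendor-ca", loader_sig, db, dbx)[0],
        "hash_in_db_unsigned": secure_boot_decision(custom_mod, None, None, db, dbx)[0],
        "revoked_despite_valid_sig": secure_boot_decision(revoked, "vendor-ca", revoked_sig, db, dbx)[0],
        "tampered_image": secure_boot_decision(tampered, "vendor-ca", loader_sig, db, dbx)[0],
        "unknown_signer": secure_boot_decision(loader, "other-ca", loader_sig, db, dbx)[0],
        "secure_boot_off": secure_boot_decision(tampered, None, None, db, dbx, False)[0],
    }
    for name, ok in results.items():
        print(f"{name:28s} {'ACCEPT' if ok else 'REJECT'}")
    return results


if __name__ == "__main__":
    demo()
```

The ordering in `secure_boot_decision` is the point to take away: an image allowlisted by hash or signed by a trusted key is still rejected once its hash or signer lands in `dbx`, and with Secure Boot switched off the whole check is skipped while UEFI itself keeps working, which is the distinction nugget 1 draws.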