On 10/23/2017 05:47 AM, Arnt Gulbrandsen wrote:
kato...@freaknet.org writes:
And what if you want to use your own unsigned bootloader? Why should
you ask someone else the permission to boot your own machine? o_O
Because I want deny people with physical access the ability to boot
unsigned bootloaders.
I think we can make a distinction here between owner controlled devices
[1] with a fully open source firmware that implements the code signing
mechanism that you desire and install such as grub's kernel signing
features vs one that is controlled by the vendor/OEM instead of you.
[1](ex: talos 2, kcma-d8/kgpe-d16)
I am both the owner of my hardware
No you aren't.
Intel ME + "Secure" boot non-owner controlled firmware code signing
enforcement (probably hardware enforced via boot guard, so one couldn't
even spend the thousands to have it removed via a coreboot platform port)
If you can't execute whatever you please on all the processors then it
isn't yours.
I imagine "secure" boot v3.0 will have MS no longer signing linux
bootloaders at all (unless you buy an expensive "business" PC).
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng