>> Isn't there a lot of needless handwaving going on when the spec is
>> pretty clear that installing your own complete PKI tree will all
>> boil down to what is effectively a jumper on the motherboard?
> Hoping a jumper might be under an easily unscrewable panel seems unlikely.

I did say "effectively". If people would actually read that chapter in the spec (minimally 27.5) they would find that they can:

- Load a new PK without asking if in default SetupMode.
- If not in SetupMode, chainload a new PK provided it is signed by the current PK.
- Clear the PK in a 'secure platform specific method'.

There's nothing that says PK SetupMode has to be a jumper. Entering the equivalent of good old pre-boot BIOS setup mode would work so long as the OS can't get to it without the request being signed by the current PK.

The point of Secure Boot is firmware checked protection against software access... not physical access protection.

The spec speaks liberally of 'platform owner' being able to do whatever they want. More handwaving about EULAs and branding aside, that means US.

I seriously think that people are blowing this topic way out of context, and seeing it everywhere is getting really old. People should instead be working on the facts and writing the various motherboard manufacturers to ask them what their expected PK update model will be, and to educate them if not. And to work at committing it to their OS. And yes, that includes Compal and Quanta and those sorts of OEM laptop/embedded makers.

I'll send $100 to the FreeBSD foundation if those retail board makers I listed don't give the option to install/replace the PK.

Nuff said.

ps: I don't really care what MS does with their own branded products in the embedded/small space. Plenty of millionaires out there now who are in tune with open source who could start up, buy the same ARM/ATOM/etc chips, the same support chips, load Android and sell it to the masses. Lots of overseas ODMs out there for them to pick from too. Phones, tablets, notebooks, laptops... it's all there. FreeBSD on your phone in 10 years.
_______________________________________________
freebsd-hardware@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hardware
To unsubscribe, send any mail to "freebsd-hardware-unsubscr...@freebsd.org"