Once, long ago--actually, on Sat, Jul 07, 2012 at 03:21:09PM +0200--Reindl
Harald ([email protected]) said:
> the whole "secure boot" idea is crap
Hmm...no, it's not. It's crap *as implemented*.
Want a not-crap implementation?
o Firmware ships with a non-MS form of UEFI.
o You install your OS-of-choice; at this point in time, you know it's
clean & safe.
o Run a utility to generate a key that gets installed in the UEFI
firmware. Preferably, this utility would know or be told what
components in the OS, drivers, etc. should be considered when
generating the key.
o Disable the UEFI update. Ideally, this would be an actual hardware
switch--something that CAN'T be suborned in software or firmware.
o Whenever you update your OS, drivers, or other components that are
considered by the UEFI boot, turn off the switch and re-run the keygen
utility.
From this point on, you're running "blessed" software, so Bad Guys(TM) will
be stopped as for the current UEFI. But the entire dance is in *your*
control, not any vendor.
But, of course, MS couldn't tolerate this.
--
Dave Ihnat
[email protected]
--
users mailing list
[email protected]
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
