Secure boot and PC-BSD - PC-BSD Forums

thnewguy · #1 07-27-2012, 12:12 AM

Over in the Linux community there has been a good deal of talk lately about the upcoming secure boot feature. Red Hat and Canonical have announced plans for dealing with the new technology and I'm curious if PC-BSD/FreeBSD/iXsystems have any plans for addressing secure boot?

I don't want to get into a discussion on whether the feature is good or bad, I'm just curious as to whether FreeBSD/PC-BSD will be supporting machines with secure boot enabled?

fluca1978 · #2 07-27-2012, 09:53 AM

Originally Posted by thnewguy

I don't want to get into a discussion on whether the feature is good or bad, I'm just curious as to whether FreeBSD/PC-BSD will be supporting machines with secure boot enabled?

As far as I understand there is nothing to do at the OS side except to be able to store a key for the loader, so that it will be enabled by UEFI ELAM component. So there not should be a lot of work for other OSs.
Anyway, I suspect this question is better suited for a freebsd forum.

kmoore134 · #3 07-27-2012, 01:35 PM

It's come up in several meetings here, so we are well aware of it.

Right now FreeBSD has a google summer of code project to create a EFI
boot-loader:

http://wiki.freebsd.org/SummerOfCode2012/IntelEFIBoot

Once that finishes stabilizing, then I'll be doing some work on the
installer portion to make it "just work" out of box.

As for the secure keys thing, that is a bigger deal, since potentially
it makes us unable to dual-boot with windows 8. The issue is that if we
make changes do our boot-loader, or compile it from source (as we do),
then we would have to re-sign it each time to make it bootable. This
means you have to have our signature loaded somewhere in your EFI bios,
which may be a pain to do. The alternative is to disable secure-boot,
but then Windows 8 may refuse to start

thnewguy · #4 07-27-2012, 03:42 PM

Thanks, Kris.
As I understand it, this means the big hurdle won't be supporting secure boot, but getting the proper public keys onto the user's machine. Either the user will have to manually enter the key (which may be a slightly different process on each model of PC) or they will have to have to disable secure boot and cross their fingers.

David30 · #5 07-27-2012, 05:42 PM

I have seen other posts online about this subject and there seems to be only one solution: complain to the European Commission about it. The EC won't allow Microsoft to abuse its monopoly power.

thnewguy · #6 07-27-2012, 08:32 PM

That might be a viable long term solution for people living in Europe, but it won't help the rest of the world. I think we need to see practical solutions for the immediate future. Urging OEMs to allow secure boot to be disabled is one step, implimenting secure boot for FreeBSD also seems like a good thing. After all, the secure boot concept in itself isn't bad as long as it can be turned off and new keys can be installed.

Nukama · #7 07-29-2012, 10:35 AM

Only buy new hardware that supports coreboot, and demand hardware with open firmware.

Vote with your money!

David30 · #8 07-29-2012, 11:32 AM

Originally Posted by thnewguy

That might be a viable long term solution for people living in Europe, but it won't help the rest of the world.

It's Microsoft who are urging for this "secure boot" and making it impossible to turn off the secure boot on ARM-based computers.

Based on Microsoft's track record of abusing its monopoly, the EC would show the rest of the world that changes can be made for the benefit of end users who don't want to get locked into Microsoft's products with no other choice.

Read more on the Wikipedia page - I've linked directly to the section about secure boot: click here

fluca1978 · #9 07-30-2012, 05:47 AM

http://www.fsf.org/campaigns/secure-...boot/statement

David30 · #10 08-16-2012, 07:46 PM

PC-BSD, Canonical, FreeBSD, Linux - and many other "big" names behind the free OS's could complain to the "right" people in different countries, starting with the European Commission, explaining the technical reasons why Microsoft's secure boot requirement would make it impossible for users to use other operating systems.

I find it disgusting that Microsoft makes so much money selling [bad words] and don't put nowhere near as much effort into making their OS secure and reliable, compared to PC-BSD. I know a lot of hard work and effort goes into making PC-BSD and FreeBSD, in order to provide users a free and reliable OS. I never take this for granted.

I would love to see the US, European and other governments stop Microsoft from making Windows-only computers and see Microsoft punished heavily for this monopolistic practise!