On 04/01/13 02:54, David Hubbard wrote:
> I personally use Gentoo Linux which means my kernels are compiled right on my own box. Secure Boot will never work for that (specifically, getting each kernel signed for each user would never scale).
Enrol your own key. Sign your own kernel. Seems to scale linearly per user to me.
Security is not free. There will always be a cost.
Andrew
Hi Andrew,
On Fri, Jan 4, 2013 at 5:09 PM, Andrew Goodbody ajg4tadpole@gmail.com wrote:
> Enrol your own key. Sign your own kernel. Seems to scale linearly per user to me.
> Security is not free. There will always be a cost.
I am actually quite conflicted because I try to look out for the underdog in every fight. Right now that would be you (no offense intended). Please view my comments as directed at Microsoft and the standard they have pushed onto us. And thanks for debating.
"Security is not free"
I think the Linux kernel is a glaring hole in that argument. The Linux kernel is *free*, by many definitions. Oh, and it is the *right* way to implement security.
Secure Boot is neither libre nor gratis. For $99 you can have a closed DRM solution. All DRM solutions are fundamentally flawed because both lock *and* key must be present on the machine. The only thing DRM has consistently done is inconvenience the average person.
"Enrol (sic) your own key. Sign your own kernel."
For $99 I could get my kernel signed by Verisign. That does not scale. That was my point, thanks.
To attempt to convince all the OEMs to sign their UEFI drivers with my key would be impossible; furthermore, the UEFI spec only has *one* slot for signatures on OEM UEFI drivers.
The whole bring-your-own-key argument is a red herring as soon as a third-party driver is involved, because the driver must then be trusted without verifying its signature. You wouldn't accept that kind of security compromise, would you?
I know I won't. I'll ditch Secure Boot entirely and use coreboot.
Regards, David