Watch out for weeds below. If you don't want to get into the weeds, stay out of this email On Fri, Oct 26, 2012 at 1:06 AM, JtWdyP <jtwdyp@ttlc.net> wrote:
It would appear that on Oct 24, Greg Freemyer did say:
The keys themselves are public, but you as the hardware owner will have to approve keys being added to public key database and therefore ensure you are only adding public keys for entities you trust.
"trust"??? OK if I'm supposed to add keys based on trust, how to subtract Microsoft??? {snicker}
Actually I'm wondering about this:
These public keys are effectively embedded in the kernel code somehow right?
No, the private key is used to sign the kernel. That is sort of like creating a zip file, but using a compression algorithm that is unique to the private key. The matching public key is used to verify the matching private key did the signing. The public key is often very public. There are PGP public key servers where you can get lots of people's public PGP keys. The issue with them is if the public key server says its my key, how do you really know its mine and not a bad guy pretending to me and putting his own public key on the public key server. That's where circles of trust come from. (I know John, and John assures me that it's Tom's public key he gave me.)
Or would it be possible for knowledgeable PC owner, to create his own "trust" key set.
Yes, anyone can create key pairs typically. What costs money is to get a certified key pair. So if I create my own key pair, I can tell the world I'm Bill Gates, but it I want to get a key pair from Verisign saying I'm Bill Gates, then I have to prove to them I really am Bill Gates before they issue the certified key pair. (My wife used to be a issuer of certified key pairs. She required a passport etc. be FedEx'ed to her before she would do it. Then FedEx back out the key pair and the passport.)
And then use it to "sign" an existing, older, formerly unsigned kernel.
I assume you can do that, but I don't know if DOS will even run a signed kernel. Remember the kernel typically has to be pulled out of the signed container. Don't know how you would do that with 2012 and before operating systems. Thus it may be that openSUSE 12.2 and older will never run with UEFI Secure Boot systems. (We are beyond my knowledge at this point.)
Then as PC Owner, add that key... {You see where I'm going with this right?}
If the SUSE secure boot module is opensource (like I assume it is) then I'm sure a version to do what you propose would be easy to make. Then put it on a boot CD and your set. If there is value, then solutions like this will be easy to find I'm sure.
And if so, is there any reason that technique couldn't be used to install and run something like dos? {I have a couple of antique games you see}
I'm just not sure how that would actually work. You'd be better off I suspect to run those in a VM.
-- JtWdyP
Greg -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org