On 09/09/2015 11:49 AM, Bill Paul wrote: [...] > Oh sure, no pressure. > > As you say, the closed source nature of most BIOSes makes complying with these > requirements nearly impossible for most organizations. The only exceptions I > can think of are big companies with connections to the IBVs (e.g. Intel, > Microsoft) or the government/military. Something tells me none of them will in > any rush to talk to you though. :)
Thanks. I think the answer is: 147's "golden master" -- and any firmware PKI trust validation with CRL/OSCP URLs (eg, UEFI Secure Boot)--- is only achievable with full source coreboot and U-Boot, which has the ability to locally build your firmware from full source (binary-only libs don't count), and then use tools to update the system's firmware. With UEFI, it is only achievable with fully-open source firmware, which isn't an option for most most enterprises, or with most ISAs (eg, Intel FSP blobs). ARM/AMD may be able to build with full-source firmware, maybe. Maybe Intel will start licensing FSP sources to F500 sysadmins to aid in defense?! :-) I just spend an hour searching online for a single enterprise whitepaper adopting UEFI and 147 lifecycle, and all I found was this 2013 article, still mostly vague concepts: http://www.sans.org/reading-room/whitepapers/basics/implementing-pc-hardware-configuration-bios-baseline-34370 If I missed anything else, please speak up. Thanks. _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel