Grub(2). This is signed by the Fedora keys. It checks the signature of
the kernel against the Fedora keys.
|
v
Kernel
No - this is insufficient. The kernel must also be locked down, check
every module, disallow iopl3() [ie some X features], disallow ioperm for
most ports, prevent any user even root from loading their own kernel
modules etc.
It's of course all a bit of a joke because it's then a simple matter of
using virtualisation to fake the "secure" environment and running the
"secure" OS in that 8)
No. I would assume the Fedora project pays the $99, and then distributes
the signed bootloader component, with the Fedora keys built in.
I don't believe that would be compliant with the Fedora Project
definitions of freedom.
Alan