Gentoo Archives: gentoo-dev

From: Greg KH <gregkh@g.o>
To: "Michał Górny" <mgorny@g.o>
Cc: gentoo-dev@l.g.o, gregkh@g.o, lists@×××××××××××.net
Subject: Re: [gentoo-dev] Re: UEFI secure boot and Gentoo
Date: Sun, 17 Jun 2012 17:58:06
Message-Id: 20120617175642.GB3721@kroah.com
In Reply to: Re: [gentoo-dev] Re: UEFI secure boot and Gentoo by "Michał Górny"
On Sun, Jun 17, 2012 at 07:06:16PM +0200, Michał Górny wrote:
> On Sun, 17 Jun 2012 09:55:35 -0700
> Greg KH <gregkh@g.o> wrote:
>
> > On Sun, Jun 17, 2012 at 05:51:04PM +0200, Michał Górny wrote:
> > > 2. What happens if, say, your bootloader is compromised?
> >
> > And how would this happen? Your bootloader would not run.
>
> Yes. I'm asking what happens next. Is there an easy way to replace it?

I do not know, you need to test this on a UEFI secure boot system to see
what happens.

> Or is your computer bricked until you run some other bootloader to
> replace the compromised one?

Probably.

> > > 3. What happens if the machine signing the blobs is compromised?
> >
> > So, who's watching the watchers, right? Come on, this is getting
> > looney.
>
> I'm just pointing out that this simply relies on trusting people. Much
> like not having those signatures.

Of course, this is life, and should not be anything "new" to you or
anyone else.

And before you get upset, do you trust the "people" who implemented the
firmware in your processor and I/O controllers? This argument is not
one that is worth discussing.

greg k-h