Gentoo Archives: gentoo-dev

From: Matthew Thode <prometheanfire@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
Date: Fri, 15 Jun 2012 21:29:53
Message-Id: 4FDBA90B.5070502@gentoo.org
In Reply to: Re: [gentoo-dev] UEFI secure boot and Gentoo by Arun Raghavan
On 06/15/2012 12:24 AM, Arun Raghavan wrote:
> On 15 June 2012 10:26, Greg KH <gregkh@g.o> wrote: >> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote: >>> On 15 June 2012 09:58, Greg KH <gregkh@g.o> wrote: >>>> So, anyone been thinking about this? I have, and it's not pretty. >>>> >>>> Should I worry about this and how it affects Gentoo, or not worry about >>>> Gentoo right now and just focus on the other issues? >>> >>> I think it at least makes sense to talk about it, and work out what we >>> can and cannot do. >>> >>> I guess we're in an especially bad position since everybody builds >>> their own bootloader. Is there /any/ viable solution that allows >>> people to continue doing this short of distributing a first-stage >>> bootloader blob? >> >> Distributing a first-stage bootloader blob, that is signed by Microsoft, >> or someone, seems to be the only way to easily handle this. >> >> Although all BIOSes will have the option to turn secure boot off, I >> think it is something that we might not want to require for Gentoo to >> work properly on those machines. >> >> Also, some people might really want to sign their own bootloader and >> kernel, and kernel modules (myself included), so just getting that basic >> infrastructure in place is going to take some work, no matter who ends >> up signing the first-stage bootloader blob. > > I hadn't thought of that. I imagine the hardened team might be > interested in making such infrastructure easily available as well. > >> Oh, and on the first-stage bootloader front, I already know of 2 simple, >> and open source, examples that will work for Linux, so getting something >> like that signed might not be very tough. It's the "where does the >> chain-of-trust stop" question that gets tricky... > > For validating the chain of trust, it might be useful to make it > possible for anyone to generate the same bootloader and verify the > hashes themselves. For the truly paranoid maybe a signed stage3 + > portage snapshot to generate the bootloader image from scratch. > >>>> Minor details like, "do we have a 'company' that can pay Microsoft to >>>> sign our bootloader?" is one aspect from the non-technical side that I've >>>> been wondering about. >>> >>> Sounds like something the Gentoo Foundation could do. >> >> Can they do that? I haven't been paying attention to if we are really a >> legal entity still or not, sorry. > > I believe so, but quantumsummers is likely the best person to confirm. >
I've already taken a look at some of this, I think our best bet is to figure out how to use efi_stub and simply sign the kernel itself (since it can run directly from uefi now). -- -- Matthew Thode (prometheanfire)

Attachments

File name MIME type
signature.asc application/pgp-signature