Gentoo Archives: gentoo-dev

From: "Michał Górny" <mgorny@g.o>
To: gentoo-dev@l.g.o
Cc: lists@×××××××××××.net
Subject: Re: [gentoo-dev] Re: UEFI secure boot and Gentoo
Date: Sun, 17 Jun 2012 15:51:51
Message-Id: 20120617175104.055e62e8@pomiocik.lan
In Reply to: Re: [gentoo-dev] Re: UEFI secure boot and Gentoo by Florian Philipp

On Sun, 17 Jun 2012 11:20:38 +0200
Florian Philipp <lists@×××××××××××.net> wrote:

> On 16.06.2012 19:51, Michał Górny wrote:
> > On Fri, 15 Jun 2012 09:54:12 +0200
> > Florian Philipp <lists@×××××××××××.net> wrote:
> >
> >> On 15.06.2012 06:50, Duncan wrote:
> >>> Greg KH posted on Thu, 14 Jun 2012 21:28:10 -0700 as excerpted:
> >>>
> >>>> So, anyone been thinking about this? I have, and it's not
> >>>> pretty.
> >>>>
> >>>> Should I worry about this and how it affects Gentoo, or not worry
> >>>> about Gentoo right now and just focus on the other issues?
> >>>>
> >>>> Minor details like, "do we have a 'company' that can pay
> >>>> Microsoft to sign our bootloader?" is one aspect from the
> >>>> non-technical side that I've been wondering about.
> >>>
> >>> I've been following developments and wondering a bit about this
> >>> myself.
> >>>
> >>> I had concluded that at least for x86/amd64, where MS is mandating
> >>> a user controlled disable-signed-checking option, gentoo shouldn't
> >>> have a problem. Other than updating the handbook to accommodate
> >>> UEFI, presumably along with the grub2 stabilization, I believe
> >>> we're fine as if a user can't figure out how to disable that
> >>> option on their (x86/amd64) platform, they're hardly likely to be
> >>> a good match for gentoo in any case.
> >>>
> >>
> >> As a user, I'd still like to have the chance of using Secure Boot
> >> with Gentoo since it _really_ increases security. Even if it means
> >> I can no longer build my own kernel.
> >
> > It doesn't. It's just a very long wooden fence; you just didn't find
> > the hole yet.
> >
>
> Oh come on! That's FUD and you know it. If not, did you even look at
> the specs and working principle?

Could you answer the following questions:

1. How does it increase security?
2. What happens if, say, your bootloader is compromised?
3. What happens if the machine signing the blobs is compromised?

--
Best regards,
Michał Górny
