| 1 |
Am 15.06.2012 10:06, schrieb Richard Farina: |
| 2 |
> On 06/15/2012 03:49 AM, Florian Philipp wrote: |
| 3 |
>> Am 15.06.2012 09:26, schrieb Michał Górny: |
| 4 |
>>> On Thu, 14 Jun 2012 21:56:04 -0700 |
| 5 |
>>> Greg KH <gregkh@g.o> wrote: |
| 6 |
>>> |
| 7 |
>>>> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote: |
| 8 |
>>>>> On 15 June 2012 09:58, Greg KH <gregkh@g.o> wrote: |
| 9 |
>>>>>> So, anyone been thinking about this? I have, and it's not pretty. |
| 10 |
>>>>>> |
| 11 |
>>>>>> Should I worry about this and how it affects Gentoo, or not worry |
| 12 |
>>>>>> about Gentoo right now and just focus on the other issues? |
| 13 |
>>>>> |
| 14 |
>>>>> I think it at least makes sense to talk about it, and work out what |
| 15 |
>>>>> we can and cannot do. |
| 16 |
>>>>> |
| 17 |
>>>>> I guess we're in an especially bad position since everybody builds |
| 18 |
>>>>> their own bootloader. Is there /any/ viable solution that allows |
| 19 |
>>>>> people to continue doing this short of distributing a first-stage |
| 20 |
>>>>> bootloader blob? |
| 21 |
>>>> |
| 22 |
>>>> Distributing a first-stage bootloader blob, that is signed by |
| 23 |
>>>> Microsoft, or someone, seems to be the only way to easily handle this. |
| 24 |
>>> |
| 25 |
>>> Maybe we could get one such a blob for all distros/systems? |
| 26 |
>>> |
| 27 |
> |
| 28 |
>> I guess nothing prevents you from re-distributing Fedora's blob. |
| 29 |
> |
| 30 |
>>> Also, does this signature system have any restrictions on what is |
| 31 |
>>> signed and what is not? In other words, will they actually sign a blob |
| 32 |
>>> saying 'work-around signatures' on the top? |
| 33 |
>>> |
| 34 |
> |
| 35 |
>> They might sign it. I think it is just an automated process verified |
| 36 |
>> with smartcards. The point is, they will also blacklist it as soon as |
| 37 |
>> malware starts using it (or as soon as they are aware of the possibility). |
| 38 |
> |
| 39 |
>> It should also be noted that having a bootloader blob is not enough. You |
| 40 |
>> have to do it like Fedora and sign the kernel and modules as well as |
| 41 |
>> removing kernel features that could result in security breaches |
| 42 |
>> (everything outlined in [1]). I don't see any reasonable way to do this |
| 43 |
>> while allowing users to build their own kernel and third-party modules. |
| 44 |
> |
| 45 |
>> In the end, I think we'll need *-bin packages for everything running in |
| 46 |
>> kernel-space. |
| 47 |
> |
| 48 |
> Being all about choice I have to agree that as long as we have both bin |
| 49 |
> and normal kernels there is nothing wrong with that. However, dear god, |
| 50 |
> with how many kernels we have won't this get really expensive really |
| 51 |
> fast? Even just signing gentoo-sources and hardened-sources would cost |
| 52 |
> a fortune considering both change weekly if not daily. So that puts us |
| 53 |
> to signing just stable releases and damn users who want secure boot and |
| 54 |
> a recent kernel or need a custom patch? This all seems like a huge step |
| 55 |
> in the wrong direction to me, at the very least the amount of effort for |
| 56 |
> this is near insurmountable in my eyes. |
| 57 |
> |
| 58 |
> -Zero |
| 59 |
> |
| 60 |
> |
| 61 |
>> [1] http://mjg59.dreamwidth.org/12368.html |
| 62 |
> |
| 63 |
>> Regards, |
| 64 |
>> Florian Philipp |
| 65 |
> |
| 66 |
|
| 67 |
No, it won't be expensive. Please read the link in my message on how |
| 68 |
Fedora do it: |
| 69 |
|
| 70 |
1. You pay 99$ *once* as a registration fee. After that, you can sign as |
| 71 |
much as you want. |
| 72 |
|
| 73 |
2. In order to avoid the hassle of the actual authentication process for |
| 74 |
signing code, Fedora simply signs a stage-1 boot loader which then |
| 75 |
verifies all further stages against a custom Fedora key. This key also |
| 76 |
has to be secure but it means they can use their own, automated tool |
| 77 |
chain for signing kernel and grub builds. |
| 78 |
|
| 79 |
Regards, |
| 80 |
Florian Philipp |
Archives