On 15.06.2012 09:26, Michał Górny wrote:
> On Thu, 14 Jun 2012 21:56:04 -0700
> Greg KH <gregkh@g.o> wrote:
>
>> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote:
>>> On 15 June 2012 09:58, Greg KH <gregkh@g.o> wrote:
>>>> So, anyone been thinking about this? I have, and it's not pretty.
>>>>
>>>> Should I worry about this and how it affects Gentoo, or not worry
>>>> about Gentoo right now and just focus on the other issues?
>>>
>>> I think it at least makes sense to talk about it, and work out what
>>> we can and cannot do.
>>>
>>> I guess we're in an especially bad position since everybody builds
>>> their own bootloader. Is there /any/ viable solution that allows
>>> people to continue doing this short of distributing a first-stage
>>> bootloader blob?
>>
>> Distributing a first-stage bootloader blob, that is signed by
>> Microsoft, or someone, seems to be the only way to easily handle this.
>
> Maybe we could get one such blob for all distros/systems?
>

I guess nothing prevents you from re-distributing Fedora's blob.

> Also, does this signature system have any restrictions on what is
> signed and what is not? In other words, will they actually sign a blob
> saying 'work-around signatures' on the top?
>

They might sign it. I think it is just an automated process verified
with smartcards. The point is, they will also blacklist it as soon as
malware starts using it (or as soon as they are aware of the possibility).

It should also be noted that having a bootloader blob is not enough. You
have to do it like Fedora and sign the kernel and modules as well as
removing kernel features that could result in security breaches
(everything outlined in [1]). I don't see any reasonable way to do this
while allowing users to build their own kernel and third-party modules.

In the end, I think we'll need *-bin packages for everything running in
kernel-space.

[1] http://mjg59.dreamwidth.org/12368.html

Regards,
Florian Philipp