Gentoo Archives: gentoo-dev

From: Florian Philipp <lists@×××××××××××.net>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
Date: Fri, 15 Jun 2012 07:50:11
Message-Id: 4FDAE8ED.6080802@binarywings.net
In Reply to: Re: [gentoo-dev] UEFI secure boot and Gentoo by "Michał Górny"

On 15.06.2012 09:26, Michał Górny wrote:
> On Thu, 14 Jun 2012 21:56:04 -0700
> Greg KH <gregkh@g.o> wrote:
>
>> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote:
>>> On 15 June 2012 09:58, Greg KH <gregkh@g.o> wrote:
>>>> So, anyone been thinking about this? I have, and it's not pretty.
>>>>
>>>> Should I worry about this and how it affects Gentoo, or not worry
>>>> about Gentoo right now and just focus on the other issues?
>>>
>>> I think it at least makes sense to talk about it, and work out what
>>> we can and cannot do.
>>>
>>> I guess we're in an especially bad position since everybody builds
>>> their own bootloader. Is there /any/ viable solution that allows
>>> people to continue doing this short of distributing a first-stage
>>> bootloader blob?
>>
>> Distributing a first-stage bootloader blob, that is signed by
>> Microsoft, or someone, seems to be the only way to easily handle this.
>
> Maybe we could get one such blob for all distros/systems?
>

I guess nothing prevents you from re-distributing Fedora's blob.

> Also, does this signature system have any restrictions on what is
> signed and what is not? In other words, will they actually sign a blob
> saying 'work-around signatures' on the top?
>

They might sign it. I think it is just an automated process verified
with smartcards. The point is, they will also blacklist it as soon as
malware starts using it (or as soon as they are aware of the possibility).

It should also be noted that having a bootloader blob is not enough. You
have to do it like Fedora and sign the kernel and modules as well as
removing kernel features that could result in security breaches
(everything outlined in [1]). I don't see any reasonable way to do this
while allowing users to build their own kernel and third-party modules.

In the end, I think we'll need *-bin packages for everything running in
kernel-space.

[1] http://mjg59.dreamwidth.org/12368.html

Regards,
Florian Philipp

Replies

Subject Author
Re: [gentoo-dev] UEFI secure boot and Gentoo Richard Farina <sidhayn@×××××.com>
Re: [gentoo-dev] UEFI secure boot and Gentoo Greg KH <gregkh@g.o>