| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On 06/15/2012 03:49 AM, Florian Philipp wrote: |
| 5 |
> Am 15.06.2012 09:26, schrieb Michał Górny: |
| 6 |
>> On Thu, 14 Jun 2012 21:56:04 -0700 |
| 7 |
>> Greg KH <gregkh@g.o> wrote: |
| 8 |
>> |
| 9 |
>>> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote: |
| 10 |
>>>> On 15 June 2012 09:58, Greg KH <gregkh@g.o> wrote: |
| 11 |
>>>>> So, anyone been thinking about this? I have, and it's not pretty. |
| 12 |
>>>>> |
| 13 |
>>>>> Should I worry about this and how it affects Gentoo, or not worry |
| 14 |
>>>>> about Gentoo right now and just focus on the other issues? |
| 15 |
>>>> |
| 16 |
>>>> I think it at least makes sense to talk about it, and work out what |
| 17 |
>>>> we can and cannot do. |
| 18 |
>>>> |
| 19 |
>>>> I guess we're in an especially bad position since everybody builds |
| 20 |
>>>> their own bootloader. Is there /any/ viable solution that allows |
| 21 |
>>>> people to continue doing this short of distributing a first-stage |
| 22 |
>>>> bootloader blob? |
| 23 |
>>> |
| 24 |
>>> Distributing a first-stage bootloader blob, that is signed by |
| 25 |
>>> Microsoft, or someone, seems to be the only way to easily handle this. |
| 26 |
>> |
| 27 |
>> Maybe we could get one such a blob for all distros/systems? |
| 28 |
>> |
| 29 |
> |
| 30 |
> I guess nothing prevents you from re-distributing Fedora's blob. |
| 31 |
> |
| 32 |
>> Also, does this signature system have any restrictions on what is |
| 33 |
>> signed and what is not? In other words, will they actually sign a blob |
| 34 |
>> saying 'work-around signatures' on the top? |
| 35 |
>> |
| 36 |
> |
| 37 |
> They might sign it. I think it is just an automated process verified |
| 38 |
> with smartcards. The point is, they will also blacklist it as soon as |
| 39 |
> malware starts using it (or as soon as they are aware of the possibility). |
| 40 |
> |
| 41 |
> It should also be noted that having a bootloader blob is not enough. You |
| 42 |
> have to do it like Fedora and sign the kernel and modules as well as |
| 43 |
> removing kernel features that could result in security breaches |
| 44 |
> (everything outlined in [1]). I don't see any reasonable way to do this |
| 45 |
> while allowing users to build their own kernel and third-party modules. |
| 46 |
> |
| 47 |
> In the end, I think we'll need *-bin packages for everything running in |
| 48 |
> kernel-space. |
| 49 |
|
| 50 |
Being all about choice I have to agree that as long as we have both bin |
| 51 |
and normal kernels there is nothing wrong with that. However, dear god, |
| 52 |
with how many kernels we have won't this get really expensive really |
| 53 |
fast? Even just signing gentoo-sources and hardened-sources would cost |
| 54 |
a fortune considering both change weekly if not daily. So that puts us |
| 55 |
to signing just stable releases and damn users who want secure boot and |
| 56 |
a recent kernel or need a custom patch? This all seems like a huge step |
| 57 |
in the wrong direction to me, at the very least the amount of effort for |
| 58 |
this is near insurmountable in my eyes. |
| 59 |
|
| 60 |
- -Zero |
| 61 |
|
| 62 |
> |
| 63 |
> [1] http://mjg59.dreamwidth.org/12368.html |
| 64 |
> |
| 65 |
> Regards, |
| 66 |
> Florian Philipp |
| 67 |
> |
| 68 |
|
| 69 |
-----BEGIN PGP SIGNATURE----- |
| 70 |
Version: GnuPG v2.0.17 (GNU/Linux) |
| 71 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
| 72 |
|
| 73 |
iQIcBAEBAgAGBQJP2u0hAAoJEKXdFCfdEflKtPMP/3qpZ5klkvOnOfMm3anccpEm |
| 74 |
Zlo8T28+VwEjqt8m0hq/fWNteu4PbvzagD/jFLXym/OEW3w0XDFC8HI/JzbRVicT |
| 75 |
GAiv3s1zHV0yX/MzIeuSqDG+KnXJhuGige52Nxy2dyC8Ryq0kwOX90rHu2wXU8Z/ |
| 76 |
RQPuJgxf2Z34qBVNsZKHcH7caxcCUhHK+JmYwIE+hd4Y7vw1YjM49PAxLIQnhRvN |
| 77 |
lEQJt8lhyHzOzI7eScbQEtWRlGBRL/mtIoEkJa3iQb84hO9yfgAmxW512kZ4u5ZJ |
| 78 |
x8NVXaBPx6KmwdCugrryYNKMVSAUCvt08f2mPGOS2tyF3eFVcfUL3ZAzaN0Fdl+q |
| 79 |
0nTgkq5LW0wwLB9woujuxrz949SL+g/JTH2clKZVQdwCX5w4Bt7KCeqKg6+eRhsB |
| 80 |
+9JoBZ9RYbmLQF5S+gjOuo/71Zds1IKtZIOcWp1jOdktph7udcCEvwJeQbAkK5jP |
| 81 |
rqT0jEhsTOy1RPIDBTXwLsV6/urKNCwit4nsoD+ZGHZ2GXL+OunheXJDFgfrGevD |
| 82 |
5ownuPxa6WwLLtCd7S+6SgkcC65jamycs44IjKhoQXtsZUYOj6uBhlVIQymLFVsU |
| 83 |
r/ZeiOAilxiSP9QwTtZAohsninXQwIGxPbhwTrGp765uzalQoWzoz/Bop3IXdMgU |
| 84 |
jvY5FSvLQ9Da7RKrxC5W |
| 85 |
=XcZB |
| 86 |
-----END PGP SIGNATURE----- |
Archives