Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-dev
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-dev@g.o
From: Arun Raghavan <ford_prefect@g.o>
Subject: Re: UEFI secure boot and Gentoo
Date: Fri, 15 Jun 2012 10:54:11 +0530
On 15 June 2012 10:26, Greg KH <gregkh@g.o> wrote:
> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote:
>> On 15 June 2012 09:58, Greg KH <gregkh@g.o> wrote:
>> > So, anyone been thinking about this?  I have, and it's not pretty.
>> >
>> > Should I worry about this and how it affects Gentoo, or not worry about
>> > Gentoo right now and just focus on the other issues?
>>
>> I think it at least makes sense to talk about it, and work out what we
>> can and cannot do.
>>
>> I guess we're in an especially bad position since everybody builds
>> their own bootloader. Is there /any/ viable solution that allows
>> people to continue doing this short of distributing a first-stage
>> bootloader blob?
>
> Distributing a first-stage bootloader blob, that is signed by Microsoft,
> or someone, seems to be the only way to easily handle this.
>
> Although all BIOSes will have the option to turn secure boot off, I
> think it is something that we might not want to require for Gentoo to
> work properly on those machines.
>
> Also, some people might really want to sign their own bootloader and
> kernel, and kernel modules (myself included), so just getting that basic
> infrastructure in place is going to take some work, no matter who ends
> up signing the first-stage bootloader blob.

I hadn't thought of that. I imagine the hardened team might be
interested in making such infrastructure easily available as well.

> Oh, and on the first-stage bootloader front, I already know of 2 simple,
> and open source, examples that will work for Linux, so getting something
> like that signed might not be very tough.  It's the "where does the
> chain-of-trust stop" question that gets tricky...

For validating the chain of trust, it might be useful to make it
possible for anyone to generate the same bootloader and verify the
hashes themselves. For the truly paranoid maybe a signed stage3 +
portage snapshot to generate the bootloader image from scratch.

>> > Minor details like, "do we have a 'company' that can pay Microsoft to
>> > sign our bootloader?" is one aspect from the non-technical side that I've
>> > been wondering about.
>>
>> Sounds like something the Gentoo Foundation could do.
>
> Can they do that?  I haven't been paying attention to if we are really a
> legal entity still or not, sorry.

I believe so, but quantumsummers is likely the best person to confirm.

-- 
Arun Raghavan
http://arunraghavan.net/
(Ford_Prefect | Gentoo) & (arunsr | GNOME)


Replies:
Re: UEFI secure boot and Gentoo
-- Matthew Thode
References:
UEFI secure boot and Gentoo
-- Greg KH
Re: UEFI secure boot and Gentoo
-- Arun Raghavan
Re: UEFI secure boot and Gentoo
-- Greg KH
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: UEFI secure boot and Gentoo
Next by thread:
Re: UEFI secure boot and Gentoo
Previous by date:
Re: UEFI secure boot and Gentoo
Next by date:
Re: UEFI secure boot and Gentoo


Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.