List Archive: gentoo-dev
Headers:
To: gentoo-dev@g.o
From: Rich Freeman <rich0@g.o>
Subject: Re: UEFI secure boot and Gentoo
Date: Fri, 15 Jun 2012 08:33:44 -0400
On Fri, Jun 15, 2012 at 8:18 AM, Luca Barbato <lu_zero@g.o> wrote:
> On 06/15/2012 06:57 AM, Chí-Thanh Christopher Nguyễn wrote:
>> If you have influence on UEFI secure boot spec, you could suggest that
>> they mandate a UI which lists all boot images known to the EFI boot
>> manager, and the user can easily whitelist both individual loaders and
>> the keys used to sign them.
>>
>
> That would be a good compromise.
>

Agreed, though MS is likely to be sensitive about how this is done.
One of their requirements:
System.Fundamentals.Firmware.UEFISecureBoot / 14:
Mandatory. No in-line mechanism is provided whereby a user can bypass
Secure Boot failures and boot anyway. Signature verification override
during boot when Secure Boot is enabled is not allowed. A physically
present user override is not permitted for UEFI images that fail
signature verification during boot. If a user wants to boot an image
that does not pass signature verification, they must explicitly
disable Secure Boot on the target system.

Sounds like they want to make getting around signature issues a fairly
technical exercise.  This of course raises the barrier to loading
another OS, though to be fair the "Stuxnet wants to access your boot
sector - hit OK to allow or Cancel to not display the cute video your
friend sent you" options that are typical these days haven't really
been very effective in keeping out malware.

Rich




Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.
