Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-dev
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-dev@g.o
From: Rich Freeman <rich0@g.o>
Subject: Re: UEFI secure boot and Gentoo
Date: Fri, 15 Jun 2012 08:45:57 -0400
On Fri, Jun 15, 2012 at 8:22 AM, Luca Barbato <lu_zero@g.o> wrote:
> If we want to try to get serious on 5, we could try to gather the
> hardened/security people across distributions and setup the whole chain
> to be parallel and cut deals with OEM to store this trust-chain keys
> along with MS.

Perhaps.  Since we're only talking about the kernel really and that
doesn't vary as much across distros, we might even be able to get
momentum for it.

You could create a standard "secure kernel" - probably as a patch set
initially but perhaps merged into mainline with a config option that
turns on key verification for loading modules.  Anybody could use that
to secure their own systems by using their own key in the
configuration.  The central body could prepare and sign binaries for
individual distros.  A distro would supply a kernel config file and
patch set and identifier for the upstream kernel to build against.
The central body would audit the patches and config for security,
build the kernel, and sign it, assessing a fee perhaps (likely cheap
for config-only, and expensive for extensive patches).  The costs need
not be all that high - if you assume that vanilla linux with the
config option turned on is good enough then you only have to check
that the option is set, blacklist "bad" settings, and verify patches.
They could revoke certs when security issues are found, by keeping a
history of what configs/versions got signed.

Users could load the signing key of this body into their custom
settings, or OEMs could be persuaded to include it.  The latter would
never be 100% effective unless a court ordered it.

Rich


References:
UEFI secure boot and Gentoo
-- Greg KH
Re: UEFI secure boot and Gentoo
-- Rich Freeman
Re: UEFI secure boot and Gentoo
-- Luca Barbato
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: UEFI secure boot and Gentoo
Next by thread:
Re: UEFI secure boot and Gentoo
Previous by date:
Re: ebuild laziness and binpkg overhead
Next by date:
Re: UEFI secure boot and Gentoo


Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.