On Fri, Jun 15, 2012 at 12:28 AM, Greg KH <firstname.lastname@example.org> wrote:
> Should I worry about this and how it affects Gentoo, or not worry about
> Gentoo right now and just focus on the other issues?
> Minor details like, "do we have a 'company' that can pay Microsoft to
> sign our bootloader?" is one aspect from the non-technical side that I've
> been wondering about.
So, there are 22 posts already, so I'm going to try to cover a bunch
of topics in one post. I've been thinking about this a fair bit.
1. Speaking as an individual trustee... The Gentoo Foundation
legally speaks for Gentoo, can sign contracts, and can write checks.
I don't really forsee any legal issues should we decide we want to
pursue any kinds of relationships with MS or other entities associated
with UEFI. Obviously any decision to actually pursue this would not
be taken lightly.
2. From what I've heard the cost of getting a key that would be
recognized by UEFI firmware is as low as a $99 one-time payment, and
we pay many times that for stuff like trademark registration,
corporate filing fees, not to mention hardware for infrastructure.
Cost is likely a non-issue.
3. Freedom IS a big issue - my sense is that getting support from the
powers that be for UEFI comes with a lot of strings. If we had a key
the easiest solution would be to just write a signed GRUB stage1 that
works exactly like the one we're all using, and it would load whatever
you want, linux or windows or Stuxnet or otherwise. Once Malware
writers start embedding our bootloader in their stuff I assume that
the people issuing the keys will have the ability to revoke it (at
least for new hardware).
4. Fedora is getting around #3 by making the whole thing a big
trusted infrastructure - signature chains for all the kernel-space
code. That meshes well with their whole /usr move initiative - you
just have this big blog of stuff that you trust and never touch, and
you can be sure you're running genuine RedHat goodness, just like all
those iPhone users out there. :)
5. If somebody (perhaps under the umbrella of hardened) wanted to
create a Gentoo project around a fully trusted Gentoo I'd be
completely supportive of that. It would take work. In the spirit of
Gentoo we should allow anybody to build their own signed with their
own key, and perhaps we might have an official Gentoo-certified one
that we would sign and the Foundation would obtain the necessary UEFI
keys. However, that should be viewed as more of a service, and not a
core offering - Gentoo will never depend on a piece of non-free
software or metadata (and I'd probably lump a signing key into that
category). The same tools (minus the private keys) used to generate
any secure offering made by Gentoo should be available for users to
use and sign their own systems.
6. At least on x86 users can either disable secure boot, or load
their own signing keys. We should try to support both. While the
full secure infrastructure of #5 will undoubtedly be a significant
effort we could at least have the handbook have a section on how to
sign your grub when building it and install it in a way that it can be
used to boot (installing the keys themselves might be
firmware-dependent, but to the extent that standards exist we can be
7. In general anybody who would be a happy Gentoo user should have no
issues with signing their own bootloader, or disabling secure boot.
8. I think the bigger issue is with ARM, and I'm not personally clear
on what the exact policy is there. That really strikes me as
antitrust, but MS might argue that on ARM they have no monopoly
(instead we have a bunch of different vendors who almost universally
lock down their hardware). I can't really see how any solution that
didn't give the end-user the ability to run arbitrary code on their
machine could be called "Gentoo" so our ability to distribute signed
bootloaders there is going to be limited. Maybe we create the ability
to sign your own as with x86, and make the users pay the $99 for their
own keys. As long as individual users don't distribute their
"insecure" bootloaders they shouldn't be at risk of getting them
Well, that's a lot, but those are my impressions. In short I see this
as more of a speed-bump for x86, but a much more fundamental problem
for ARM. Personally I never buy a general-purpose computing device
like a PC or smartphone unless I know in advance that I can gain full
control over it. Hopefully that option will remain open to me a lot
I'd be personally interested in pointers to info on what the "powers
that be" do and don't allow with UEFI. I've seen lots of
sky-is-falling blog entries and discussion but little in the way of
specs, and more importantly, policies.