Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-dev
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-dev@g.o
From: Rich Freeman <rich0@g.o>
Subject: Re: UEFI secure boot and Gentoo
Date: Fri, 15 Jun 2012 06:14:12 -0400
On Fri, Jun 15, 2012 at 12:28 AM, Greg KH <gregkh@g.o> wrote:
> Should I worry about this and how it affects Gentoo, or not worry about
> Gentoo right now and just focus on the other issues?
>
> Minor details like, "do we have a 'company' that can pay Microsoft to
> sign our bootloader?" is one aspect from the non-technical side that I've
> been wondering about.

So, there are 22 posts already, so I'm going to try to cover a bunch
of topics in one post.  I've been thinking about this a fair bit.

1.  Speaking as an individual trustee...  The Gentoo Foundation
legally speaks for Gentoo, can sign contracts, and can write checks.
I don't really forsee any legal issues should we decide we want to
pursue any kinds of relationships with MS or other entities associated
with UEFI.  Obviously any decision to actually pursue this would not
be taken lightly.

2.  From what I've heard the cost of getting a key that would be
recognized by UEFI firmware is as low as a $99 one-time payment, and
we pay many times that for stuff like trademark registration,
corporate filing fees, not to mention hardware for infrastructure.
Cost is likely a non-issue.

3.  Freedom IS a big issue - my sense is that getting support from the
powers that be for UEFI comes with a lot of strings.  If we had a key
the easiest solution would be to just write a signed GRUB stage1 that
works exactly like the one we're all using, and it would load whatever
you want, linux or windows or Stuxnet or otherwise.  Once Malware
writers start embedding our bootloader in their stuff I assume that
the people issuing the keys will have the ability to revoke it (at
least for new hardware).

4.  Fedora is getting around #3 by making the whole thing a big
trusted infrastructure - signature chains for all the kernel-space
code.  That meshes well with their whole /usr move initiative - you
just have this big blog of stuff that you trust and never touch, and
you can be sure you're running genuine RedHat goodness, just like all
those iPhone users out there.  :)

5.  If somebody (perhaps under the umbrella of hardened) wanted to
create a Gentoo project around a fully trusted Gentoo I'd be
completely supportive of that.  It would take work.  In the spirit of
Gentoo we should allow anybody to build their own signed with their
own key, and perhaps we might have an official Gentoo-certified one
that we would sign and the Foundation would obtain the necessary UEFI
keys.  However, that should be viewed as more of a service, and not a
core offering - Gentoo will never depend on a piece of non-free
software or metadata (and I'd probably lump a signing key into that
category).  The same tools (minus the private keys) used to generate
any secure offering made by Gentoo should be available for users to
use and sign their own systems.

6.  At least on x86 users can either disable secure boot, or load
their own signing keys.  We should try to support both.  While the
full secure infrastructure of #5 will undoubtedly be a significant
effort we could at least have the handbook have a section on how to
sign your grub when building it and install it in a way that it can be
used to boot (installing the keys themselves might be
firmware-dependent, but to the extent that standards exist we can be
helpful).

7.  In general anybody who would be a happy Gentoo user should have no
issues with signing their own bootloader, or disabling secure boot.

8.  I think the bigger issue is with ARM, and I'm not personally clear
on what the exact policy is there.  That really strikes me as
antitrust, but MS might argue that on ARM they have no monopoly
(instead we have a bunch of different vendors who almost universally
lock down their hardware).  I can't really see how any solution that
didn't give the end-user the ability to run arbitrary code on their
machine could be called "Gentoo" so our ability to distribute signed
bootloaders there is going to be limited.  Maybe we create the ability
to sign your own as with x86, and make the users pay the $99 for their
own keys.  As long as individual users don't distribute their
"insecure" bootloaders they shouldn't be at risk of getting them
revoked.

Well, that's a lot, but those are my impressions.  In short I see this
as more of a speed-bump for x86, but a much more fundamental problem
for ARM.  Personally I never buy a general-purpose computing device
like a PC or smartphone unless I know in advance that I can gain full
control over it.  Hopefully that option will remain open to me a lot
longer.

I'd be personally interested in pointers to info on what the "powers
that be" do and don't allow with UEFI.  I've seen lots of
sky-is-falling blog entries and discussion but little in the way of
specs, and more importantly, policies.

Rich


Replies:
Re: UEFI secure boot and Gentoo
-- Greg KH
Re: UEFI secure boot and Gentoo
-- G.Wolfe Woodbury
Re: UEFI secure boot and Gentoo
-- Luca Barbato
Re: UEFI secure boot and Gentoo
-- Florian Philipp
References:
UEFI secure boot and Gentoo
-- Greg KH
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: UEFI secure boot and Gentoo
Next by thread:
Re: UEFI secure boot and Gentoo
Previous by date:
Re: RFC: new global useflag libass
Next by date:
Re: UEFI secure boot and Gentoo


Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.