List Archive: gentoo-dev
Headers:
To: gentoo-dev@g.o
From: Maxim Kammerer <mk@...>
Subject: Re: UEFI secure boot and Gentoo
Date: Sat, 16 Jun 2012 12:22:24 +0300
On Fri, Jun 15, 2012 at 3:01 PM, Rich Freeman <rich0@g.o> wrote:
> I think that anybody that really cares about security should be
> running in custom mode anyway, and should just re-sign anything they
> want to run.  Custom mode lets you clear every single key in the
> system from the vendor on down, and gives you the ability to ensure
> the system only boots stuff you want it to.

I have several questions that hopefully someone familiar with UEFI
Secure Boot is able to answer. If I understand UEFI correctly, the
user will need to not just re-sign bootloaders, but also the
OS-neutral drivers (e.g., UEFI GOP), which are hardware-specific, and
will probably be signed with Microsoft keys, since the hardware vendor
would otherwise need to implement expensive key security measures — is
that correct? If the user does not perform this procedure (due to its
complexity and/or lack of tools automating the process), is it
possible for an externally connected device to compromise the system
by supplying a Microsoft-signed blob directly to the UEFI firmware,
circumventing the (Linux) OS? Is it possible to develop an automatic
re-signing tool — i.e., does the API support all needed features
(listing / extracting drivers, revoking keys, adding keys, etc.)?

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte


Updated Jun 29, 2012