On 06/15/2012 12:24 AM, Arun Raghavan wrote:
> On 15 June 2012 10:26, Greg KH <email@example.com> wrote:
>> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote:
>>> On 15 June 2012 09:58, Greg KH <firstname.lastname@example.org> wrote:
>>>> So, anyone been thinking about this? I have, and it's not pretty.
>>>> Should I worry about this and how it affects Gentoo, or not worry about
>>>> Gentoo right now and just focus on the other issues?
>>> I think it at least makes sense to talk about it, and work out what we
>>> can and cannot do.
>>> I guess we're in an especially bad position since everybody builds
>>> their own bootloader. Is there /any/ viable solution that allows
>>> people to continue doing this short of distributing a first-stage
>>> bootloader blob?
>> Distributing a first-stage bootloader blob, that is signed by Microsoft,
>> or someone, seems to be the only way to easily handle this.
>> Although all BIOSes will have the option to turn secure boot off, I
>> think it is something that we might not want to require for Gentoo to
>> work properly on those machines.
>> Also, some people might really want to sign their own bootloader and
>> kernel, and kernel modules (myself included), so just getting that basic
>> infrastructure in place is going to take some work, no matter who ends
>> up signing the first-stage bootloader blob.
> I hadn't thought of that. I imagine the hardened team might be
> interested in making such infrastructure easily available as well.
>> Oh, and on the first-stage bootloader front, I already know of 2 simple,
>> and open source, examples that will work for Linux, so getting something
>> like that signed might not be very tough. It's the "where does the
>> chain-of-trust stop" question that gets tricky...
> For validating the chain of trust, it might be useful to make it
> possible for anyone to generate the same bootloader and verify the
> hashes themselves. For the truly paranoid maybe a signed stage3 +
> portage snapshot to generate the bootloader image from scratch.
>>>> Minor details like, "do we have a 'company' that can pay Microsoft to
>>>> sign our bootloader?" is one aspect from the non-technical side that I've
>>>> been wondering about.
>>> Sounds like something the Gentoo Foundation could do.
>> Can they do that? I haven't been paying attention to if we are really a
>> legal entity still or not, sorry.
> I believe so, but quantumsummers is likely the best person to confirm.
I've already taken a look at some of this, I think our best bet is to
figure out how to use efi_stub and simply sign the kernel itself (since
it can run directly from UEFI now).
-- Matthew Thode (prometheanfire)
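Once the kernel is built as an EFI stub image, as suggested above, it is a PE/COFF binary and the firmware looks for an Authenticode signature in its Certificate Table data directory. The script below is an added example, not code from this thread or from Gentoo; it parses the PE headers to report whether an image carries such a signature entry and how many WIN_CERTIFICATE blobs it holds, which is a quick sanity check before enrolling or deploying an image. Function names (`find_certificate_table`, `list_certificates`, `signature_report`, `build_test_image`) are this example's own, and `build_test_image` constructs a minimal PE32+ image with a placeholder certificate blob for offline testing; that blob is not a real signature.

```python
import struct
import sys

# Index of the Certificate Table (Authenticode) in the PE optional-header data directories.
CERT_TABLE_INDEX = 4
# wCertificateType value for a PKCS#7 SignedData blob (WIN_CERT_TYPE_PKCS_SIGNED_DATA).
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def find_certificate_table(image: bytes):
    """Return (file_offset, size) of the certificate table, or (0, 0) if absent.

    Unlike other data directories, this entry holds a raw file offset, not an RVA.
    Raises ValueError on an image that is not a well-formed PE."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at offset 96
        dirs_off, count_off = 96, 92
    elif magic == 0x20B:    # PE32+: data directories start at offset 112
        dirs_off, count_off = 112, 108
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    if size_of_optional < dirs_off:
        return 0, 0
    num_dirs = struct.unpack_from("<I", image, opt + count_off)[0]
    if num_dirs <= CERT_TABLE_INDEX:
        return 0, 0
    entry = opt + dirs_off + CERT_TABLE_INDEX * 8
    if entry + 8 > opt + size_of_optional:
        return 0, 0
    return struct.unpack_from("<II", image, entry)


def list_certificates(image: bytes):
    """Walk the WIN_CERTIFICATE entries in the certificate table (8-byte aligned)."""
    offset, size = find_certificate_table(image)
    end = offset + size
    if end > len(image):
        raise ValueError("certificate table runs past end of file")
    certs, pos = [], offset
    while offset and pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        certs.append({"revision": revision, "type": ctype,
                      "pkcs7": image[pos + 8:pos + length]})
        pos += (length + 7) & ~7
    return certs


def signature_report(image: bytes) -> dict:
    """Summarise what the Certificate Table says; presence is not validity."""
    certs = list_certificates(image)
    return {
        "signed": bool(certs),
        "entries": len(certs),
        "authenticode": sum(1 for c in certs if c["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA),
    }


def build_test_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (one section-less header set) for offline testing."""
    opt_size = 112 + 16 * 8                 # PE32+ header with all 16 data directories
    headers_len = 0x40 + 4 + 20 + opt_size  # DOS stub + "PE\0\0" + COFF + optional
    cert_blob = b"\x30\x82" + b"\x00" * 30  # placeholder bytes, not a real DER PKCS#7 blob
    win_cert_len = 8 + len(cert_blob)
    table_off = (headers_len + 7) & ~7      # certificate table must be 8-byte aligned
    buf = bytearray(table_off + win_cert_len)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    # Machine=x86-64, 1 section, no symbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, coff, 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = coff + 20
    struct.pack_into("<H", buf, opt, 0x20B)          # PE32+ magic
    struct.pack_into("<I", buf, opt + 108, 16)       # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", buf, opt + 112 + CERT_TABLE_INDEX * 8, table_off, win_cert_len)
        struct.pack_into("<IHH", buf, table_off, win_cert_len, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        buf[table_off + 8:table_off + win_cert_len] = cert_blob
    return bytes(buf)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_image(True)
    print(signature_report(data))
```

Run it against a real `vmlinuz.efi` or a bootloader binary to see whether a signature entry is present at all. It deliberately stops there: checking that the PKCS#7 blob actually verifies against the keys enrolled in the firmware's `db` (and is not in `dbx`) is the job of the firmware or a tool such as sbverify, which is the part of the chain of trust the discussion above is really about.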