List Archive: gentoo-dev
Headers:
To: gentoo-dev@g.o
From: Matthew Thode <prometheanfire@g.o>
Subject: Re: UEFI secure boot and Gentoo
Date: Fri, 15 Jun 2012 16:28:43 -0500
On 06/15/2012 12:24 AM, Arun Raghavan wrote:
> On 15 June 2012 10:26, Greg KH <gregkh@g.o> wrote:
>> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote:
>>> On 15 June 2012 09:58, Greg KH <gregkh@g.o> wrote:
>>>> So, anyone been thinking about this?  I have, and it's not pretty.
>>>>
>>>> Should I worry about this and how it affects Gentoo, or not worry about
>>>> Gentoo right now and just focus on the other issues?
>>>
>>> I think it at least makes sense to talk about it, and work out what we
>>> can and cannot do.
>>>
>>> I guess we're in an especially bad position since everybody builds
>>> their own bootloader. Is there /any/ viable solution that allows
>>> people to continue doing this short of distributing a first-stage
>>> bootloader blob?
>>
>> Distributing a first-stage bootloader blob, that is signed by Microsoft,
>> or someone, seems to be the only way to easily handle this.
>>
>> Although all BIOSes will have the option to turn secure boot off, I
>> think it is something that we might not want to require for Gentoo to
>> work properly on those machines.
>>
>> Also, some people might really want to sign their own bootloader and
>> kernel, and kernel modules (myself included), so just getting that basic
>> infrastructure in place is going to take some work, no matter who ends
>> up signing the first-stage bootloader blob.
> 
> I hadn't thought of that. I imagine the hardened team might be
> interested in making such infrastructure easily available as well.
> 
>> Oh, and on the first-stage bootloader front, I already know of 2 simple,
>> and open source, examples that will work for Linux, so getting something
>> like that signed might not be very tough.  It's the "where does the
>> chain-of-trust stop" question that gets tricky...
> 
> For validating the chain of trust, it might be useful to make it
> possible for anyone to generate the same bootloader and verify the
> hashes themselves. For the truly paranoid maybe a signed stage3 +
> portage snapshot to generate the bootloader image from scratch.
> 
>>>> Minor details like, "do we have a 'company' that can pay Microsoft to
>>>> sign our bootloader?" is one aspect from the non-technical side that I've
>>>> been wondering about.
>>>
>>> Sounds like something the Gentoo Foundation could do.
>>
>> Can they do that?  I haven't been paying attention to if we are really a
>> legal entity still or not, sorry.
> 
> I believe so, but quantumsummers is likely the best person to confirm.
> 
I've already taken a look at some of this, I think our best bet is to
figure out how to use efi_stub and simply sign the kernel itself (since
it can run directly from uefi now).

-- 
-- Matthew Thode (prometheanfire)



Attachment:
signature.asc (OpenPGP digital signature)
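
An added example, not part of the original message or of any Gentoo tooling: a kernel built with the EFI stub is a PE/COFF image, and an attached Secure Boot signature sits in the PE Certificate Table, so this check reports whether an image carries one. The names `efi_signature_info` and `sample_image` are hypothetical, and the sample bytes are constructed rather than taken from a real kernel.

```python
import struct

CERT_DIR_INDEX = 4                      # PE data directory 4: Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 blob

def efi_signature_info(image: bytes) -> dict:
    """Report whether a PE/COFF EFI image carries an embedded signature.

    Presence only: this does not validate the PKCS#7 data or the signer."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("no MZ header: not an EFI-bootable PE image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 24                   # skip "PE\0\0" and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional-header magic")
    ndirs_off = 92 if magic == 0x10B else 108   # PE32 vs PE32+
    (ndirs,) = struct.unpack_from("<I", image, opt + ndirs_off)
    info = {"pe32_plus": magic == 0x20B, "signed": False, "certs": []}
    if ndirs <= CERT_DIR_INDEX:
        return info
    entry = opt + ndirs_off + 4 + 8 * CERT_DIR_INDEX
    pos, size = struct.unpack_from("<II", image, entry)  # file offset, size
    end = pos + size
    if end > len(image):
        raise ValueError("certificate table runs past end of file")
    while size and pos + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        info["certs"].append({"type": ctype, "length": length})
        pos += (length + 7) & ~7        # entries are 8-byte aligned
    info["signed"] = any(c["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA
                         for c in info["certs"])
    return info

def sample_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo, not a real kernel."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0206)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    blob = struct.pack("<IHH", 16, 0x0200, 2) + b"\0" * 8 if signed else b""
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * CERT_DIR_INDEX, 328, len(blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + blob
```

A "signed" result only means a signature blob is attached; whether firmware accepts it depends on the keys enrolled on the machine.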
Updated Jun 29, 2012
