1 |
Am 15.06.2012 10:06, schrieb Richard Farina: |
2 |
> On 06/15/2012 03:49 AM, Florian Philipp wrote: |
3 |
>> Am 15.06.2012 09:26, schrieb Michał Górny: |
4 |
>>> On Thu, 14 Jun 2012 21:56:04 -0700 |
5 |
>>> Greg KH <gregkh@g.o> wrote: |
6 |
>>> |
7 |
>>>> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote: |
8 |
>>>>> On 15 June 2012 09:58, Greg KH <gregkh@g.o> wrote: |
9 |
>>>>>> So, anyone been thinking about this? I have, and it's not pretty. |
10 |
>>>>>> |
11 |
>>>>>> Should I worry about this and how it affects Gentoo, or not worry |
12 |
>>>>>> about Gentoo right now and just focus on the other issues? |
13 |
>>>>> |
14 |
>>>>> I think it at least makes sense to talk about it, and work out what |
15 |
>>>>> we can and cannot do. |
16 |
>>>>> |
17 |
>>>>> I guess we're in an especially bad position since everybody builds |
18 |
>>>>> their own bootloader. Is there /any/ viable solution that allows |
19 |
>>>>> people to continue doing this short of distributing a first-stage |
20 |
>>>>> bootloader blob? |
21 |
>>>> |
22 |
>>>> Distributing a first-stage bootloader blob, that is signed by |
23 |
>>>> Microsoft, or someone, seems to be the only way to easily handle this. |
24 |
>>> |
25 |
>>> Maybe we could get one such a blob for all distros/systems? |
26 |
>>> |
27 |
> |
28 |
>> I guess nothing prevents you from re-distributing Fedora's blob. |
29 |
> |
30 |
>>> Also, does this signature system have any restrictions on what is |
31 |
>>> signed and what is not? In other words, will they actually sign a blob |
32 |
>>> saying 'work-around signatures' on the top? |
33 |
>>> |
34 |
> |
35 |
>> They might sign it. I think it is just an automated process verified |
36 |
>> with smartcards. The point is, they will also blacklist it as soon as |
37 |
>> malware starts using it (or as soon as they are aware of the possibility). |
38 |
> |
39 |
>> It should also be noted that having a bootloader blob is not enough. You |
40 |
>> have to do it like Fedora and sign the kernel and modules as well as |
41 |
>> removing kernel features that could result in security breaches |
42 |
>> (everything outlined in [1]). I don't see any reasonable way to do this |
43 |
>> while allowing users to build their own kernel and third-party modules. |
44 |
> |
45 |
>> In the end, I think we'll need *-bin packages for everything running in |
46 |
>> kernel-space. |
47 |
> |
48 |
> Being all about choice I have to agree that as long as we have both bin |
49 |
> and normal kernels there is nothing wrong with that. However, dear god, |
50 |
> with how many kernels we have won't this get really expensive really |
51 |
> fast? Even just signing gentoo-sources and hardened-sources would cost |
52 |
> a fortune considering both change weekly if not daily. So that puts us |
53 |
> to signing just stable releases and damn users who want secure boot and |
54 |
> a recent kernel or need a custom patch? This all seems like a huge step |
55 |
> in the wrong direction to me, at the very least the amount of effort for |
56 |
> this is near insurmountable in my eyes. |
57 |
> |
58 |
> -Zero |
59 |
> |
60 |
> |
61 |
>> [1] http://mjg59.dreamwidth.org/12368.html |
62 |
> |
63 |
>> Regards, |
64 |
>> Florian Philipp |
65 |
> |
66 |
|
67 |
No, it won't be expensive. Please read the link in my message on how |
68 |
Fedora do it: |
69 |
|
70 |
1. You pay 99$ *once* as a registration fee. After that, you can sign as |
71 |
much as you want. |
72 |
|
73 |
2. In order to avoid the hassle of the actual authentication process for |
74 |
signing code, Fedora simply signs a stage-1 boot loader which then |
75 |
verifies all further stages against a custom Fedora key. This key also |
76 |
has to be secure but it means they can use their own, automated tool |
77 |
chain for signing kernel and grub builds. |
78 |
|
79 |
Regards, |
80 |
Florian Philipp |