Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-dev
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-dev@g.o
From: Greg KH <gregkh@g.o>
Subject: Re: Re: UEFI secure boot and Gentoo
Date: Sun, 17 Jun 2012 09:55:35 -0700
On Sun, Jun 17, 2012 at 05:51:04PM +0200, Michał Górny wrote:
> On Sun, 17 Jun 2012 11:20:38 +0200
> Florian Philipp <lists@...> wrote:
> 
> > Am 16.06.2012 19:51, schrieb Michał Górny:
> > > On Fri, 15 Jun 2012 09:54:12 +0200
> > > Florian Philipp <lists@...> wrote:
> > > 
> > >> Am 15.06.2012 06:50, schrieb Duncan:
> > >>> Greg KH posted on Thu, 14 Jun 2012 21:28:10 -0700 as excerpted:
> > >>>
> > >>>> So, anyone been thinking about this?  I have, and it's not
> > >>>> pretty.
> > >>>>
> > >>>> Should I worry about this and how it affects Gentoo, or not worry
> > >>>> about Gentoo right now and just focus on the other issues?
> > >>>>
> > >>>> Minor details like, "do we have a 'company' that can pay
> > >>>> Microsoft to sign our bootloader?" is one aspect from the
> > >>>> non-technical side that I've been wondering about.
> > >>>
> > >>> I've been following developments and wondering a bit about this
> > >>> myself.
> > >>>
> > >>> I had concluded that at least for x86/amd64, where MS is mandating
> > >>> a user controlled disable-signed-checking option, gentoo shouldn't
> > >>> have a problem.  Other than updating the handbook to accommodate
> > >>> UEFI, presumably along with the grub2 stabilization, I believe
> > >>> we're fine as if a user can't figure out how to disable that
> > >>> option on their (x86/amd64) platform, they're hardly likely to be
> > >>> a good match for gentoo in any case.
> > >>>
> > >>
> > >> As a user, I'd still like to have the chance of using Secure Boot
> > >> with Gentoo since it _really_ increases security. Even if it means
> > >> I can no longer build my own kernel.
> > > 
> > > It doesn't. It's just a very long wooden fence; you just didn't find
> > > the hole yet.
> > > 
> > 
> > Oh come on! That's FUD and you know it. If not, did you even look at
> > the specs and working principle?
> 
> Could you answer the following question:
> 
> 1. How does it increase security?

Non-signed bootloaders and kernels will not run.

> 2. What happens if, say, your bootloader is compromised?

And how would this happen?  Your bootloader would not run.

> 3. What happens if the machine signing the blobs is compromised?

So, who's watching the watchers, right?  Come on, this is getting
looney.

greg k-h


References:
UEFI secure boot and Gentoo
-- Greg KH
Re: UEFI secure boot and Gentoo
-- Duncan
Re: Re: UEFI secure boot and Gentoo
-- Florian Philipp
Re: Re: UEFI secure boot and Gentoo
-- Michał Górny
Re: Re: UEFI secure boot and Gentoo
-- Florian Philipp
Re: Re: UEFI secure boot and Gentoo
-- Michał Górny
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: Re: UEFI secure boot and Gentoo
Next by thread:
Re: Re: UEFI secure boot and Gentoo
Previous by date:
Re: [RFC] Dynamic SLOTs
Next by date:
Re: Re: UEFI secure boot and Gentoo


Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.