On Fri, Jun 15, 2012 at 06:14:12AM -0400, Rich Freeman wrote:
> On Fri, Jun 15, 2012 at 12:28 AM, Greg KH <firstname.lastname@example.org> wrote:
> > Should I worry about this and how it affects Gentoo, or not worry about
> > Gentoo right now and just focus on the other issues?
> > Minor details like, "do we have a 'company' that can pay Microsoft to
> > sign our bootloader?" is one aspect from the non-technical side that I've
> > been wondering about.
> So, there are 22 posts already, so I'm going to try to cover a bunch
> of topics in one post. I've been thinking about this a fair bit.
> 1. Speaking as an individual trustee... The Gentoo Foundation
> legally speaks for Gentoo, can sign contracts, and can write checks.
> I don't really forsee any legal issues should we decide we want to
> pursue any kinds of relationships with MS or other entities associated
> with UEFI. Obviously any decision to actually pursue this would not
> be taken lightly.
Great to know that this could work, if needed.
> 2. From what I've heard the cost of getting a key that would be
> recognized by UEFI firmware is as low as a $99 one-time payment, and
> we pay many times that for stuff like trademark registration,
> corporate filing fees, not to mention hardware for infrastructure.
> Cost is likely a non-issue.
Yes, it's cheap.
> 3. Freedom IS a big issue - my sense is that getting support from the
> powers that be for UEFI comes with a lot of strings. If we had a key
> the easiest solution would be to just write a signed GRUB stage1 that
> works exactly like the one we're all using, and it would load whatever
> you want, linux or windows or Stuxnet or otherwise. Once Malware
> writers start embedding our bootloader in their stuff I assume that
> the people issuing the keys will have the ability to revoke it (at
> least for new hardware).
Yes, we need to provide some way to "secure" our key, which might prove
impossible and foolish for Gentoo to even attempt, as it really wouldn't
work out for us.
> 4. Fedora is getting around #3 by making the whole thing a big
> trusted infrastructure - signature chains for all the kernel-space
> code. That meshes well with their whole /usr move initiative - you
> just have this big blog of stuff that you trust and never touch, and
> you can be sure you're running genuine RedHat goodness, just like all
> those iPhone users out there. :)
The whole chain-of-trust is an interesting issue as the UEFI spec does
not require it at all, and some people on the UEFI committee have told
me that it is not required either. But, others have. Getting to the
root of this problem is something I'm trying to do, as it's a very
important one for anyone who is going to be trusting, and providing, a
key in the BIOS.
> 5. If somebody (perhaps under the umbrella of hardened) wanted to
> create a Gentoo project around a fully trusted Gentoo I'd be
> completely supportive of that. It would take work. In the spirit of
> Gentoo we should allow anybody to build their own signed with their
> own key, and perhaps we might have an official Gentoo-certified one
> that we would sign and the Foundation would obtain the necessary UEFI
> keys. However, that should be viewed as more of a service, and not a
> core offering - Gentoo will never depend on a piece of non-free
> software or metadata (and I'd probably lump a signing key into that
> category). The same tools (minus the private keys) used to generate
> any secure offering made by Gentoo should be available for users to
> use and sign their own systems.
That would mean we would be in the business of creating binary packages,
which is a big change from what we have been doing all of these years,
and not to be taken lightly.
> 6. At least on x86 users can either disable secure boot, or load
> their own signing keys. We should try to support both.
> While the full secure infrastructure of #5 will undoubtedly be a
> significant effort we could at least have the handbook have a section
> on how to sign your grub when building it and install it in a way that
> it can be used to boot (installing the keys themselves might be
> firmware-dependent, but to the extent that standards exist we can be
> 7. In general anybody who would be a happy Gentoo user should have no
> issues with signing their own bootloader, or disabling secure boot.
We have not seen how most BIOSes will allow this to happen, so I can't
agree with this statement just yet.
> 8. I think the bigger issue is with ARM, and I'm not personally clear
> on what the exact policy is there. That really strikes me as
> antitrust, but MS might argue that on ARM they have no monopoly
> (instead we have a bunch of different vendors who almost universally
> lock down their hardware). I can't really see how any solution that
> didn't give the end-user the ability to run arbitrary code on their
> machine could be called "Gentoo" so our ability to distribute signed
> bootloaders there is going to be limited. Maybe we create the ability
> to sign your own as with x86, and make the users pay the $99 for their
> own keys. As long as individual users don't distribute their
> "insecure" bootloaders they shouldn't be at risk of getting them
I'm not worried about ARM just yet, things are in play to make this
possibly a non-issue, but I can't say so for sure at this point in time.
Just be assured that people at ARM know about the problem and are
working to resolve it.
> Well, that's a lot, but those are my impressions. In short I see this
> as more of a speed-bump for x86, but a much more fundamental problem
> for ARM.
It's a big speed-bump for x86, it's going to be a bunch of work and
documentation to get right.
> I'd be personally interested in pointers to info on what the "powers
> that be" do and don't allow with UEFI. I've seen lots of
> sky-is-falling blog entries and discussion but little in the way of
> specs, and more importantly, policies.
You have pointers to the specs now, feel free to fall asleep while
reading them :)