Gentoo Archives: gentoo-dev

From: Arun Raghavan <ford_prefect@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
Date: Fri, 15 Jun 2012 05:26:24
In Reply to: Re: [gentoo-dev] UEFI secure boot and Gentoo by Greg KH
On 15 June 2012 10:26, Greg KH <gregkh@g.o> wrote:
> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote: >> On 15 June 2012 09:58, Greg KH <gregkh@g.o> wrote: >> > So, anyone been thinking about this?  I have, and it's not pretty. >> > >> > Should I worry about this and how it affects Gentoo, or not worry about >> > Gentoo right now and just focus on the other issues? >> >> I think it at least makes sense to talk about it, and work out what we >> can and cannot do. >> >> I guess we're in an especially bad position since everybody builds >> their own bootloader. Is there /any/ viable solution that allows >> people to continue doing this short of distributing a first-stage >> bootloader blob? > > Distributing a first-stage bootloader blob, that is signed by Microsoft, > or someone, seems to be the only way to easily handle this. > > Although all BIOSes will have the option to turn secure boot off, I > think it is something that we might not want to require for Gentoo to > work properly on those machines. > > Also, some people might really want to sign their own bootloader and > kernel, and kernel modules (myself included), so just getting that basic > infrastructure in place is going to take some work, no matter who ends > up signing the first-stage bootloader blob.
I hadn't thought of that. I imagine the hardened team might be interested in making such infrastructure easily available as well.
> Oh, and on the first-stage bootloader front, I already know of 2 simple, > and open source, examples that will work for Linux, so getting something > like that signed might not be very tough.  It's the "where does the > chain-of-trust stop" question that gets tricky...
For validating the chain of trust, it might be useful to make it possible for anyone to generate the same bootloader and verify the hashes themselves. For the truly paranoid maybe a signed stage3 + portage snapshot to generate the bootloader image from scratch.
>> > Minor details like, "do we have a 'company' that can pay Microsoft to >> > sign our bootloader?" is one aspect from the non-technical side that I've >> > been wondering about. >> >> Sounds like something the Gentoo Foundation could do. > > Can they do that?  I haven't been paying attention to if we are really a > legal entity still or not, sorry.
I believe so, but quantumsummers is likely the best person to confirm. -- Arun Raghavan (Ford_Prefect | Gentoo) & (arunsr | GNOME)


Subject Author
Re: [gentoo-dev] UEFI secure boot and Gentoo Matthew Thode <prometheanfire@g.o>