On 15 June 2012 10:26, Greg KH <gregkh@g.o> wrote:
> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote:
>> On 15 June 2012 09:58, Greg KH <gregkh@g.o> wrote:
>> > So, anyone been thinking about this? I have, and it's not pretty.
>> >
>> > Should I worry about this and how it affects Gentoo, or not worry about
>> > Gentoo right now and just focus on the other issues?
>>
>> I think it at least makes sense to talk about it, and work out what we
>> can and cannot do.
>>
>> I guess we're in an especially bad position since everybody builds
>> their own bootloader. Is there /any/ viable solution that allows
>> people to continue doing this short of distributing a first-stage
>> bootloader blob?
>
> Distributing a first-stage bootloader blob, that is signed by Microsoft,
> or someone, seems to be the only way to easily handle this.
>
> Although all BIOSes will have the option to turn secure boot off, I
> think it is something that we might not want to require for Gentoo to
> work properly on those machines.
>
> Also, some people might really want to sign their own bootloader and
> kernel, and kernel modules (myself included), so just getting that basic
> infrastructure in place is going to take some work, no matter who ends
> up signing the first-stage bootloader blob.

I hadn't thought of that. I imagine the hardened team might be
interested in making such infrastructure easily available as well.

> Oh, and on the first-stage bootloader front, I already know of 2 simple,
> and open source, examples that will work for Linux, so getting something
> like that signed might not be very tough. It's the "where does the
> chain-of-trust stop" question that gets tricky...

For validating the chain of trust, it might be useful to make it
possible for anyone to generate the same bootloader and verify the
hashes themselves. For the truly paranoid, maybe a signed stage3 +
portage snapshot to generate the bootloader image from scratch.

>> > Minor details like, "do we have a 'company' that can pay Microsoft to
>> > sign our bootloader?" are one aspect from the non-technical side that I've
>> > been wondering about.
>>
>> Sounds like something the Gentoo Foundation could do.
>
> Can they do that? I haven't been paying attention to whether we are really a
> legal entity still or not, sorry.

I believe so, but quantumsummers is likely the best person to confirm.

--
Arun Raghavan
http://arunraghavan.net/
(Ford_Prefect | Gentoo) & (arunsr | GNOME)