Gentoo Archives: gentoo-dev

From: Rich Freeman <rich0@g.o>
To: gentoo-dev@l.g.o
Cc: Sabayon public development mailing list <devel@×××××××××××××.org>, core@××××××.org, gentoo-genkernel@l.g.o
Subject: Re: [gentoo-dev] Killing UEFI Secure Boot
Date: Wed, 20 Jun 2012 01:26:37
Message-Id: CAGfcS_=kXsmBFFQ37SD-i_EQrsht4Kwdf9Emz1JrK7vmvXKeDw@mail.gmail.com
In Reply to: Re: [gentoo-dev] Killing UEFI Secure Boot by Richard Yao
On Tue, Jun 19, 2012 at 9:10 PM, Richard Yao <ryao@g.o> wrote:
> On 06/19/2012 08:22 PM, Rich Freeman wrote:
> Core Boot is a Linux distribution. I do not think that we should boot
> Gentoo using their distribution any more than we boot Gentoo using RHEL.

Well, maybe it is a distro in the sense that genkernel or dracut are
distros (they bundle a bunch of tools in conjunction with a kernel to
do something). The whole point of Core Boot is to be a BIOS
replacement - either to do work on its own, or to boot something else.
Like UEFI it aims to do more than just load one sector off the hard
drive, check for a magic number, and jump into it.

> In theory, the kernel could be modified to only execute signed binaries
> and portage could be modified to produce signed binaries. The user could
> build a system that required everything to be signed with the private
> key of his choice. A hardened system that required signed binaries would
> be even more secure than a typical system using Secure Boot where only
> the bootloader, kernel and kernel modules are signed. The user would be
> in full control of his hardware. The user would not need to pay for this
> and the system would also boot faster.

You can do all of this with the UEFI firmware that will come with your
computer already. Why replace it?

> The 80386's RESET state is emulated uniformly across all x86 and amd64,
> so it should not take much effort to support the basic functions of
> setting up the CPU, loading the kernel (from the EEPROM) and jumping
> into it. Everything else is secondary.

Fair enough, and the fact is that most modern OSes depend little on
the BIOS for much of anything. I'm not sure that is absolutely
nothing, but obviously the Core Boot folks have it working in some
cases.

>
> Those are the only things that a BIOS replacement needs to do. As you
> pointed out, Core Boot is trying to add value. That means that they are
> doing far more than those basic functions. Other features are nice, but
> not if they get in the way of being able to boot. Other things can come
> the system boot process works.
>
> Did I miss any technical obstacles?

Honestly, I'd probably ask one of the Core Boot folks. Has anybody
already tried to make a core boot light? If their system already
works on any board out there, then we're re-inventing the wheel. If
theirs doesn't, then we need to ask why, since we're likely to run
into the same barriers.

In any case, this seems like a solution to a problem that we don't
have. Any win7-certified motherboard is going to be able to boot
without secure boot just fine, so why do we need to replace it with a
minimal firmware that does the same thing? I can see why one might
want to improve on it, with Core Boot and such. However, I suspect
the last thing we want in the Gentoo handbook is for every newbie to
be flashing a Gentoo-made firmware onto their board and we get to deal
with the bricks.

Rich