Gentoo Archives: gentoo-dev

From: Maxim Kammerer <mk@×××.su>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
Date: Sat, 16 Jun 2012 09:23:44
In Reply to: Re: [gentoo-dev] UEFI secure boot and Gentoo by Rich Freeman
On Fri, Jun 15, 2012 at 3:01 PM, Rich Freeman <rich0@g.o> wrote:
> I think that anybody that really cares about security should be > running in custom mode anyway, and should just re-sign anything they > want to run.  Custom mode lets you clear every single key in the > system from the vendor on down, and gives you the ability to ensure > the system only boots stuff you want it to.
I have several questions, that hopefully someone familiar with UEFI Secure Boot is able to answer. If I understand UEFI correctly, the user will need to not just re-sign bootloaders, but also the OS-neutral drivers (e.g., UEFI GOP), which are hardware-specific, and will be probably signed with Microsoft keys, since the hardware vendor would otherwise need to implement expensive key security measures — is that correct? If the user does not perform this procedure (due to its complexity and/or lack of tools automating the process), is it possible for an externally connected device to compromise the system by supplying a Microsoft-signed blob directly to the UEFI firmware, circumventing the (Linux) OS? Is it possible to develop an automatic re-signing tool — i.e., does the API support all needed features (listing / extracting drivers, revoking keys, adding keys, etc.)? -- Maxim Kammerer Liberté Linux:


Subject Author
Re: [gentoo-dev] UEFI secure boot and Gentoo Greg KH <gregkh@g.o>