Gentoo Archives: gentoo-dev

From: Greg KH <gregkh@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
Date: Sun, 17 Jun 2012 17:04:04
Message-Id: 20120617170300.GC31617@kroah.com
In Reply to: Re: [gentoo-dev] UEFI secure boot and Gentoo by Maxim Kammerer
1 On Sat, Jun 16, 2012 at 12:22:24PM +0300, Maxim Kammerer wrote:
2 > On Fri, Jun 15, 2012 at 3:01 PM, Rich Freeman <rich0@g.o> wrote:
3 > > I think that anybody that really cares about security should be
4 > > running in custom mode anyway, and should just re-sign anything they
5 > > want to run.  Custom mode lets you clear every single key in the
6 > > system from the vendor on down, and gives you the ability to ensure
7 > > the system only boots stuff you want it to.
8 >
9 > I have several questions, that hopefully someone familiar with UEFI
10 > Secure Boot is able to answer. If I understand UEFI correctly, the
11 > user will need to not just re-sign bootloaders, but also the
12 > OS-neutral drivers (e.g., UEFI GOP), which are hardware-specific, and
13 > will be probably signed with Microsoft keys, since the hardware vendor
14 > would otherwise need to implement expensive key security measures — is
15 > that correct?
16
17 Huh? No, why would a user need to resign the UEFI drivers? Those
18 "live" in the BIOS and are only used to get the machine up and running
19 in UEFI space, before UEFI hands the control off to the bootloader it
20 has verified is signed with a correct key.
21
22 > If the user does not perform this procedure (due to its
23 > complexity and/or lack of tools automating the process), is it
24 > possible for an externally connected device to compromise the system
25 > by supplying a Microsoft-signed blob directly to the UEFI firmware,
26 > circumventing the (Linux) OS?
27
28 Again, what? Please explain.
29
30 > Is it possible to develop an automatic
31 > re-signing tool — i.e., does the API support all needed features
32 > (listing / extracting drivers, revoking keys, adding keys, etc.)?
33
34 What API? The signing tool is public, and no, it doesn't add keys,
35 that's up to the BIOS to do, not the userspace tool.
36
37 confused,
38
39 greg k-h

Replies

Subject Author
Re: [gentoo-dev] UEFI secure boot and Gentoo Maxim Kammerer <mk@×××.su>