Gentoo Archives: gentoo-dev

From: Matthew Thode <prometheanfire@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
Date: Fri, 15 Jun 2012 21:29:53
Message-Id: 4FDBA90B.5070502@gentoo.org
In Reply to: Re: [gentoo-dev] UEFI secure boot and Gentoo by Arun Raghavan
On 06/15/2012 12:24 AM, Arun Raghavan wrote:
> On 15 June 2012 10:26, Greg KH <gregkh@g.o> wrote:
>> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote:
>>> On 15 June 2012 09:58, Greg KH <gregkh@g.o> wrote:
>>>> So, anyone been thinking about this? I have, and it's not pretty.
>>>>
>>>> Should I worry about this and how it affects Gentoo, or not worry about
>>>> Gentoo right now and just focus on the other issues?
>>>
>>> I think it at least makes sense to talk about it, and work out what we
>>> can and cannot do.
>>>
>>> I guess we're in an especially bad position since everybody builds
>>> their own bootloader. Is there /any/ viable solution that allows
>>> people to continue doing this short of distributing a first-stage
>>> bootloader blob?
>>
>> Distributing a first-stage bootloader blob, that is signed by Microsoft,
>> or someone, seems to be the only way to easily handle this.
>>
>> Although all BIOSes will have the option to turn secure boot off, I
>> think it is something that we might not want to require for Gentoo to
>> work properly on those machines.
>>
>> Also, some people might really want to sign their own bootloader and
>> kernel, and kernel modules (myself included), so just getting that basic
>> infrastructure in place is going to take some work, no matter who ends
>> up signing the first-stage bootloader blob.
>
> I hadn't thought of that. I imagine the hardened team might be
> interested in making such infrastructure easily available as well.
>
>> Oh, and on the first-stage bootloader front, I already know of 2 simple,
>> and open source, examples that will work for Linux, so getting something
>> like that signed might not be very tough. It's the "where does the
>> chain-of-trust stop" question that gets tricky...
>
> For validating the chain of trust, it might be useful to make it
> possible for anyone to generate the same bootloader and verify the
> hashes themselves. For the truly paranoid maybe a signed stage3 +
> portage snapshot to generate the bootloader image from scratch.
>
>>>> Minor details like, "do we have a 'company' that can pay Microsoft to
>>>> sign our bootloader?" is one aspect from the non-technical side that I've
>>>> been wondering about.
>>>
>>> Sounds like something the Gentoo Foundation could do.
>>
>> Can they do that? I haven't been paying attention to if we are really a
>> legal entity still or not, sorry.
>
> I believe so, but quantumsummers is likely the best person to confirm.
>
I've already taken a look at some of this, I think our best bet is to
figure out how to use efi_stub and simply sign the kernel itself (since
it can run directly from uefi now).

--
-- Matthew Thode (prometheanfire)

Attachments: signature.asc (application/pgp-signature)
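The thread ends with the suggestion of signing an EFI-stub kernel directly, which works because the kernel image is then a PE/COFF binary carrying an Authenticode signature in its certificate table, the same structure the firmware checks for a signed bootloader. The script below is an added example and is not code from the thread or from Gentoo: it parses the PE headers to locate the certificate table (data directory entry 4) and reports the WIN_CERTIFICATE entries found, which is the first check an administrator would run to confirm an image was actually signed before enrolling it under Secure Boot. It only reports presence and type of the signature; validating the PKCS#7 against a db certificate needs a tool such as sbverify. The sample images are constructed inline (a minimal, non-bootable PE32+ with a placeholder certificate blob) so the script runs offline.

```python
import struct
import sys

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData
SECURITY_DIR_INDEX = 4                    # IMAGE_DIRECTORY_ENTRY_SECURITY


def find_authenticode_signature(image: bytes):
    """Return a list of WIN_CERTIFICATE entries in a PE image, or None if unsigned.

    Raises ValueError for non-PE input or a malformed certificate table.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x20B:          # PE32+ (x86-64 / aarch64 EFI binaries)
        nrva_off, dirs_off = 108, 112
    elif magic == 0x10B:        # PE32
        nrva_off, dirs_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if dirs_off + 8 * (SECURITY_DIR_INDEX + 1) > size_opt:
        return None             # optional header too short to hold the entry
    nrva = struct.unpack_from("<I", image, opt + nrva_off)[0]
    if nrva <= SECURITY_DIR_INDEX:
        return None
    # For the security directory the first field is a file offset, not an RVA.
    file_off, size = struct.unpack_from("<II", image, opt + dirs_off + 8 * SECURITY_DIR_INDEX)
    if file_off == 0 or size == 0:
        return None
    if file_off + size > len(image):
        raise ValueError("certificate table extends past end of image")
    certs = []
    pos, end = file_off, file_off + size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry at offset %d" % pos)
        certs.append({
            "offset": pos,
            "length": length,
            "revision": revision,
            "type": cert_type,
            "is_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        })
        pos += (length + 7) & ~7   # entries are padded to 8-byte boundaries
    return certs


def build_sample_pe(sign: bool) -> bytes:
    """Constructed minimal PE32+ image (not bootable) for demonstration only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    opt = bytearray(240)                                 # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                # magic: PE32+
    struct.pack_into("<H", opt, 68, 10)                  # subsystem: EFI application
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + 20 + len(opt)           # certificate table goes after headers
    cert_blob = b""
    if sign:
        payload = b"constructed PKCS#7 placeholder, not a real signature"
        payload += b"\0" * (-(8 + len(payload)) % 8)     # pad entry to 8 bytes
        cert_blob = struct.pack("<IHH", 8 + len(payload), 0x0200,
                                WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX,
                         headers_len, len(cert_blob))
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x0002)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_blob


if __name__ == "__main__":
    # Usage: python check_sig.py /boot/vmlinuz.efi  (falls back to the constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(find_authenticode_signature(f.read()))
    else:
        print("unsigned sample:", find_authenticode_signature(build_sample_pe(sign=False)))
        print("signed sample:  ", find_authenticode_signature(build_sample_pe(sign=True)))
```

An image that returns None here will be rejected by firmware with Secure Boot enforced no matter what is enrolled in db; an image with a PKCS#7 entry still has to be checked against the actual signing certificate, since the parser cannot tell whose key signed it.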