On 06/15/2012 12:24 AM, Arun Raghavan wrote:
> On 15 June 2012 10:26, Greg KH <gregkh@g.o> wrote:
>> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote:
>>> On 15 June 2012 09:58, Greg KH <gregkh@g.o> wrote:
>>>> So, anyone been thinking about this? I have, and it's not pretty.
>>>>
>>>> Should I worry about this and how it affects Gentoo, or not worry about
>>>> Gentoo right now and just focus on the other issues?
>>>
>>> I think it at least makes sense to talk about it, and work out what we
>>> can and cannot do.
>>>
>>> I guess we're in an especially bad position since everybody builds
>>> their own bootloader. Is there /any/ viable solution that allows
>>> people to continue doing this short of distributing a first-stage
>>> bootloader blob?
>>
>> Distributing a first-stage bootloader blob, that is signed by Microsoft,
>> or someone, seems to be the only way to easily handle this.
>>
>> Although all BIOSes will have the option to turn secure boot off, I
>> think it is something that we might not want to require for Gentoo to
>> work properly on those machines.
>>
>> Also, some people might really want to sign their own bootloader and
>> kernel, and kernel modules (myself included), so just getting that basic
>> infrastructure in place is going to take some work, no matter who ends
>> up signing the first-stage bootloader blob.
>
> I hadn't thought of that. I imagine the hardened team might be
> interested in making such infrastructure easily available as well.
>
>> Oh, and on the first-stage bootloader front, I already know of 2 simple,
>> and open source, examples that will work for Linux, so getting something
>> like that signed might not be very tough. It's the "where does the
>> chain-of-trust stop" question that gets tricky...
>
> For validating the chain of trust, it might be useful to make it
> possible for anyone to generate the same bootloader and verify the
> hashes themselves. For the truly paranoid maybe a signed stage3 +
> portage snapshot to generate the bootloader image from scratch.
>
>>>> Minor details like, "do we have a 'company' that can pay Microsoft to
>>>> sign our bootloader?" is one aspect from the non-technical side that I've
>>>> been wondering about.
>>>
>>> Sounds like something the Gentoo Foundation could do.
>>
>> Can they do that? I haven't been paying attention to if we are really a
>> legal entity still or not, sorry.
>
> I believe so, but quantumsummers is likely the best person to confirm.
>
I've already taken a look at some of this; I think our best bet is to
figure out how to use efi_stub and simply sign the kernel itself (since
it can run directly from UEFI now).

-- 
-- Matthew Thode (prometheanfire)
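The "generate the same bootloader and verify the hashes themselves" idea in the thread only works if the hash is computed the way the firmware computes it: Secure Boot compares the Authenticode PE digest, not a plain hash of the file. The following is an added example (not code from this thread, Gentoo, or any of the tools mentioned): it computes that digest in Python for a PE32/PE32+ image, with a constructed minimal PE32+ sample (`minimal_pe32plus`, an assumption for demonstration) showing that attaching a certificate table or changing CheckSum leaves the Authenticode digest unchanged while a plain file hash changes.

```python
import hashlib
import struct

def authenticode_sha256(pe: bytes) -> str:
    """Authenticode SHA-256 of a PE32/PE32+ image (the digest a UEFI db hash entry
    or sbverify checks): skips CheckSum, the Certificate Table directory entry and
    the attached cert table; section data is hashed in PointerToRawData order."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, opt = e_lfanew + 4, e_lfanew + 24
    nsections, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    checksum_off = opt + 64
    cert_entry = opt + (112 if pe32plus else 96) + 4 * 8   # data directory #4
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)
    h = hashlib.sha256()
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:cert_entry])
    h.update(pe[cert_entry + 8:size_of_headers])
    # Sections as (PointerToRawData, SizeOfRawData), sorted by file offset; zero-size ones add nothing.
    sections = sorted(struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)[::-1] for i in range(nsections))
    end = size_of_headers
    for ptr, size in sorted(sections):
        h.update(pe[ptr:ptr + size])
        end += size
    # Trailing data after the last section is hashed too, minus the cert table.
    if cert_size and cert_off >= end:
        h.update(pe[end:cert_off] + pe[cert_off + cert_size:])
    else:
        h.update(pe[end:])
    return h.hexdigest()

def plain_sha256(pe: bytes) -> str:
    return hashlib.sha256(pe).hexdigest()

def minimal_pe32plus(checksum: int = 0, cert: bytes = b"") -> bytes:
    """Constructed sample (not a real binary): one-section PE32+, optional cert table."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)              # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # SizeOfOptionalHeader = 240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<II", opt, 60, 0x200, checksum)            # SizeOfHeaders, CheckSum
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", opt, 144, 0x400, len(cert))      # Certificate Table entry
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    return hdr + bytes(range(256)) * 2 + cert                    # section data at 0x200, cert at 0x400
```

The same function applied to a real kernel or bootloader image gives the value that would go into a db hash entry or be published alongside a reproducible build.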