Greg KH wrote:
> So, anyone been thinking about this? I have, and it's not pretty.
>
> Should I worry about this and how it affects Gentoo, or not worry about
> Gentoo right now and just focus on the other issues?
>
> Minor details like, "do we have a 'company' that can pay Microsoft to
> sign our bootloader?" is one aspect from the non-technical side that I've
> been wondering about.

For the current crop of hardware, it is probably sufficient to add a
paragraph to the handbook which tells the user to disable secure boot.

Getting users' self-compiled boot loaders signed with a Gentoo key is
probably infeasible.

If you have influence on the UEFI secure boot spec, you could suggest that
they mandate a UI which lists all boot images known to the EFI boot
manager, and the user can easily whitelist both individual loaders and
the keys used to sign them.

Best regards,
Chí-Thanh Christopher Nguyễn