Gentoo Archives: gentoo-dev

From: Florian Philipp <lists@×××××××××××.net>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
Date: Fri, 15 Jun 2012 08:26:17
In Reply to: Re: [gentoo-dev] UEFI secure boot and Gentoo by Richard Farina
Am 15.06.2012 10:06, schrieb Richard Farina:
> On 06/15/2012 03:49 AM, Florian Philipp wrote: >> Am 15.06.2012 09:26, schrieb Michał Górny: >>> On Thu, 14 Jun 2012 21:56:04 -0700 >>> Greg KH <gregkh@g.o> wrote: >>> >>>> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote: >>>>> On 15 June 2012 09:58, Greg KH <gregkh@g.o> wrote: >>>>>> So, anyone been thinking about this? I have, and it's not pretty. >>>>>> >>>>>> Should I worry about this and how it affects Gentoo, or not worry >>>>>> about Gentoo right now and just focus on the other issues? >>>>> >>>>> I think it at least makes sense to talk about it, and work out what >>>>> we can and cannot do. >>>>> >>>>> I guess we're in an especially bad position since everybody builds >>>>> their own bootloader. Is there /any/ viable solution that allows >>>>> people to continue doing this short of distributing a first-stage >>>>> bootloader blob? >>>> >>>> Distributing a first-stage bootloader blob, that is signed by >>>> Microsoft, or someone, seems to be the only way to easily handle this. >>> >>> Maybe we could get one such a blob for all distros/systems? >>> > >> I guess nothing prevents you from re-distributing Fedora's blob. > >>> Also, does this signature system have any restrictions on what is >>> signed and what is not? In other words, will they actually sign a blob >>> saying 'work-around signatures' on the top? >>> > >> They might sign it. I think it is just an automated process verified >> with smartcards. The point is, they will also blacklist it as soon as >> malware starts using it (or as soon as they are aware of the possibility). > >> It should also be noted that having a bootloader blob is not enough. You >> have to do it like Fedora and sign the kernel and modules as well as >> removing kernel features that could result in security breaches >> (everything outlined in [1]). I don't see any reasonable way to do this >> while allowing users to build their own kernel and third-party modules. > >> In the end, I think we'll need *-bin packages for everything running in >> kernel-space. > > Being all about choice I have to agree that as long as we have both bin > and normal kernels there is nothing wrong with that. However, dear god, > with how many kernels we have won't this get really expensive really > fast? Even just signing gentoo-sources and hardened-sources would cost > a fortune considering both change weekly if not daily. So that puts us > to signing just stable releases and damn users who want secure boot and > a recent kernel or need a custom patch? This all seems like a huge step > in the wrong direction to me, at the very least the amount of effort for > this is near insurmountable in my eyes. > > -Zero > > >> [1] > >> Regards, >> Florian Philipp >
No, it won't be expensive. Please read the link in my message on how Fedora do it: 1. You pay 99$ *once* as a registration fee. After that, you can sign as much as you want. 2. In order to avoid the hassle of the actual authentication process for signing code, Fedora simply signs a stage-1 boot loader which then verifies all further stages against a custom Fedora key. This key also has to be secure but it means they can use their own, automated tool chain for signing kernel and grub builds. Regards, Florian Philipp


File name MIME type
signature.asc application/pgp-signature