Gentoo Archives: gentoo-dev

From: Greg KH <gregkh@g.o>
To: gentoo-dev@l.g.o
Cc: lists@×××××××××××.net
Subject: Re: [gentoo-dev] Re: UEFI secure boot and Gentoo
Date: Sun, 17 Jun 2012 16:56:50
Message-Id: 20120617165535.GA31617@kroah.com
In Reply to: Re: [gentoo-dev] Re: UEFI secure boot and Gentoo by "Michał Górny"

On Sun, Jun 17, 2012 at 05:51:04PM +0200, Michał Górny wrote:
> On Sun, 17 Jun 2012 11:20:38 +0200
> Florian Philipp <lists@×××××××××××.net> wrote:
>
> > On 16.06.2012 19:51, Michał Górny wrote:
> > > On Fri, 15 Jun 2012 09:54:12 +0200
> > > Florian Philipp <lists@×××××××××××.net> wrote:
> > >
> > >> On 15.06.2012 06:50, Duncan wrote:
> > >>> Greg KH posted on Thu, 14 Jun 2012 21:28:10 -0700 as excerpted:
> > >>>
> > >>>> So, anyone been thinking about this? I have, and it's not
> > >>>> pretty.
> > >>>>
> > >>>> Should I worry about this and how it affects Gentoo, or not worry
> > >>>> about Gentoo right now and just focus on the other issues?
> > >>>>
> > >>>> Minor details like, "do we have a 'company' that can pay
> > >>>> Microsoft to sign our bootloader?" is one aspect from the
> > >>>> non-technical side that I've been wondering about.
> > >>>
> > >>> I've been following developments and wondering a bit about this
> > >>> myself.
> > >>>
> > >>> I had concluded that at least for x86/amd64, where MS is mandating
> > >>> a user controlled disable-signed-checking option, gentoo shouldn't
> > >>> have a problem. Other than updating the handbook to accommodate
> > >>> UEFI, presumably along with the grub2 stabilization, I believe
> > >>> we're fine as if a user can't figure out how to disable that
> > >>> option on their (x86/amd64) platform, they're hardly likely to be
> > >>> a good match for gentoo in any case.
> > >>>
> > >>
> > >> As a user, I'd still like to have the chance of using Secure Boot
> > >> with Gentoo since it _really_ increases security. Even if it means
> > >> I can no longer build my own kernel.
> > >
> > > It doesn't. It's just a very long wooden fence; you just didn't find
> > > the hole yet.
> > >
> >
> > Oh come on! That's FUD and you know it. If not, did you even look at
> > the specs and working principle?
>
> Could you answer the following questions:
>
> 1. How does it increase security?

Non-signed bootloaders and kernels will not run.

> 2. What happens if, say, your bootloader is compromised?

And how would this happen? Your bootloader would not run.

> 3. What happens if the machine signing the blobs is compromised?

So, who's watching the watchers, right? Come on, this is getting
looney.

greg k-h

Replies

Subject Author
Re: [gentoo-dev] Re: UEFI secure boot and Gentoo "Michał Górny" <mgorny@g.o>