Gentoo Archives: gentoo-dev

From: Matthew Finkel <matthew.finkel@×××××.com>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Re: UEFI secure boot and Gentoo
Date: Fri, 15 Jun 2012 05:03:20
In Reply to: [gentoo-dev] Re: UEFI secure boot and Gentoo by Duncan <>
On Fri, Jun 15, 2012 at 12:50 AM, Duncan <1i5t5.duncan@×××.net> wrote:

> Greg KH posted on Thu, 14 Jun 2012 21:28:10 -0700 as excerpted:
>
> > So, anyone been thinking about this? I have, and it's not pretty.
> >
> > Should I worry about this and how it affects Gentoo, or not worry about Gentoo right now and just focus on the other issues?
> >
> > Minor details like, "do we have a 'company' that can pay Microsoft to sign our bootloader?" is one aspect from the non-technical side that I've been wondering about.
>
> I've been following developments and wondering a bit about this myself.
>
> I had concluded that at least for x86/amd64, where MS is mandating a user controlled disable-signed-checking option, gentoo shouldn't have a problem. Other than updating the handbook to accommodate UEFI, presumably along with the grub2 stabilization, I believe we're fine as if a user can't figure out how to disable that option on their (x86/amd64) platform, they're hardly likely to be a good match for gentoo in any case.
>
> ARM and etc could be more problematic since MS is mandating no-unlock there, last I read. I have no clue how they can get away with that anti-trust-wise, but anyway... But I honestly don't know enough about other than x86/amd64 platforms to worry about it, personally.
For the short term, we don't have many options besides either adding to the documentation that the user needs to disable UEFI or wipe the current valid keys and add their own (devs may need to make sure there's a way to do this on the livecd). Of course there's the third option of everyone purchasing a key from Verisign, but....

As for non-x86 systems, Gentoo is between a rock and a hard place. I hope there will be a similar mechanism for the user to implement their own valid key chain and remove Microsoft's, but who knows. The devs and we need to decide on a uniform way of handling this situation.

- Matt