Gentoo Archives: gentoo-dev

From: Florian Philipp <lists@×××××××××××.net>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Re: UEFI secure boot and Gentoo
Date: Sun, 17 Jun 2012 17:29:58
In Reply to: Re: [gentoo-dev] Re: UEFI secure boot and Gentoo by "Michał Górny"

On 17.06.2012 19:06, Michał Górny wrote:
> On Sun, 17 Jun 2012 09:55:35 -0700
> Greg KH <gregkh@g.o> wrote:
>
>> On Sun, Jun 17, 2012 at 05:51:04PM +0200, Michał Górny wrote:
>>> 3. What happens if the machine signing the blobs is compromised?
>>
>> So, who's watching the watchers, right? Come on, this is getting
>> looney.
>
> I'm just pointing out that this simply relies on trusting people. Much
> like not having those signatures.
>

If you are so worried about it, UEFI allows you to remove all keys
and just add your own. That way, only code signed by you will be executed.

And in the standard case, well, it is just as good (or bad) as the SSL
certificate business. It's not a perfect system but it is better than
having everyone using self-signed certificates or none at all.

Regards,
Florian Philipp


File name MIME type
signature.asc application/pgp-signature