1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA1 |
3 |
|
4 |
On 06/15/2012 03:49 AM, Florian Philipp wrote: |
5 |
> Am 15.06.2012 09:26, schrieb Michał Górny: |
6 |
>> On Thu, 14 Jun 2012 21:56:04 -0700 |
7 |
>> Greg KH <gregkh@g.o> wrote: |
8 |
>> |
9 |
>>> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote: |
10 |
>>>> On 15 June 2012 09:58, Greg KH <gregkh@g.o> wrote: |
11 |
>>>>> So, anyone been thinking about this? I have, and it's not pretty. |
12 |
>>>>> |
13 |
>>>>> Should I worry about this and how it affects Gentoo, or not worry |
14 |
>>>>> about Gentoo right now and just focus on the other issues? |
15 |
>>>> |
16 |
>>>> I think it at least makes sense to talk about it, and work out what |
17 |
>>>> we can and cannot do. |
18 |
>>>> |
19 |
>>>> I guess we're in an especially bad position since everybody builds |
20 |
>>>> their own bootloader. Is there /any/ viable solution that allows |
21 |
>>>> people to continue doing this short of distributing a first-stage |
22 |
>>>> bootloader blob? |
23 |
>>> |
24 |
>>> Distributing a first-stage bootloader blob, that is signed by |
25 |
>>> Microsoft, or someone, seems to be the only way to easily handle this. |
26 |
>> |
27 |
>> Maybe we could get one such a blob for all distros/systems? |
28 |
>> |
29 |
> |
30 |
> I guess nothing prevents you from re-distributing Fedora's blob. |
31 |
> |
32 |
>> Also, does this signature system have any restrictions on what is |
33 |
>> signed and what is not? In other words, will they actually sign a blob |
34 |
>> saying 'work-around signatures' on the top? |
35 |
>> |
36 |
> |
37 |
> They might sign it. I think it is just an automated process verified |
38 |
> with smartcards. The point is, they will also blacklist it as soon as |
39 |
> malware starts using it (or as soon as they are aware of the possibility). |
40 |
> |
41 |
> It should also be noted that having a bootloader blob is not enough. You |
42 |
> have to do it like Fedora and sign the kernel and modules as well as |
43 |
> removing kernel features that could result in security breaches |
44 |
> (everything outlined in [1]). I don't see any reasonable way to do this |
45 |
> while allowing users to build their own kernel and third-party modules. |
46 |
> |
47 |
> In the end, I think we'll need *-bin packages for everything running in |
48 |
> kernel-space. |
49 |
|
50 |
Being all about choice I have to agree that as long as we have both bin |
51 |
and normal kernels there is nothing wrong with that. However, dear god, |
52 |
with how many kernels we have won't this get really expensive really |
53 |
fast? Even just signing gentoo-sources and hardened-sources would cost |
54 |
a fortune considering both change weekly if not daily. So that puts us |
55 |
to signing just stable releases and damn users who want secure boot and |
56 |
a recent kernel or need a custom patch? This all seems like a huge step |
57 |
in the wrong direction to me, at the very least the amount of effort for |
58 |
this is near insurmountable in my eyes. |
59 |
|
60 |
- -Zero |
61 |
|
62 |
> |
63 |
> [1] http://mjg59.dreamwidth.org/12368.html |
64 |
> |
65 |
> Regards, |
66 |
> Florian Philipp |
67 |
> |
68 |
|
69 |
-----BEGIN PGP SIGNATURE----- |
70 |
Version: GnuPG v2.0.17 (GNU/Linux) |
71 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
72 |
|
73 |
iQIcBAEBAgAGBQJP2u0hAAoJEKXdFCfdEflKtPMP/3qpZ5klkvOnOfMm3anccpEm |
74 |
Zlo8T28+VwEjqt8m0hq/fWNteu4PbvzagD/jFLXym/OEW3w0XDFC8HI/JzbRVicT |
75 |
GAiv3s1zHV0yX/MzIeuSqDG+KnXJhuGige52Nxy2dyC8Ryq0kwOX90rHu2wXU8Z/ |
76 |
RQPuJgxf2Z34qBVNsZKHcH7caxcCUhHK+JmYwIE+hd4Y7vw1YjM49PAxLIQnhRvN |
77 |
lEQJt8lhyHzOzI7eScbQEtWRlGBRL/mtIoEkJa3iQb84hO9yfgAmxW512kZ4u5ZJ |
78 |
x8NVXaBPx6KmwdCugrryYNKMVSAUCvt08f2mPGOS2tyF3eFVcfUL3ZAzaN0Fdl+q |
79 |
0nTgkq5LW0wwLB9woujuxrz949SL+g/JTH2clKZVQdwCX5w4Bt7KCeqKg6+eRhsB |
80 |
+9JoBZ9RYbmLQF5S+gjOuo/71Zds1IKtZIOcWp1jOdktph7udcCEvwJeQbAkK5jP |
81 |
rqT0jEhsTOy1RPIDBTXwLsV6/urKNCwit4nsoD+ZGHZ2GXL+OunheXJDFgfrGevD |
82 |
5ownuPxa6WwLLtCd7S+6SgkcC65jamycs44IjKhoQXtsZUYOj6uBhlVIQymLFVsU |
83 |
r/ZeiOAilxiSP9QwTtZAohsninXQwIGxPbhwTrGp765uzalQoWzoz/Bop3IXdMgU |
84 |
jvY5FSvLQ9Da7RKrxC5W |
85 |
=XcZB |
86 |
-----END PGP SIGNATURE----- |