Gentoo Archives: gentoo-dev

From: gregkh@g.o
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
Date: Sat, 16 Jun 2012 00:05:58
Message-Id: 20120616000340.GH9885@kroah.com
In Reply to: Re: [gentoo-dev] UEFI secure boot and Gentoo by "Michał Górny"

On Fri, Jun 15, 2012 at 09:26:07AM +0200, Michał Górny wrote:
> On Thu, 14 Jun 2012 21:56:04 -0700
> Greg KH <gregkh@g.o> wrote:
>
> > On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote:
> > > On 15 June 2012 09:58, Greg KH <gregkh@g.o> wrote:
> > > > So, anyone been thinking about this?  I have, and it's not pretty.
> > > >
> > > > Should I worry about this and how it affects Gentoo, or not worry
> > > > about Gentoo right now and just focus on the other issues?
> > >
> > > I think it at least makes sense to talk about it, and work out what
> > > we can and cannot do.
> > >
> > > I guess we're in an especially bad position since everybody builds
> > > their own bootloader. Is there /any/ viable solution that allows
> > > people to continue doing this short of distributing a first-stage
> > > bootloader blob?
> >
> > Distributing a first-stage bootloader blob, that is signed by
> > Microsoft, or someone, seems to be the only way to easily handle this.
>
> Maybe we could get one such blob for all distros/systems?
>
> Also, does this signature system have any restrictions on what is
> signed and what is not? In other words, will they actually sign a blob
> saying 'work-around signatures' on the top?

It is uncertain at the moment what the requirements are, I'm trying to
nail this down. But, in order to protect all other companies, I imagine
they are going to be pretty restrictive, otherwise it really makes no
sense at all to have this in the first place.

greg k-h