From: "Walter Dnes"
Date: Fri, 15 Jun 2012 07:32:48 -0400
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
Message-ID: <20120615113248.GA22231@waltdnes.org>
References: <20120615042810.GA9480@kroah.com> <4FDAEB22.4010109@gmail.com> <4FDAF42E.9010304@binarywings.net>
In-Reply-To: <4FDAF42E.9010304@binarywings.net>

On Fri, Jun 15, 2012 at 10:37:02AM +0200, Florian Philipp wrote

> Besides, it wouldn't work long. They can blacklist keys.

Question...
How would "blacklisting" work on linux machines? Let's say Joe Blow gets a signing key and then passes it around. I can see that if you want to build an executable (*.exe) to run under Windows, you'll run into problems if the monthly MS Windows Update kills that specific key. How could MS do anything to linux users who used the key to get their machine running? All I can think of is that the blacklisted keys would be added to some encrypted table in the UEFI in future versions of the UEFI/BIOS. Oh yeah, remember to *NOT* do unnecessary firmware updates to your UEFI/BIOS.

As for a signed 1st-stage bootloader, is it just me, or is nobody else concerned/paranoid about MS sticking their binary code on my machine? We used to laugh at Sony rootkits, but that's what we could be looking at here.

-- 
Walter Dnes
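The table Walter is guessing at is the UEFI forbidden-signature database, the `dbx` variable, which holds EFI_SIGNATURE_LIST structures of revoked certificates and image hashes and which a Linux kernel with efivarfs exposes under /sys/firmware/efi/efivars. The parser below is an added example, not code from this thread or from Gentoo: it decodes that structure so you can inspect what your own firmware currently refuses to boot, and falls back to a constructed sample list (made-up hash values) when no efivarfs is present. The signature-owner GUID in the sample is a placeholder, not a real vendor GUID.

```python
import os
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# dbx variable as exposed by efivarfs (name-<EFI_IMAGE_SECURITY_DATABASE_GUID>)
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_siglists(data):
    """Walk a chain of EFI_SIGNATURE_LIST headers; return (type, owner, payload) tuples."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + 28 + hdr_size  # skip the optional SignatureHeader
        while pos + sig_size <= off + list_size:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries


def read_dbx(path=DBX_PATH):
    """efivarfs prepends a 4-byte attribute word to the raw variable contents."""
    with open(path, "rb") as f:
        return parse_siglists(f.read()[4:])


def is_hash_revoked(entries, sha256_digest):
    """True if a PE image with this SHA-256 hash is listed in dbx."""
    return any(t == EFI_CERT_SHA256_GUID and p == sha256_digest for t, _, p in entries)


def build_siglist(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST without a SignatureHeader (used for the sample)."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


# Constructed sample dbx: two SHA-256 image hashes, owner GUID is a placeholder
SAMPLE_OWNER = uuid.UUID(int=1)
SAMPLE_DBX = build_siglist(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\x11" * 32, b"\x22" * 32])

if __name__ == "__main__":
    entries = read_dbx() if os.path.exists(DBX_PATH) else parse_siglists(SAMPLE_DBX)
    for sig_type, owner, payload in entries:
        kind = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}.get(sig_type, str(sig_type))
        print(kind, owner, payload[:8].hex())
```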