From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-dev+bounces-52475-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1SfRIJ-0007a1-5k
	for garchives@archives.gentoo.org; Fri, 15 Jun 2012 07:50:11 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 3B5EFE06C5;
	Fri, 15 Jun 2012 07:49:53 +0000 (UTC)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27])
	by pigeon.gentoo.org (Postfix) with ESMTP id 27596E0160
	for <gentoo-dev@lists.gentoo.org>; Fri, 15 Jun 2012 07:49:10 +0000 (UTC)
Received: from compute1.internal (compute1.nyi.mail.srv.osa [10.202.2.41])
	by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id D4F132108D
	for <gentoo-dev@lists.gentoo.org>; Fri, 15 Jun 2012 03:49:09 -0400 (EDT)
Received: from frontend1.nyi.mail.srv.osa ([10.202.2.160])
  by compute1.internal (MEProxy); Fri, 15 Jun 2012 03:49:09 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=binarywings.net;
	 h=message-id:date:from:mime-version:to:subject:references
	:in-reply-to:content-type; s=mesmtp; bh=/mWJRZ/Cw2wjBvLpAbGiXESb
	Ngs=; b=OEOpKsvmILpRMl0rBGiCaJwexJqnxj7NCx+K0GPOjYoV2wh19iUYezH0
	fTb3ktrpPhTXNAd6zpAbd3VKkjCwJcl9Ws8NcFatWMt7Arb9vS58gp2QBgWWOkUe
	76gXN5Ovxu7ptxjzqqDu2WFax7dcvcEsGDEI+9IjeQT7F7grInE=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
	messagingengine.com; h=message-id:date:from:mime-version:to
	:subject:references:in-reply-to:content-type; s=smtpout; bh=/mWJ
	RZ/Cw2wjBvLpAbGiXESbNgs=; b=KEd0EtSB+GMpO7hNBqoe6cip2XBMR05w8zVQ
	du4SM9ZoyRDDu5Lb/dLw8cQbioegGE4zYZL1suR3bCRlW6Qz3Oo3ETROhK+jpYPF
	LmfGF8RsKl35v7tBj+HclaUi06qHYT+WoIUFEUvDjOS9aYORM4QpeM4Jnmpob4sv
	cI5F/4I=
X-Sasl-enc: iGrmtFs0T2J2Lerh36HyIhbTXPQkV4I+pQtirP3qmxfb 1339746548
Received: from [192.168.5.18] (unknown [83.169.5.6])
	by mail.messagingengine.com (Postfix) with ESMTPA id AA7338E0169
	for <gentoo-dev@lists.gentoo.org>; Fri, 15 Jun 2012 03:49:08 -0400 (EDT)
Message-ID: <4FDAE8ED.6080802@binarywings.net>
Date: Fri, 15 Jun 2012 09:49:01 +0200
From: Florian Philipp <lists@binarywings.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.4) Gecko/20120602 Thunderbird/10.0.4
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
References: <20120615042810.GA9480@kroah.com> <CAO38tUqNiPif=+o_08gZ2LLg+HgWU=as1OS9NPaHpDr3wM2udQ@mail.gmail.com> <20120615045604.GA25651@kroah.com> <20120615092607.68e5ddf0@pomiocik.lan>
In-Reply-To: <20120615092607.68e5ddf0@pomiocik.lan>
X-Enigmail-Version: 1.3.5
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="------------enig199C9C293C58A75BA2EEA4A5"
X-Archives-Salt: c8cfb7d5-e98d-4189-954a-04c21ec50fa5
X-Archives-Hash: d666916cdfaee40e036592de52af0303

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig199C9C293C58A75BA2EEA4A5
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 15.06.2012 09:26, Michał Górny wrote:
> On Thu, 14 Jun 2012 21:56:04 -0700
> Greg KH <gregkh@gentoo.org> wrote:
>
>> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote:
>>> On 15 June 2012 09:58, Greg KH <gregkh@gentoo.org> wrote:
>>>> So, anyone been thinking about this?  I have, and it's not pretty.
>>>>
>>>> Should I worry about this and how it affects Gentoo, or not worry
>>>> about Gentoo right now and just focus on the other issues?
>>>
>>> I think it at least makes sense to talk about it, and work out what
>>> we can and cannot do.
>>>
>>> I guess we're in an especially bad position since everybody builds
>>> their own bootloader. Is there /any/ viable solution that allows
>>> people to continue doing this short of distributing a first-stage
>>> bootloader blob?
>>
>> Distributing a first-stage bootloader blob, that is signed by
>> Microsoft, or someone, seems to be the only way to easily handle this.
>
> Maybe we could get one such blob for all distros/systems?
>

I guess nothing prevents you from re-distributing Fedora's blob.

> Also, does this signature system have any restrictions on what is
> signed and what is not? In other words, will they actually sign a blob
> saying 'work-around signatures' on the top?
>

They might sign it. I think it is just an automated process verified
with smartcards. The point is, they will also blacklist it as soon as
malware starts using it (or as soon as they are aware of the possibility).

It should also be noted that having a bootloader blob is not enough. You
have to do it like Fedora and sign the kernel and modules as well as
removing kernel features that could result in security breaches
(everything outlined in [1]). I don't see any reasonable way to do this
while allowing users to build their own kernel and third-party modules.

In the end, I think we'll need *-bin packages for everything running in
kernel-space.

[1] http://mjg59.dreamwidth.org/12368.html

Regards,
Florian Philipp


--------------enig199C9C293C58A75BA2EEA4A5
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/a6PIACgkQqs4uOUlOuU/MUQCfec8ztYtzM7a9IPPEE7AJaunU
A44AnjCdqjSpGCw+5GF4G2hNwlV0QYCG
=9PlQ
-----END PGP SIGNATURE-----

--------------enig199C9C293C58A75BA2EEA4A5--