From: Richard Farina
Date: Fri, 15 Jun 2012 03:58:26 -0400
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
Message-ID: <4FDAEB22.4010109@gmail.com>
References: <20120615042810.GA9480@kroah.com>

On 06/15/2012 03:12 AM, Ben de Groot wrote:
> On 15 June 2012 13:24, Arun Raghavan wrote:
>> On 15 June 2012 10:33, Ben de Groot wrote:
>>> On 15 June 2012 12:45, Arun Raghavan wrote:
>>>> On 15 June 2012 09:58, Greg KH wrote:
>>>>> So, anyone been thinking about this? I have, and it's not pretty.
>>>>>
>>>>> Minor details like, "do we have a 'company' that can pay Microsoft to
>>>>> sign our bootloader?" is one aspect from the non-technical side that I've
>>>>> been wondering about.
>>>>
>>>> Sounds like something the Gentoo Foundation could do.
>>>
>>> I'm certainly not the only one who would be averse to paying Microsoft
>>> any ransom money.
>>
>> And our refusal to pay for the signing affects precisely nobody except
>> for our users, who will have to jump through an extra hoop to make
>> their system work.
>>
>> On the flip side, having a simple way to use this infrastructure means
>> that people who care about security can get a chain of trust from the
>> firmware to the kernel (heck, maybe even userspace one day). This is
>> something that is worth having as well.
>
> I agree that security is a worthwhile goal. I just don't trust Microsoft.
> It's more of a "pay us or your system can't boot" that I'm opposed to.

Saying "I just don't trust Microsoft" is second to "I just don't trust
corporations that extort money from me just so I can boot". I don't care
who we are paying; I'm offended by the idea. If users can't build their
own fully functional boot loader, that's an issue. I'm all for the signed
"work-around signatures" idea as it is the least objectionable... if such
a thing is even possible.

-Zero