Message-ID: <4FDAED21.7010508@gmail.com>
Date: Fri, 15 Jun 2012 04:06:57 -0400
From: Richard Farina
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
In-Reply-To: <4FDAE8ED.6080802@binarywings.net>

On 06/15/2012 03:49 AM, Florian Philipp wrote:
> On 15.06.2012 09:26, Michał Górny wrote:
>> On Thu, 14 Jun 2012 21:56:04 -0700
>> Greg KH wrote:
>>
>>> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote:
>>>> On 15 June 2012 09:58, Greg KH wrote:
>>>>> So, anyone been thinking about this? I have, and it's not pretty.
>>>>>
>>>>> Should I worry about this and how it affects Gentoo, or not worry
>>>>> about Gentoo right now and just focus on the other issues?
>>>>
>>>> I think it at least makes sense to talk about it, and work out what
>>>> we can and cannot do.
>>>>
>>>> I guess we're in an especially bad position since everybody builds
>>>> their own bootloader. Is there /any/ viable solution that allows
>>>> people to continue doing this short of distributing a first-stage
>>>> bootloader blob?
>>>
>>> Distributing a first-stage bootloader blob, that is signed by
>>> Microsoft, or someone, seems to be the only way to easily handle this.
>>
>> Maybe we could get one such blob for all distros/systems?
>>
>
> I guess nothing prevents you from re-distributing Fedora's blob.
>
>> Also, does this signature system have any restrictions on what is
>> signed and what is not? In other words, will they actually sign a blob
>> saying 'work-around signatures' on the top?
>>
>
> They might sign it. I think it is just an automated process verified
> with smartcards. The point is, they will also blacklist it as soon as
> malware starts using it (or as soon as they are aware of the possibility).
>
> It should also be noted that having a bootloader blob is not enough. You
> have to do it like Fedora and sign the kernel and modules as well as
> removing kernel features that could result in security breaches
> (everything outlined in [1]). I don't see any reasonable way to do this
> while allowing users to build their own kernel and third-party modules.
>
> In the end, I think we'll need *-bin packages for everything running in
> kernel-space.

Being all about choice, I have to agree that as long as we have both bin
and normal kernels there is nothing wrong with that. However, dear god,
with how many kernels we have, won't this get really expensive really
fast? Even just signing gentoo-sources and hardened-sources would cost a
fortune considering both change weekly if not daily. So that puts us to
signing just stable releases and damn users who want secure boot and a
recent kernel or need a custom patch? This all seems like a huge step in
the wrong direction to me; at the very least, the amount of effort for
this is near insurmountable in my eyes.
-Zero

> [1] http://mjg59.dreamwidth.org/12368.html
>
> Regards,
> Florian Philipp
>
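The "sign the kernel and modules" step discussed above works, on the module side, by appending a signature trailer to every .ko that the kernel checks at load time. The script below is an added example, not code from this thread, from Gentoo or from Fedora: it lays out that trailer and applies sanity checks modelled on the ones the kernel performs before handing the signature to its PKCS#7 verifier. The trailer constants are taken from the kernel's module_signature definition as I know it (assumed, not quoted from the thread); the module bytes and the "signature" blob are constructed placeholders, so the example shows the format and its failure modes, not cryptographic verification.

```python
import struct
import sys
from dataclasses import dataclass
from typing import Optional

# Constants assumed from the kernel's include/linux/module_signature.h.
MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature: u8 algo, u8 hash, u8 id_type, u8 signer_len,
# u8 key_id_len, u8 __pad[3], __be32 sig_len  (12 bytes, big-endian length)
MODULE_SIG_FMT = ">BBBBB3xI"
MODULE_SIG_LEN = struct.calcsize(MODULE_SIG_FMT)
PKEY_ID_PKCS7 = 2  # id_type for the detached PKCS#7 signatures sign-file emits


@dataclass
class ModuleSignature:
    sig_len: int
    signature: bytes
    payload_len: int  # number of module bytes the signature covers


def append_signature(module: bytes, signature: bytes) -> bytes:
    """Lay out [module][signature][module_signature][magic], the sign-file order.

    `signature` is whatever blob the caller supplies; in this example it is a
    constructed placeholder, not a real PKCS#7 signature.
    """
    hdr = struct.pack(MODULE_SIG_FMT, 0, 0, PKEY_ID_PKCS7, 0, 0, len(signature))
    return module + signature + hdr + MODULE_SIG_STRING


def parse_appended_signature(data: bytes) -> Optional[ModuleSignature]:
    """Return trailer details if `data` ends with a module signature, else None.

    Applies sanity checks modelled on the kernel's own before it would hand
    the blob to the PKCS#7 verifier; a present-but-malformed trailer raises
    ValueError rather than silently counting as "signed".
    """
    if not data.endswith(MODULE_SIG_STRING):
        return None
    body = data[: -len(MODULE_SIG_STRING)]
    if len(body) < MODULE_SIG_LEN:
        raise ValueError("truncated module_signature header")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = struct.unpack(
        MODULE_SIG_FMT, body[-MODULE_SIG_LEN:]
    )
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type}")
    if algo or hash_ or signer_len or key_id_len:
        raise ValueError("header fields that must be zero for PKCS#7 are set")
    payload = body[:-MODULE_SIG_LEN]
    if sig_len == 0 or sig_len >= len(payload):
        raise ValueError(f"sig_len {sig_len} does not fit in {len(payload)} bytes")
    return ModuleSignature(sig_len, payload[-sig_len:], len(payload) - sig_len)


def classify_module(data: bytes) -> str:
    """Summarise a module image as 'unsigned', 'signed (...)' or 'malformed: ...'."""
    try:
        info = parse_appended_signature(data)
    except ValueError as exc:
        return f"malformed: {exc}"
    if info is None:
        return "unsigned"
    return f"signed ({info.sig_len}-byte signature over {info.payload_len} bytes)"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Pass the path of an installed .ko to inspect a real module trailer.
        with open(sys.argv[1], "rb") as f:
            print(classify_module(f.read()))
    else:
        # Constructed sample: a stand-in for an ELF module plus a dummy signature blob.
        module = b"\x7fELF" + b"\x00" * 60
        dummy_sig = b"\x30\x82" + b"\x00" * 30
        print(classify_module(module))
        print(classify_module(append_signature(module, dummy_sig)))
```

Run with a .ko path to see whether an installed module carries a trailer at all; with no argument it classifies the constructed sample. A "signed" result here only means the trailer is well-formed: the kernel additionally verifies the PKCS#7 signature against the keys it trusts, which is the part that actually enforces the policy and which this example deliberately does not imitate.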