From: Florian Philipp <lists@binarywings.net>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
Date: Fri, 15 Jun 2012 10:24:54 +0200
Message-ID: <4FDAF156.7090104@binarywings.net>
In-Reply-To: <4FDAED21.7010508@gmail.com>
On 15.06.2012 10:06, Richard Farina wrote:
> On 06/15/2012 03:49 AM, Florian Philipp wrote:
>> On 15.06.2012 09:26, Michał Górny wrote:
>>> On Thu, 14 Jun 2012 21:56:04 -0700
>>> Greg KH <gregkh@gentoo.org> wrote:
>>>
>>>> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote:
>>>>> On 15 June 2012 09:58, Greg KH <gregkh@gentoo.org> wrote:
>>>>>> So, anyone been thinking about this? I have, and it's not pretty.
>>>>>>
>>>>>> Should I worry about this and how it affects Gentoo, or not worry
>>>>>> about Gentoo right now and just focus on the other issues?
>>>>>
>>>>> I think it at least makes sense to talk about it, and work out what
>>>>> we can and cannot do.
>>>>>
>>>>> I guess we're in an especially bad position since everybody builds
>>>>> their own bootloader. Is there /any/ viable solution that allows
>>>>> people to continue doing this short of distributing a first-stage
>>>>> bootloader blob?
>>>>
>>>> Distributing a first-stage bootloader blob, that is signed by
>>>> Microsoft, or someone, seems to be the only way to easily handle this.
>>>
>>> Maybe we could get one such a blob for all distros/systems?
>>>
>
>> I guess nothing prevents you from re-distributing Fedora's blob.
>
>>> Also, does this signature system have any restrictions on what is
>>> signed and what is not? In other words, will they actually sign a blob
>>> saying 'work-around signatures' on the top?
>>>
>
>> They might sign it. I think it is just an automated process verified
>> with smartcards. The point is, they will also blacklist it as soon as
>> malware starts using it (or as soon as they are aware of the possibility).
>
>> It should also be noted that having a bootloader blob is not enough. You
>> have to do it like Fedora and sign the kernel and modules as well as
>> removing kernel features that could result in security breaches
>> (everything outlined in [1]). I don't see any reasonable way to do this
>> while allowing users to build their own kernel and third-party modules.
>
>> In the end, I think we'll need *-bin packages for everything running in
>> kernel-space.
>
> Being all about choice I have to agree that as long as we have both bin
> and normal kernels there is nothing wrong with that. However, dear god,
> with how many kernels we have won't this get really expensive really
> fast? Even just signing gentoo-sources and hardened-sources would cost
> a fortune considering both change weekly if not daily. So that puts us
> to signing just stable releases and damn users who want secure boot and
> a recent kernel or need a custom patch? This all seems like a huge step
> in the wrong direction to me, at the very least the amount of effort for
> this is near insurmountable in my eyes.
>
> -Zero
>
>
>> [1] http://mjg59.dreamwidth.org/12368.html
>
>> Regards,
>> Florian Philipp
>
No, it won't be expensive. Please read the link in my message on how
Fedora does it:
1. You pay $99 *once* as a registration fee. After that, you can sign as
much as you want.
2. In order to avoid the hassle of the actual authentication process for
signing code, Fedora simply signs a stage-1 boot loader which then
verifies all further stages against a custom Fedora key. This key also
has to be secure but it means they can use their own, automated tool
chain for signing kernel and grub builds.
Regards,
Florian Philipp
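A runnable model of the two-tier chain described above (the vendor signs the stage-1 loader once; the stage-1 loader then enforces the distro's own key for every later stage) together with the blacklisting step mentioned earlier in the thread. This is an added example, not code from the thread or from Fedora's shim: HMAC tags stand in for the real Authenticode/RSA signatures so it runs offline with the standard library, and the keys, hashes and image bytes are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins. In real UEFI the firmware db holds X.509 certs and
# images carry RSA Authenticode signatures; here a keyed hash plays that role.
VENDOR_KEY = b"constructed-vendor-signing-key"  # cert lives in the firmware db
DISTRO_KEY = b"constructed-distro-signing-key"  # key embedded in the stage-1 loader


def sign(key: bytes, image: bytes) -> bytes:
    return hmac.new(key, image, hashlib.sha256).digest()


def verify(key: bytes, image: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, image), sig)


def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


@dataclass
class Firmware:
    db: list   # trusted signing keys (stand-in for the certificates in db)
    dbx: set   # revoked image hashes (stand-in for the dbx blacklist)

    def load_stage1(self, image: bytes, sig: bytes) -> str:
        if image_hash(image) in self.dbx:
            return "stage-1 revoked in dbx"
        if not any(verify(k, image, sig) for k in self.db):
            return "stage-1 has no signature trusted by db"
        return "ok"


def boot(fw: Firmware, stage1: bytes, stage1_sig: bytes, stages: list) -> str:
    """Firmware checks stage-1 against db/dbx; stage-1 checks the rest with its embedded key."""
    status = fw.load_stage1(stage1, stage1_sig)
    if status != "ok":
        return status
    for name, image, sig in stages:          # e.g. ("grub", ...), ("kernel", ...)
        if not verify(DISTRO_KEY, image, sig):  # the distro key, not the vendor key
            return f"{name}: rejected by stage-1 loader"
    return "booted"


STAGE1 = b"constructed stage-1 loader image"
STAGE1_SIG = sign(VENDOR_KEY, STAGE1)              # obtained once from the vendor
GRUB, KERNEL = b"constructed grub image", b"constructed distro kernel"
SIGNED_STAGES = [(n, i, sign(DISTRO_KEY, i)) for n, i in (("grub", GRUB), ("kernel", KERNEL))]
FIRMWARE = Firmware(db=[VENDOR_KEY], dbx=set())
```

A self-built kernel signed with a key the stage-1 loader does not embed is refused at the second tier, while adding the stage-1 hash to `dbx` refuses the whole chain at the first tier, which is the blacklisting outcome the thread warns about.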