From: Florian Philipp
Date: Fri, 15 Jun 2012 10:24:54 +0200
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
Message-ID: <4FDAF156.7090104@binarywings.net>
References: <20120615042810.GA9480@kroah.com> <20120615045604.GA25651@kroah.com> <20120615092607.68e5ddf0@pomiocik.lan> <4FDAE8ED.6080802@binarywings.net> <4FDAED21.7010508@gmail.com>
In-Reply-To: <4FDAED21.7010508@gmail.com>

On 15.06.2012 10:06, Richard Farina wrote:
> On 06/15/2012 03:49 AM, Florian Philipp wrote:
>> On 15.06.2012 09:26, Michał Górny wrote:
>>> On Thu, 14 Jun 2012 21:56:04 -0700
>>> Greg KH wrote:
>>>
>>>> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote:
>>>>> On 15 June 2012 09:58, Greg KH wrote:
>>>>>> So, anyone been thinking about this? I have, and it's not pretty.
>>>>>>
>>>>>> Should I worry about this and how it affects Gentoo, or not worry
>>>>>> about Gentoo right now and just focus on the other issues?
>>>>>
>>>>> I think it at least makes sense to talk about it, and work out what
>>>>> we can and cannot do.
>>>>>
>>>>> I guess we're in an especially bad position since everybody builds
>>>>> their own bootloader. Is there /any/ viable solution that allows
>>>>> people to continue doing this short of distributing a first-stage
>>>>> bootloader blob?
>>>>
>>>> Distributing a first-stage bootloader blob, that is signed by
>>>> Microsoft, or someone, seems to be the only way to easily handle this.
>>>
>>> Maybe we could get one such blob for all distros/systems?
>>>
>
>> I guess nothing prevents you from re-distributing Fedora's blob.
>
>>> Also, does this signature system have any restrictions on what is
>>> signed and what is not? In other words, will they actually sign a blob
>>> saying 'work-around signatures' on the top?
>>>
>
>> They might sign it. I think it is just an automated process verified
>> with smartcards. The point is, they will also blacklist it as soon as
>> malware starts using it (or as soon as they are aware of the possibility).
>
>> It should also be noted that having a bootloader blob is not enough. You
>> have to do it like Fedora and sign the kernel and modules as well as
>> removing kernel features that could result in security breaches
>> (everything outlined in [1]). I don't see any reasonable way to do this
>> while allowing users to build their own kernel and third-party modules.
>
>> In the end, I think we'll need *-bin packages for everything running in
>> kernel-space.
>
> Being all about choice I have to agree that as long as we have both bin
> and normal kernels there is nothing wrong with that. However, dear god,
> with how many kernels we have won't this get really expensive really
> fast? Even just signing gentoo-sources and hardened-sources would cost
> a fortune considering both change weekly if not daily. So that puts us
> to signing just stable releases and damn users who want secure boot and
> a recent kernel or need a custom patch? This all seems like a huge step
> in the wrong direction to me, at the very least the amount of effort for
> this is near insurmountable in my eyes.
>
> -Zero
>
>
>> [1] http://mjg59.dreamwidth.org/12368.html
>
>> Regards,
>> Florian Philipp
>

No, it won't be expensive.
Please read the link in my message on how Fedora do it:

1. You pay $99 *once* as a registration fee. After that, you can sign as
much as you want.

2. In order to avoid the hassle of the actual authentication process for
signing code, Fedora simply signs a stage-1 boot loader which then
verifies all further stages against a custom Fedora key. This key also
has to be secure but it means they can use their own, automated tool
chain for signing kernel and grub builds.

Regards,
Florian Philipp
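The arrangement Florian describes (firmware trusts one CA-signed stage-1 loader, the loader carries the distro's own key and checks grub and the kernel against it, and the CA can later blacklist the loader) can be modelled end to end. The following is an added example, not code from the thread, from Fedora or from Gentoo. Everything in it is an assumption made for illustration: the firmware's "db" list of trusted signer keys and "dbx" list of revoked image hashes, the made-up image layouts, and textbook RSA over SHA-256 with toy 256-bit primes standing in for the Authenticode signatures real firmware verifies.

```python
"""Toy model of a two-stage Secure Boot chain: CA-signed shim carrying a
vendor key, later stages verified by the shim against that key, plus CA
blacklisting.  Added example with hypothetical layouts and toy-size RSA;
not Fedora's, Gentoo's or the list's code."""
import hashlib
import random
from dataclasses import dataclass

rng = random.Random(20120615)  # seeded so the toy keys are reproducible


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; fine for a demo, not for real key generation."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


@dataclass(frozen=True)
class Key:
    n: int
    e: int
    d: int = 0  # private exponent; 0 on a public-only key

    def public(self):
        return Key(self.n, self.e)


def generate_key(bits=256):
    """Toy RSA key: 512-bit modulus, so a SHA-256 digest always fits."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this gives gcd(e, phi) == 1
            return Key(p * q, e, pow(e, -1, phi))


def sign(key, data):
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), key.d, key.n)


def verify(pub, data, sig):
    return pow(sig, pub.e, pub.n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


@dataclass(frozen=True)
class Image:
    name: str
    payload: bytes
    sig: int

    def sha256(self):
        return hashlib.sha256(self.payload).hexdigest()


def sign_image(name, payload, key):
    return Image(name, payload, sign(key, payload))


def build_shim(vendor_pub, ca_key):
    """Stage-1 loader (hypothetical layout).  The vendor key is inside the
    signed payload, so swapping it needs a fresh CA signature."""
    return sign_image("shim", b"shim-code|%d|%d" % (vendor_pub.n, vendor_pub.e), ca_key)


def embedded_vendor_key(shim):
    _, n, e = shim.payload.split(b"|")
    return Key(int(n), int(e))


class Firmware:
    """db: keys allowed to sign the first stage; dbx: revoked image hashes."""

    def __init__(self, db):
        self.db, self.dbx = list(db), set()

    def revoke(self, image):
        self.dbx.add(image.sha256())

    def boot(self, shim, *stages):
        if shim.sha256() in self.dbx:
            return False, "firmware: shim hash is in dbx"
        if not any(verify(k, shim.payload, shim.sig) for k in self.db):
            return False, "firmware: shim not signed by a db key"
        # From here on the shim checks, against the key it carries, not db.
        vendor = embedded_vendor_key(shim)
        for st in stages:
            if not verify(vendor, st.payload, st.sig):
                return False, f"shim: {st.name} not signed by the vendor key"
        return True, "booted: shim -> " + " -> ".join(s.name for s in stages)


def scenario():
    ms, fedora, user = generate_key(), generate_key(), generate_key()
    fw = Firmware([ms.public()])            # what the machine ships trusting
    shim = build_shim(fedora.public(), ms)  # the one image that needs the CA
    grub = sign_image("grub", b"grub-2.00", fedora)            # distro's own chain
    kernel = sign_image("vmlinuz-3.4", b"kernel-3.4", fedora)
    custom = sign_image("vmlinuz-local", b"kernel-3.4+local", user)  # self-built
    out = {"distro_chain": fw.boot(shim, grub, kernel),
           "self_built_kernel": fw.boot(shim, grub, custom)}
    # Re-embedding the user's key in the shim invalidates the CA signature.
    forged = Image("shim", build_shim(user.public(), user).payload, shim.sig)
    out["reembedded_key"] = fw.boot(forged, grub, custom)
    fw.revoke(shim)                         # the blacklisting mentioned above
    out["after_blacklist"] = fw.boot(shim, grub, kernel)
    return out
```

Running scenario() shows the four outcomes the thread argues about: the distro-signed chain boots, a kernel built and signed locally is refused by the shim, a shim with a different embedded key no longer carries a valid CA signature, and once the CA puts the shim's hash in dbx nothing behind it boots regardless of how well the later stages are signed.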