From: Luca Barbato
Date: Fri, 15 Jun 2012 14:22:13 +0200
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
Message-ID: <4FDB28F5.8080303@gentoo.org>
References: <20120615042810.GA9480@kroah.com>

On 06/15/2012 12:14 PM, Rich Freeman wrote:
> 5. If somebody (perhaps under the umbrella of hardened) wanted to
> create a Gentoo project around a fully trusted Gentoo I'd be
> completely supportive of that. It would take work. In the spirit of
> Gentoo we should allow anybody to build their own signed with their
> own key, and perhaps we might have an official Gentoo-certified one
> that we would sign and the Foundation would obtain the necessary UEFI
> keys. However, that should be viewed as more of a service, and not a
> core offering - Gentoo will never depend on a piece of non-free
> software or metadata (and I'd probably lump a signing key into that
> category). The same tools (minus the private keys) used to generate
> any secure offering made by Gentoo should be available for users to
> use and sign their own systems.

If we want to try to get serious on 5, we could try to gather the
hardened/security people across distributions and set up the whole chain
to be parallel and cut deals with OEMs to store these trust-chain keys
along with MS.

lu

--
Luca Barbato
Gentoo/linux
http://dev.gentoo.org/~lu_zero