From: Florian Philipp
Date: Sun, 17 Jun 2012 19:28:58 +0200
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: UEFI secure boot and Gentoo

On 17.06.2012 19:06, Michał Górny wrote:
> On Sun, 17 Jun 2012 09:55:35 -0700
> Greg KH wrote:
>
>> On Sun, Jun 17, 2012 at 05:51:04PM +0200, Michał Górny wrote:
[...]
>
>>> 3. What happens if the machine signing the blobs is compromised?
>>
>> So, who's watching the watchers, right? Come on, this is getting
>> looney.
>
> I'm just pointing out that this simply relies on trusting people. Much
> like not having those signatures.
>

If you are so much worried about it, UEFI allows you to remove all keys
and just add your own. That way, only code signed by you will be executed.

And in the standard case, well, it is just as good (or bad) as the SSL
certificate business. It's not a perfect system but it is better than
having everyone using self-signed certificates or none at all.

Regards,
Florian Philipp