Message-ID: <4FDE13DA.2070207@binarywings.net>
Date: Sun, 17 Jun 2012 19:28:58 +0200
From: Florian Philipp <lists@binarywings.net>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: UEFI secure boot and Gentoo
References: <20120615042810.GA9480@kroah.com> <pan.2012.06.15.04.50.46@cox.net> <4FDAEA24.3010303@binarywings.net> <20120616195104.192e5abd@pomiocik.lan> <4FDDA166.8010404@binarywings.net> <20120617175104.055e62e8@pomiocik.lan> <20120617165535.GA31617@kroah.com> <20120617190616.186bd49a@pomiocik.lan>
In-Reply-To: <20120617190616.186bd49a@pomiocik.lan>

On 17.06.2012 19:06, Michał Górny wrote:
> On Sun, 17 Jun 2012 09:55:35 -0700
> Greg KH <gregkh@gentoo.org> wrote:
>
>> On Sun, Jun 17, 2012 at 05:51:04PM +0200, Michał Górny wrote:
[...]
>
>>> 3. What happens if the machine signing the blobs is compromised?
>>
>> So, who's watching the watchers, right?  Come on, this is getting
>> looney.
>
> I'm just pointing out that this simply relies on trusting people. Much
> like not having those signatures.
>

If you are so much worried about it, UEFI allows you to remove all keys
and just add your own. That way, only code signed by you will be executed.

And in the standard case, well, it is just as good (or bad) as the SSL
certificate business. It's not a perfect system but it is better than
having everyone using self-signed certificates or none at all.

Regards,
Florian Philipp