From: Graham Murray
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: UEFI secure boot and Gentoo
Date: Sun, 17 Jun 2012 20:20:09 +0100
Message-ID: <87395tycd2.fsf@einstein.gmurray.org.uk>
In-Reply-To: <5086026.lT0ZpIOn34@mephista> (Sascha Cunz's message of "Sun, 17 Jun 2012 20:56:41 +0200")

Sascha Cunz writes:

> You've said yourself, that "some removable media might not require signatures"
> in order to boot. Well, if that is the case, then isn't this defeating the
> whole point of Secure Boot at that stage?

Not necessarily. As has been stated previously, secure boot is not
intended to protect against an attacker who has physical access. So even
if allowing boot from removable media, it does protect against malware
which corrupts/infects the hard drive boot image.