From: Rich Freeman
To: gentoo-dev@lists.gentoo.org
Cc: gregkh@gentoo.org, lists@binarywings.net
Date: Sun, 17 Jun 2012 13:17:40 -0400
Subject: Re: [gentoo-dev] Re: UEFI secure boot and Gentoo
In-Reply-To: <20120617190616.186bd49a@pomiocik.lan>
References: <20120615042810.GA9480@kroah.com> <4FDAEA24.3010303@binarywings.net> <20120616195104.192e5abd@pomiocik.lan> <4FDDA166.8010404@binarywings.net> <20120617175104.055e62e8@pomiocik.lan> <20120617165535.GA31617@kroah.com> <20120617190616.186bd49a@pomiocik.lan>

On Sun, Jun 17, 2012 at 1:06 PM, Michał Górny wrote:
> On Sun, 17 Jun 2012 09:55:35 -0700
> Greg KH wrote:
>
>> On Sun, Jun 17, 2012 at 05:51:04PM +0200, Michał Górny wrote:
>> > 2. What happens if, say, your bootloader is compromised?
>>
>> And how would this happen?  Your bootloader would not run.
>
> Yes. I'm asking what happens next. Is there an easy way to replace it?
> Or is your computer bricked until you run some other bootloader to
> replace the compromised one?

My understanding is that there are a few options here. One is to simply
re-image the system, either directly (as any vendor does), or after
booting off of removable media. I'd have to re-read the spec, but some of
those might not require signatures, and in any case ones with valid
signatures should be available.

You can of course disable secure boot or go into custom mode as well,
which lets you do whatever you want until you have the system back in a
bootable state.

If you're running Windows 8 I believe they plan to have a recovery
partition as well, which will be signed and bootable and which is
designed to recover the OS.

Rich