From: Rich Freeman
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Killing UEFI Secure Boot
Date: Tue, 19 Jun 2012 20:22:55 -0400
In-Reply-To: <4FE0F922.2090807@gentoo.org>
List: gentoo-dev (Gentoo Linux mail)

On Tue, Jun 19, 2012 at 6:11 PM, Richard Yao wrote:
> I know that the Core Boot project also tries to accomplish this, but their development process is slow and their approach seems to make the boot process more complicated than it needs to be. Since Secure Boot will force us to flash our BIOS chips (or stick to old hardware), I think it would be worthwhile to develop our own solution by extending genkernel. This should have the benefit of making our systems boot faster.

So, replacing a BIOS is a fairly tall order - I'm not convinced that Core Boot is slow simply because they're doing it wrong. They're also looking to add value (like booting a diskless server off of a random website or whatever - not just simple disk/PXE like most BIOS). My understanding is that clusters are one of their big use cases.

I also don't get the claim that we need to flash our BIOS chips to get around secure boot. If you don't want to use secure boot, just disable it - it is no harder than changing your boot device order, system time, or any of a myriad of other firmware settings. It gets more complicated if you want to keep secure boot but boot your own OS, since you have to manage the keys/signing/etc.

Nothing is keeping anybody from creating their own firmware. However, I doubt we'll see 25 devs take this on as a full-time job, which is probably what it would take to support the bazillions of boards out there. Keep in mind that many motherboard vendors require signed firmware, so you'll need to find an exploit for every make/model out there to even load your firmware. That seems a bit much compared to just disabling secure boot...

Rich
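The reply above turns on two firmware facts: whether Secure Boot is actually enabled, and whether the platform owner still controls key enrollment (which is what "manage the keys/signing" boils down to). The script below is an added example written for this archive, not code from the thread or from Gentoo; it reads the `SecureBoot` and `SetupMode` UEFI variables as Linux exposes them in efivarfs, where each file is a 4-byte attribute header followed by the variable data. The `/sys/firmware/efi/efivars` path and the `8be4df61-...` EFI_GLOBAL_VARIABLE GUID are real; the sample variable files it builds for the offline demo are constructed.

```shell
#!/bin/sh
# Added example (not from the gentoo-dev thread): report UEFI Secure Boot
# state from efivarfs. Each file under /sys/firmware/efi/efivars is
# <Name>-<GUID> and contains a 4-byte little-endian attribute word
# followed by the variable data; SecureBoot and SetupMode carry one byte.

EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
# EFI_GLOBAL_VARIABLE GUID: the namespace of SecureBoot and SetupMode.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivar_byte FILE: print the first data byte (offset 4) in decimal.
# Prints nothing if the file is shorter than 5 bytes; fails if unreadable.
efivar_byte() {
    [ -r "$1" ] || return 1
    dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n'
}

# secure_boot_state DIR: "enabled", "disabled" or "unsupported"
# (no variable present, e.g. a legacy-BIOS boot or no efivarfs mount).
secure_boot_state() {
    b=$(efivar_byte "$1/SecureBoot-$EFI_GLOBAL_GUID") || { echo unsupported; return 0; }
    case "$b" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unsupported ;;
    esac
}

# setup_mode_state DIR: "setup" means no Platform Key is enrolled, so the
# owner can enroll their own PK/KEK/db keys from the OS or firmware menu;
# "user" means a PK exists and key changes must be signed by it.
setup_mode_state() {
    b=$(efivar_byte "$1/SetupMode-$EFI_GLOBAL_GUID") || { echo unknown; return 0; }
    case "$b" in
        1) echo setup ;;
        0) echo user ;;
        *) echo unknown ;;
    esac
}

# make_sample_efivars DIR: constructed sample files so the demo runs offline.
# Attribute word 0x00000006 (BS|RT) little-endian, then the data byte.
make_sample_efivars() {
    mkdir -p "$1"
    printf '\006\000\000\000\001' > "$1/SecureBoot-$EFI_GLOBAL_GUID"   # enabled
    printf '\006\000\000\000\000' > "$1/SetupMode-$EFI_GLOBAL_GUID"    # user mode
}

# Demo: first the constructed directory, then the running machine.
SAMPLE_DIR=$(mktemp -d)
make_sample_efivars "$SAMPLE_DIR"
echo "sample:  SecureBoot=$(secure_boot_state "$SAMPLE_DIR") SetupMode=$(setup_mode_state "$SAMPLE_DIR")"
echo "machine: SecureBoot=$(secure_boot_state "$EFIVARS_DIR") SetupMode=$(setup_mode_state "$EFIVARS_DIR")"
rm -rf "$SAMPLE_DIR"
```

Reading the variables needs no privileges beyond access to efivarfs, so this is a safe first check before deciding between the two paths the reply describes: turning Secure Boot off in the firmware menu, or keeping it on and enrolling the owner's own keys (only straightforward while `SetupMode` reports `setup`) and then signing the kernel image with one of them.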