List-Id: Gentoo Linux mail
Date: Sun, 9 Dec 2012 19:52:16 -0500
In-Reply-To: <50C52BD5.3070202@flameeyes.eu>
References: <20121209182452.GA6301@kroah.com> <20121209185946.GB6595@kroah.com> <50C52BD5.3070202@flameeyes.eu>
Subject: Re: [gentoo-dev] borked release media
From: Rich Freeman
To: gentoo-dev

On Sun, Dec 9, 2012 at 7:24 PM, Diego Elio Pettenò wrote:
> On 09/12/2012 19:59, Greg KH wrote:
>> The UEFI spec does not allow that mode of operation in secure boot mode,
>> sorry. You will have to disable it in order to boot a Gentoo image,
>> which is fine, but there's no reason why Gentoo can't use the MS-signed
>> shim bootloader like all other distros are using, right?

I thought I had read something in Google+ posted by somebody who mentioned that their firmware was doing exactly that. It may very well be prohibited by the spec though, in which case we shouldn't count on it.

> I wouldn't say we have any problem with that. Fabio already got Sabayon
> to support the shim. The only problem is that we'd have to provide a
> shim binary that _is_ signed, rather than building it from source, but I
> don't see it as a major problem myself.

Agreed. We don't need to make our own shim either - we can just use one of the ones floating around. It should be open source, though obviously if anybody wants to build their own they'll need to get MS to sign it, or install the key in their firmware.

I really would like Gentoo to support a self-signed secure boot framework (obviously this would be for after the system is installed). The shim might work, but I'd hardly call it "secure boot" if every motherboard manufacturer and OEM in the world has the ability to sign things, even if MS vouched for them all. Even if I installed Windows I'd want the ability to re-sign it with a key I controlled and tell the firmware to refuse to boot the MS key. But, we can learn to walk before we learn to run - anything that works with UEFI is a good first step.
Oh, and for anybody who is really daring - you can have that kind of security even without UEFI. Just use Trusted Grub and enable TPM support in Linux, and then encrypt all but the boot partition with a key stored in the TPM that it only yields when the boot path is validated. Probably wouldn't hurt to stick a copy of the key on a flash drive or something just in case you update your kernel and forget to update the TPM.

Rich
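The scheme Rich sketches (measured boot path, disk key sealed to the TPM, backup copy on a flash drive for the kernel-update case), worked through as an added Python model. This is not code from the thread, from Trusted GRUB, or from tpm-tools; it replaces the TPM with a software stand-in so the logic runs anywhere. The storage root key, the boot component names and the disk key are constructed for the demonstration, and the HMAC-based wrapping is a stand-in for the TPM's own seal operation, chosen so that the observable behaviour is the same: the key comes back only when every measurement in the boot path matches what was sealed against.

```python
"""Model of sealing a disk key to a measured boot path (constructed example)."""
import hashlib
import hmac

PCR_LEN = 32  # SHA-256 PCR here; a TPM 1.2 of the era used 20-byte SHA-1 PCRs


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new = H(old_pcr || H(measurement)). One-way and order-sensitive."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_path(components) -> bytes:
    """Measured boot: each stage hashes the next stage into the PCR before running it."""
    pcr = bytes(PCR_LEN)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _keystream(key: bytes, n: int) -> bytes:
    """HMAC in counter mode; stand-in for the TPM's symmetric wrapping."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _wrap_key(srk: bytes, pcr: bytes) -> bytes:
    """Wrapping key depends on the TPM-resident root key AND the PCR value."""
    return hmac.new(srk, b"seal|" + pcr, hashlib.sha256).digest()


def seal(secret: bytes, expected_pcr: bytes, srk: bytes) -> bytes:
    """Encrypt and authenticate secret under a key bound to expected_pcr."""
    wrap = _wrap_key(srk, expected_pcr)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(wrap, len(secret))))
    tag = hmac.new(wrap, ct, hashlib.sha256).digest()
    return ct + tag


def unseal(blob: bytes, current_pcr: bytes, srk: bytes):
    """Succeeds only if current_pcr equals the value the blob was sealed against."""
    ct, tag = blob[:-32], blob[-32:]
    wrap = _wrap_key(srk, current_pcr)
    if not hmac.compare_digest(tag, hmac.new(wrap, ct, hashlib.sha256).digest()):
        return None  # PCR mismatch: the TPM refuses to release the key
    return bytes(a ^ b for a, b in zip(ct, _keystream(wrap, len(ct))))


# Constructed values. A real storage root key never leaves the TPM.
SRK = hashlib.sha256(b"constructed storage root key").digest()
DISK_KEY = hashlib.sha256(b"constructed LUKS master key").digest()

# Constructed boot paths: firmware, bootloader, kernel, initramfs.
GOOD_BOOT = [b"bios-v1", b"trusted-grub", b"vmlinuz-3.6.11", b"initramfs-3.6.11"]
UPDATED_KERNEL = [b"bios-v1", b"trusted-grub", b"vmlinuz-3.7.0", b"initramfs-3.7.0"]
TAMPERED_BOOT = [b"bios-v1", b"evil-grub", b"vmlinuz-3.6.11", b"initramfs-3.6.11"]


def provision(disk_key: bytes, srk: bytes, components) -> bytes:
    """Install time: seal the disk key to the PCR value of the known-good boot path."""
    return seal(disk_key, measure_boot_path(components), srk)


def boot_and_unlock(blob: bytes, srk: bytes, components, backup_key: bytes = None):
    """Boot time: measure the path, ask the TPM, else fall back to the flash-drive copy."""
    key = unseal(blob, measure_boot_path(components), srk)
    if key is not None:
        return key, "tpm"
    if backup_key is not None:
        return backup_key, "backup"
    return None, None


if __name__ == "__main__":
    blob = provision(DISK_KEY, SRK, GOOD_BOOT)
    for name, path in (("good", GOOD_BOOT), ("tampered", TAMPERED_BOOT),
                       ("kernel updated", UPDATED_KERNEL)):
        _, source = boot_and_unlock(blob, SRK, path, backup_key=DISK_KEY)
        print(f"{name:15s} -> key from {source}")
```

The tampered bootloader and the legitimately updated kernel look identical to the TPM: both change a PCR, so both make unseal fail. That is why the backup copy matters, and "updating the TPM" after a kernel upgrade means booting with the backup key and calling provision again against the new boot path; the old sealed blob stays useless under the new measurements.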