From: Rich Freeman
To: gentoo-dev@lists.gentoo.org
Date: Fri, 15 Jun 2012 08:33:44 -0400
Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo
In-Reply-To: <4FDB2827.4030009@gentoo.org>
References: <20120615042810.GA9480@kroah.com> <4FDAC0A2.4070801@gentoo.org> <4FDB2827.4030009@gentoo.org>
List-Id: Gentoo Linux mail

On Fri, Jun 15, 2012 at 8:18 AM, Luca Barbato wrote:
> On 06/15/2012 06:57 AM, Chí-Thanh Christopher Nguyễn wrote:
>> If you have influence on UEFI secure boot spec, you could suggest that
>> they mandate a UI which lists all boot images known to the EFI boot
>> manager, and the user can easily whitelist both individual loaders and
>> the keys used to sign them.
>>
>
> That would be a good compromise.
>

Agreed, though MS is likely to be sensitive about how this is done. One of their requirements:

System.Fundamentals.Firmware.UEFISecureBoot / 14: Mandatory. No in-line mechanism is provided whereby a user can bypass Secure Boot failures and boot anyway. Signature verification override during boot when Secure Boot is enabled is not allowed. A physically present user override is not permitted for UEFI images that fail signature verification during boot. If a user wants to boot an image that does not pass signature verification, they must explicitly disable Secure Boot on the target system.

Sounds like they want to make getting around signature issues a fairly technical exercise. This of course raises the barrier to loading another OS, though to be fair the "Stuxnet wants to access your boot sector - hit OK to allow or Cancel to not display the cute video your friend sent you" options that are typical these days haven't really been very effective in keeping out malware.

Rich