From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1SfpEN-0001U0-Ni for garchives@archives.gentoo.org; Sat, 16 Jun 2012 09:23:44 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 4AF81E07A7; Sat, 16 Jun 2012 09:23:23 +0000 (UTC) Received: from mail-ob0-f181.google.com (mail-ob0-f181.google.com [209.85.214.181]) by pigeon.gentoo.org (Postfix) with ESMTP id 002DCE077A for ; Sat, 16 Jun 2012 09:22:44 +0000 (UTC) Received: by obbuo19 with SMTP id uo19so5907833obb.40 for ; Sat, 16 Jun 2012 02:22:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dee.su; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type:content-transfer-encoding; bh=w09ZUdeozGBRr9lcQkT1oLRMeqKkeNbnACrGkuq6oDw=; b=KpbPMVqmJsh1Jqxp0tOLLkW5svNLy0+KD+9+y6K/Iq1K0Id75HWGGHHs95BIC0FaMQ o/JuEY9CxCZ9CplZgpHnKRtkUI2M+VnCUg/Lhol1mYLV5KanNq2fxxUNkqLMD/bjIAuI 01+jXoMbPdfG1pr5w7CTDbj9q0PVtYTpxkhxw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type:content-transfer-encoding:x-gm-message-state; bh=w09ZUdeozGBRr9lcQkT1oLRMeqKkeNbnACrGkuq6oDw=; b=KhsKeBJPsYRDaIdsA0JQ/8bTUshIRQg5PjHAy/pquuWIC2wnIIAPytBRFVGywIYPi/ NeKHK4jP9FFwX15s80ny/aFDaEdgx9SGl/4KKMZo9sfmRY6QOUroGom8eHEZTstKk3Wi gJA5qN81QkuwlRt+qOozmuwrkVnTZ8aykTYFr8NAqHNxDC+It5xKGWfu2puuy+aMwO9W bIxPpT7jRH2Cj6VNbVrnJPRsRVK+lJk553rPdBWP5wU+rv9RtYyyhT3k9N77T/pINZZO IuZigd/n9Sv9HSFc/J7DG04Sf6/dpN62VZBvs2WkXTcQSIl8IKyz1ZfV4nH/NN4kqB2X W5Sg== Received: by 10.60.14.193 with SMTP id r1mr8921636oec.16.1339838564310; Sat, 16 Jun 2012 02:22:44 -0700 (PDT) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Received: by 10.76.167.194 with HTTP; Sat, 16 Jun 2012 02:22:24 -0700 (PDT) In-Reply-To: References: <20120615042810.GA9480@kroah.com> <4FDAEB22.4010109@gmail.com> <4FDAF42E.9010304@binarywings.net> <20120615113248.GA22231@waltdnes.org> From: Maxim Kammerer Date: Sat, 16 Jun 2012 12:22:24 +0300 Message-ID: Subject: Re: [gentoo-dev] UEFI secure boot and Gentoo To: gentoo-dev@lists.gentoo.org Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable X-Gm-Message-State: ALoCoQnPi++PI9Q3aZFivmIgqvsh+irGvExaaszpstQv539kJP/lYd3X8KK1mGHc3QEb2AvwtAfz X-Archives-Salt: 815594ed-5ac9-44cf-9129-ddac69f07d44 X-Archives-Hash: 4746769ae43780dab371bc0e6da0e0ec On Fri, Jun 15, 2012 at 3:01 PM, Rich Freeman wrote: > I think that anybody that really cares about security should be > running in custom mode anyway, and should just re-sign anything they > want to run. =A0Custom mode lets you clear every single key in the > system from the vendor on down, and gives you the ability to ensure > the system only boots stuff you want it to. I have several questions, that hopefully someone familiar with UEFI Secure Boot is able to answer. If I understand UEFI correctly, the user will need to not just re-sign bootloaders, but also the OS-neutral drivers (e.g., UEFI GOP), which are hardware-specific, and will be probably signed with Microsoft keys, since the hardware vendor would otherwise need to implement expensive key security measures =97 is that correct? If the user does not perform this procedure (due to its complexity and/or lack of tools automating the process), is it possible for an externally connected device to compromise the system by supplying a Microsoft-signed blob directly to the UEFI firmware, circumventing the (Linux) OS? Is it possible to develop an automatic re-signing tool =97 i.e., does the API support all needed features (listing / extracting drivers, revoking keys, adding keys, etc.)? --=20 Maxim Kammerer Libert=E9 Linux: http://dee.su/liberte