From: Arun Raghavan
Date: Fri, 15 Jun 2012 10:54:11 +0530
In-Reply-To: <20120615045604.GA25651@kroah.com>
References: <20120615042810.GA9480@kroah.com> <20120615045604.GA25651@kroah.com>
Subject: Re: [gentoo-dev]
 UEFI secure boot and Gentoo
To: gentoo-dev@lists.gentoo.org

On 15 June 2012 10:26, Greg KH wrote:
> On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote:
>> On 15 June 2012 09:58, Greg KH wrote:
>> > So, anyone been thinking about this?  I have, and it's not pretty.
>> >
>> > Should I worry about this and how it affects Gentoo, or not worry about
>> > Gentoo right now and just focus on the other issues?
>>
>> I think it at least makes sense to talk about it, and work out what we
>> can and cannot do.
>>
>> I guess we're in an especially bad position since everybody builds
>> their own bootloader. Is there /any/ viable solution that allows
>> people to continue doing this short of distributing a first-stage
>> bootloader blob?
>
> Distributing a first-stage bootloader blob, that is signed by Microsoft,
> or someone, seems to be the only way to easily handle this.
>
> Although all BIOSes will have the option to turn secure boot off, I
> think it is something that we might not want to require for Gentoo to
> work properly on those machines.
>
> Also, some people might really want to sign their own bootloader and
> kernel, and kernel modules (myself included), so just getting that basic
> infrastructure in place is going to take some work, no matter who ends
> up signing the first-stage bootloader blob.

I hadn't thought of that. I imagine the hardened team might be interested in making such infrastructure easily available as well.

> Oh, and on the first-stage bootloader front, I already know of 2 simple,
> and open source, examples that will work for Linux, so getting something
> like that signed might not be very tough.  It's the "where does the
> chain-of-trust stop" question that gets tricky...
For validating the chain of trust, it might be useful to make it possible for anyone to generate the same bootloader and verify the hashes themselves. For the truly paranoid, maybe a signed stage3 + portage snapshot to generate the bootloader image from scratch.

>> > Minor details like, "do we have a 'company' that can pay Microsoft to
>> > sign our bootloader?" is one aspect from the non-technical side that I've
>> > been wondering about.
>>
>> Sounds like something the Gentoo Foundation could do.
>
> Can they do that?  I haven't been paying attention to if we are really a
> legal entity still or not, sorry.

I believe so, but quantumsummers is likely the best person to confirm.

-- 
Arun Raghavan
http://arunraghavan.net/
(Ford_Prefect | Gentoo) & (arunsr | GNOME)