From: Florian Philipp
Date: Sun, 03 Jun 2012 02:35:44 +0200
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Lockdown: free/open OS maker pays Microsoft ransom for the right to boot on users' computers
Message-ID: <4FCAB160.9040706@binarywings.net>

On 03.06.2012 01:36, Michael Mol wrote:
> On Sat, Jun 2, 2012 at 6:50 PM, pk wrote:
>> On 2012-06-02 22:10, Michael Mol wrote:
>
> [snip]
>
[...]
>
> The BIOS will only load a signed bootloader. The signed bootloader
> will only load a signed kernel. The signed kernel will...do whatever
> you tell it to do.
>

According to Matthew's blog post, Fedora patched Grub2 and the kernel to
avoid loading custom code into them:
- Deactivate grub2 plugins
- Sign all kernel modules and disallow unsigned ones
- Prevent access to PCI through userland
- Sanitize the kernel command line

>> What does that mean to a source based "distro"?
>
> It's going to make building and installing grub and the kernel
> trickier; you'll have to get them signed. And that's going to be a
> PITA for anyone who does developers.
>
> What it *really* means is that someone who wants to run Linux as a
> hobbyist or developer is going to disable "SecureBoot", and then fall
> back to business as usual.
>

Yeah, the only way for Gentoo to have secure boot is a) let each user
register with Microsoft, b) provide a binary kernel and boot loader.

>> Also, I would assume a legitimate key would be able to
>> sign pretty much any binary so a key that Fedora uses could be used to
>> sign malware for Windows, which then would be blacklisted by
>> Microsoft...
>
> If Fedora allows their key to sign crap, then their key will get revoked.
>
> What I hope (I don't know) is whether or not the signing system
> involved allows chaining. i.e., with SSL, I can generate my own key,
> get it signed by a CA, and then bundle the CA's public key and my
> public key when I go on to sign _another_ key.
>
> So, could I generate a key, have Fedora sign it, and then use my key
> to sign my binaries? If my key is used to do malicious things,
> Fedora's off the hook, and it's only my key which gets revoked.
>

Consider the exact approach Fedora takes: They've only made a certified
stage-1 boot loader. This boot loader then loads grub2 (signed with a
custom Fedora key, nothing chained back to MS) which then loads a
custom-signed kernel. This allows them to avoid authenticating against
MS every time they update grub or the kernel.

This means if you want to certify with Fedora, you don't need to chain
up to MS as long as you use their stage-1 boot loader. However, if I
was part of Fedora, I wouldn't risk my key by signing other people's
stuff. Mainboard makers won't look twice when they see rootkits with
Fedora boot loaders.

>> and how is malware defined? Anything that would be
>> detrimental to Microsoft?
>
> Dunno. I imagine it comes down to whatever the chief key's owner
> doesn't want running on the same hardware while SecureBoot is enabled.
> Rootkits come to mind.
>

To quote Matthew:
> If I take a signed Linux bootloader and then use it to boot something
> that looks like an unsigned Linux kernel, I've instead potentially
> just booted a piece of malware. And if that malware can attack
> Windows then the signed Linux bootloader is no longer just a signed
> Linux bootloader, it's a signed Windows malware launcher and that's
> the kind of thing that results in that bootloader being added to the
> list of blacklisted binaries and suddenly your signed Linux
> bootloader isn't even a signed Linux bootloader.

Regards,
Florian Philipp
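Added example, not part of the thread or of any distro's code: a small Go model of the chain Florian describes (platform db key signs a stage-1 loader, the loader's embedded vendor key signs grub2 and the kernel, a dbx hash blacklist is checked first) and of the outcome Matthew warns about, where blacklisting the stage-1 hash stops the whole chain even though every signature is still valid. Keys, images and stage names are constructed for the example; Ed25519 stands in for the Authenticode/RSA signatures real firmware checks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Component is one boot-stage image plus the signature over it.
type Component struct {
	Name       string
	Image, Sig []byte
}

func sign(name, image string, priv ed25519.PrivateKey) Component {
	return Component{name, []byte(image), ed25519.Sign(priv, []byte(image))}
}

// VerifyChain models the chain discussed above: firmware checks stage-1 against the platform key (db)
// and the blacklist (dbx); stage-1 checks later stages with its embedded vendor key. "" means boot ok.
func VerifyChain(db, vendor ed25519.PublicKey, dbx map[[32]byte]bool, stages ...Component) string {
	for i, c := range stages {
		key := vendor
		if i == 0 {
			key = db // only stage-1 is checked against the platform db
		}
		if dbx[sha256.Sum256(c.Image)] {
			return c.Name + ": hash is in dbx (blacklisted)"
		}
		if !ed25519.Verify(key, c.Image, c.Sig) {
			return c.Name + ": signature does not verify"
		}
	}
	return ""
}

// Scenarios builds constructed keys and images and reports why each chain boots or not.
func Scenarios() map[string]string {
	dbPub, dbPriv, _ := ed25519.GenerateKey(rand.Reader)     // platform key, stands in for the MS-signed root
	vendPub, vendPriv, _ := ed25519.GenerateKey(rand.Reader) // distro key that stage-1 embeds
	stage1 := sign("stage1", "stage-1 loader", dbPriv)
	grub := sign("grub2", "grub2 image", vendPriv)
	kernel := sign("kernel", "vmlinuz", vendPriv)
	blocked := map[[32]byte]bool{sha256.Sum256(stage1.Image): true} // stage-1 has been added to dbx
	return map[string]string{
		"signed chain":       VerifyChain(dbPub, vendPub, nil, stage1, grub, kernel),
		"unsigned kernel":    VerifyChain(dbPub, vendPub, nil, stage1, grub, Component{Name: "kernel", Image: []byte("custom")}),
		"stage1 blacklisted": VerifyChain(dbPub, vendPub, blocked, stage1, grub, kernel),
	}
}
```

The last scenario is the point of Matthew's quote: no key is revoked and nothing is re-signed, yet the stage-1 loader no longer boots anywhere that has picked up the dbx update.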