On Fri, Jun 15, 2012 at 12:28 AM, Greg KH <gre...@gentoo.org> wrote:
> Should I worry about this and how it affects Gentoo, or not worry about
> Gentoo right now and just focus on the other issues?
>
> Minor details like, "do we have a 'company' that can pay Microsoft to
> sign our bootloader?" is one aspect from the non-technical side that I've
> been wondering about.
So, there are 22 posts already, so I'm going to try to cover a bunch of topics in one post. I've been thinking about this a fair bit.

1. Speaking as an individual trustee... The Gentoo Foundation legally speaks for Gentoo, can sign contracts, and can write checks. I don't really foresee any legal issues should we decide we want to pursue any kinds of relationships with MS or other entities associated with UEFI. Obviously any decision to actually pursue this would not be taken lightly.

2. From what I've heard the cost of getting a key that would be recognized by UEFI firmware is as low as a $99 one-time payment, and we pay many times that for stuff like trademark registration, corporate filing fees, not to mention hardware for infrastructure. Cost is likely a non-issue.

3. Freedom IS a big issue - my sense is that getting support from the powers that be for UEFI comes with a lot of strings. If we had a key the easiest solution would be to just write a signed GRUB stage1 that works exactly like the one we're all using, and it would load whatever you want, linux or windows or Stuxnet or otherwise. Once malware writers start embedding our bootloader in their stuff I assume that the people issuing the keys will have the ability to revoke it (at least for new hardware).

4. Fedora is getting around #3 by making the whole thing a big trusted infrastructure - signature chains for all the kernel-space code. That meshes well with their whole /usr move initiative - you just have this big blob of stuff that you trust and never touch, and you can be sure you're running genuine RedHat goodness, just like all those iPhone users out there. :)

5. If somebody (perhaps under the umbrella of hardened) wanted to create a Gentoo project around a fully trusted Gentoo I'd be completely supportive of that. It would take work. In the spirit of Gentoo we should allow anybody to build their own signed bootloader with their own key, and perhaps we might have an official Gentoo-certified one that we would sign and the Foundation would obtain the necessary UEFI keys. However, that should be viewed as more of a service, and not a core offering - Gentoo will never depend on a piece of non-free software or metadata (and I'd probably lump a signing key into that category). The same tools (minus the private keys) used to generate any secure offering made by Gentoo should be available for users to use and sign their own systems.

6. At least on x86 users can either disable secure boot, or load their own signing keys. We should try to support both. While the full secure infrastructure of #5 will undoubtedly be a significant effort we could at least have the handbook have a section on how to sign your grub when building it and install it in a way that it can be used to boot (installing the keys themselves might be firmware-dependent, but to the extent that standards exist we can be helpful).

7. In general anybody who would be a happy Gentoo user should have no issues with signing their own bootloader, or disabling secure boot.

8. I think the bigger issue is with ARM, and I'm not personally clear on what the exact policy is there. That really strikes me as antitrust, but MS might argue that on ARM they have no monopoly (instead we have a bunch of different vendors who almost universally lock down their hardware). I can't really see how any solution that didn't give the end-user the ability to run arbitrary code on their machine could be called "Gentoo" so our ability to distribute signed bootloaders there is going to be limited. Maybe we create the ability to sign your own as with x86, and make the users pay the $99 for their own keys. As long as individual users don't distribute their "insecure" bootloaders they shouldn't be at risk of getting them revoked.

Well, that's a lot, but those are my impressions.

In short I see this as more of a speed-bump for x86, but a much more fundamental problem for ARM. Personally I never buy a general-purpose computing device like a PC or smartphone unless I know in advance that I can gain full control over it. Hopefully that option will remain open to me a lot longer.

I'd be personally interested in pointers to info on what the "powers that be" do and don't allow with UEFI. I've seen lots of sky-is-falling blog entries and discussion but little in the way of specs, and more importantly, policies.

Rich
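Item 6 of the post above is the one concrete procedure in the thread: sign your own GRUB EFI binary and enroll your own key so the firmware will boot it. The artifact that step produces is a PE/COFF image whose Certificate Table data directory points at an embedded WIN_CERTIFICATE entry of type PKCS#7 SignedData (Authenticode). The script below is an added example, not part of Rich's post, the Gentoo handbook, or sbsigntools; it uses only the Python standard library to locate that table in an EFI binary and report whether a SignedData entry is present and well-formed. The `build_sample_pe` function constructs a minimal, non-bootable PE32+ image with a placeholder DER blob purely to exercise the parser; no real bootloader or certificate is included.

```python
"""Check whether a UEFI PE/COFF binary (e.g. grubx64.efi) carries an
Authenticode signature in its Certificate Table.  Added example; stdlib only."""
import struct
import sys

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode: PKCS#7 SignedData
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index of the Certificate Table


def certificate_table(image: bytes):
    """Return (file_offset, size) of the Certificate Table, or None if absent.
    Unlike the other data directories, this entry holds a raw file offset,
    not an RVA, which is why we can index straight into the file bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                                  # optional header start
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32PLUS_MAGIC:                      # 64-bit EFI binaries
        dirs = opt + 112
    elif magic == PE32_MAGIC:                        # 32-bit EFI binaries
        dirs = opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > opt + size_of_optional:
        return None                                  # directory not present
    off, size = struct.unpack_from("<II", image, entry)
    if off == 0 or size == 0:
        return None
    if off + size > len(image):
        raise ValueError("certificate table runs past end of file")
    return off, size


def signatures(image: bytes):
    """Return a list of (certificate_type, payload_bytes) for every
    WIN_CERTIFICATE entry in the table (entries are 8-byte aligned)."""
    table = certificate_table(image)
    if table is None:
        return []
    off, size = table
    end = off + size
    out = []
    while off + 8 <= end:
        length, _revision, ctype = struct.unpack_from("<IHH", image, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at 0x%x" % off)
        out.append((ctype, image[off + 8:off + length]))
        off += (length + 7) & ~7
    return out


def is_authenticode_signed(image: bytes) -> bool:
    """True if at least one PKCS#7 SignedData entry is embedded."""
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for t, _ in signatures(image))


def build_sample_pe(signed: bool) -> bytes:
    """Constructed test input: a minimal PE32+ image with no sections and no
    code.  It is NOT bootable and the DER payload is a placeholder, not a
    real PKCS#7 blob; it exists only so the parser can be exercised offline."""
    opt_size = 240                                   # PE32+ header + 16 dirs
    header_len = 64 + 4 + 20 + opt_size
    cert_payload = b"\x30\x03\x02\x01\x01"           # placeholder DER SEQUENCE
    cert_len = 8 + len(cert_payload)
    cert_blob = struct.pack("<IHH", cert_len, 0x0200,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_payload
    cert_blob += b"\0" * (-len(cert_blob) % 8)       # pad to 8-byte boundary

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew -> 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    if signed:
        struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         header_len, len(cert_blob))
    image = dos + coff + bytes(opt)
    return image + cert_blob if signed else image


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(True)
    for ctype, payload in signatures(data):
        print("WIN_CERTIFICATE type=0x%04x payload=%d bytes" % (ctype, len(payload)))
    print("authenticode signed:", is_authenticode_signed(data))
```

Run it as `python check_sig.py grubx64.efi.signed` after signing with `sbsign --key db.key --cert db.crt --output grubx64.efi.signed grubx64.efi`. It only confirms that a SignedData entry is present and its length fields are sane; it does not check the signature or chain it to the db certificate, which is what `sbverify --cert db.crt grubx64.efi.signed` and, at boot, the firmware actually do.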