On Sun, Dec 9, 2012 at 7:24 PM, Diego Elio Pettenò <flamee...@flameeyes.eu> wrote: > On 09/12/2012 19:59, Greg KH wrote: >> The UEFI spec does not allow that mode of operation in secure boot mode, >> sorry. You will have to disable it in order to boot a Gentoo image, >> which is fine, but there's no reason why Gentoo can't use the MS-signed >> shim bootloader like all other distros are using, right?
I thought I had read something in Google+ posted by somebody who mentioned that their firmware was doing exactly that. It may very well be prohibited by the spec though, in which case we shouldn't count on it. > > I wouldn't say we have any problem with that. Fabio already got Sabayon > to support the shim. The only problem is that we'd have to provide a > shim binary that _is_ signed, rather than building it from source, but I > don't see it as a mayor problem myself. Agreed. We don't need to make our own shim either - we can just use one of the ones floating around. It should be open source, though obviously if anybody wants to build their own they'll need to get MS to sign it, or install the key in their firmware. I really would like Gentoo to support a self-signed secure boot framework (obviously this would be for after the system is installed). The shim might work, but I'd hardly call it "secure boot" if every motherboard manufacturer and OEM in the world has the ability to sign things, even if MS vouched for them all. Even if I installed Windows I'd want the ability to re-sign it with a key I controlled and tell the firmware to refuse to boot the MS key. But, we can learn to walk before we learn to run - anything that works with UEFI is a good first step. Oh, and for anybody who is really daring - you can have that kind of security even without UEFI. Just use Trusted Grub and enable TPM support in Linux, and then encrypt all but the boot partition with a key stored in the TPM that it only yields when the boot path is validated. Probably wouldn't hurt to stick a copy of the key on a flash drive or something just in case you update your kernel and forget to update the TPM. Rich
