On Sun, Dec 9, 2012 at 7:24 PM, Diego Elio Pettenò
<flamee...@flameeyes.eu> wrote:
> On 09/12/2012 19:59, Greg KH wrote:
>> The UEFI spec does not allow that mode of operation in secure boot mode,
>> sorry. You will have to disable it in order to boot a Gentoo image,
>> which is fine, but there's no reason why Gentoo can't use the MS-signed
>> shim bootloader like all other distros are using, right?

I thought I had read something in Google+ posted by somebody who
mentioned that their firmware was doing exactly that.  It may very
well be prohibited by the spec though, in which case we shouldn't
count on it.

>
> I wouldn't say we have any problem with that. Fabio already got Sabayon
> to support the shim. The only problem is that we'd have to provide a
> shim binary that _is_ signed, rather than building it from source, but I
> don't see it as a mayor problem myself.

Agreed.  We don't need to make our own shim either - we can just use
one of the ones floating around.  It should be open source, though
obviously if anybody wants to build their own they'll need to get MS
to sign it, or install the key in their firmware.

I really would like Gentoo to support a self-signed secure boot
framework (obviously this would be for after the system is installed).
 The shim might work, but I'd hardly call it "secure boot" if every
motherboard manufacturer and OEM in the world has the ability to sign
things, even if MS vouched for them all.  Even if I installed Windows
I'd want the ability to re-sign it with a key I controlled and tell
the firmware to refuse to boot the MS key.

But, we can learn to walk before we learn to run - anything that works
with UEFI is a good first step.

Oh, and for anybody who is really daring - you can have that kind of
security even without UEFI.  Just use Trusted Grub and enable TPM
support in Linux, and then encrypt all but the boot partition with a
key stored in the TPM that it only yields when the boot path is
validated.  Probably wouldn't hurt to stick a copy of the key on a
flash drive or something just in case you update your kernel and
forget to update the TPM.

Rich

Reply via email to