On 10/12/2012 01:52, Rich Freeman wrote:
>  The shim might work, but I'd hardly call it "secure boot" if every
> motherboard manufacturer and OEM in the world has the ability to sign
> things, even if MS vouched for them all.  Even if I installed Windows
> I'd want the ability to re-sign it with a key I controlled and tell
> the firmware to refuse to boot the MS key.

I don't think it's Gentoo's place to do that kind of stuff especially
since I think you're in dreamland if you think that's achievable in
_every_ case. It probably works in some cases, though.

> Oh, and for anybody who is really daring - you can have that kind of
> security even without UEFI.  Just use Trusted Grub and enable TPM
> support in Linux, and then encrypt all but the boot partition with a
> key stored in the TPM that it only yields when the boot path is
> validated.

From the comments I read from Matthew Garrett, this looks like it's
going to be a world full of pain. Again I don't think we have to go there.

Also the title of the thread is now completely misleading so let's stop
here, k?

-- 
Diego Elio Pettenò — Flameeyes
flamee...@flameeyes.eu — http://blog.flameeyes.eu/
