On Sun, Dec 9, 2012 at 7:57 PM, Diego Elio Pettenò
<flamee...@flameeyes.eu> wrote:
> On 10/12/2012 01:52, Rich Freeman wrote:
>>  The shim might work, but I'd hardly call it "secure boot" if every
>> motherboard manufacturer and OEM in the world has the ability to sign
>> things, even if MS vouched for them all.  Even if I installed Windows
>> I'd want the ability to re-sign it with a key I controlled and tell
>> the firmware to refuse to boot the MS key.
>
> I don't think it's Gentoo's place to do that kind of stuff especially
> since I think you're in dreamland if you think that's achievable in
> _every_ case. It probably works in some cases, though.

Any Windows-logo-compliant firmware has to support changing the keys.
I have no idea whether Windows itself supports this, but that really
isn't our concern.  In any case, nobody is forcing anybody to build in
that support - I just think it is a good idea.  I doubt it would be
difficult to accomplish - it just requires signing the bootloader.
But, if nobody wants to do it now I'll just deal with it when I buy
something with UEFI firmware in a year or two.  :)

>
>> Oh, and for anybody who is really daring - you can have that kind of
>> security even without UEFI.  Just use Trusted Grub and enable TPM
>> support in Linux, and then encrypt all but the boot partition with a
>> key stored in the TPM that it only yields when the boot path is
>> validated.
>
> From the comments I read from Matthew Garrett, this looks like it's
> going to be a world full of pain. Again I don't think we have to go there.

Wasn't really suggesting that we go there - only that anybody who
wants to do it is welcome to do so.  There are even howtos floating
around.  I wasn't suggesting that Gentoo support TPM-based full-disk
encryption - just UEFI.

Rich
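
The TPM approach mentioned in the quoted paragraph above (boot stages hashed into a TPM register, disk key released only when the register matches), as an added example that is not part of the original message. It is a simplified Python model: the `ToyTPM` class and the boot-stage blobs are hypothetical and constructed, and a real TPM enforces this in hardware.

```python
import hashlib
import hmac

PCR_SIZE = 20  # TPM 1.2 PCRs hold a SHA-1 digest


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend operation: new PCR = SHA1(old PCR || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Replay a boot path into one PCR, starting from the reset value (all zeros)."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


class ToyTPM:
    """Hypothetical stand-in for a TPM: holds one secret bound to one PCR value."""

    def __init__(self):
        self._sealed = None

    def seal(self, secret: bytes, expected_pcr: bytes) -> None:
        self._sealed = (secret, expected_pcr)

    def unseal(self, current_pcr: bytes):
        """Return the secret only if the measured boot path matches the sealed one."""
        if self._sealed is None:
            return None
        secret, expected = self._sealed
        return secret if hmac.compare_digest(current_pcr, expected) else None


# Constructed sample boot paths (placeholders for real bootloader/kernel images).
GOOD_PATH = [b"grub-stage1", b"grub-stage2", b"vmlinuz-3.6", b"initramfs"]
TAMPERED_PATH = [b"grub-stage1", b"grub-stage2", b"vmlinuz-3.6-patched", b"initramfs"]

if __name__ == "__main__":
    tpm = ToyTPM()
    tpm.seal(b"disk-encryption-key", measure_boot(GOOD_PATH))
    for name, path in (("good", GOOD_PATH), ("tampered", TAMPERED_PATH)):
        key = tpm.unseal(measure_boot(path))
        print(name, "->", "key released" if key else "key withheld")
```

Because each extend hashes the previous register value, a change to any stage, or to the order of stages, produces a different final value and the key stays sealed.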
