On Mon, Dec 10, 2012 at 2:52 AM, Rich Freeman <ri...@gentoo.org> wrote:
> I really would like Gentoo to support a self-signed secure boot
> framework (obviously this would be for after the system is installed).

https://bugs.gentoo.org/show_bug.cgi?id=444830

You can see how such a framework works by booting Liberté Linux 2012.3 on a machine with Secure Boot. Just extract the .zip file into the USB key root (or burn the .iso to CD), and import the EFI/Liberte-SecureBoot-CA.der certificate in the UEFI Secure Boot interface: http://dee.su/liberte-install (see “Secure Boot” section).

> The shim might work, but I'd hardly call it "secure boot" if every
> motherboard manufacturer and OEM in the world has the ability to sign
> things, even if MS vouched for them all.

I think there are some popular misunderstandings about the purpose of shim. What shim essentially allows a user to do is to enroll custom certificates into Secure Boot databases in an interactive, user-friendly fashion (caveat emptor: I didn't try shim yet). It does some clever UEFI API interaction and management of certificates in protected variables, but the effect is identical to enrolling a certificate into DB or KEK (OVMF names) via the UEFI interface. Being signed by MS is just a technical way to achieve that user friendliness.

So personally, I don't think that rushing to support shim in Gentoo is that critical, since users can be expected to enroll certificates by themselves.

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
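As an added illustration (not code from this thread, from Liberté Linux or from shim), the following Python builds and parses EFI_SIGNATURE_LIST structures, the format in which the UEFI db and KEK variables hold enrolled certificates and hashes, so that whatever tool performs the enrollment, the same bytes end up in the protected variable. The type GUIDs are the UEFI specification's EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID; the owner GUID and the certificate bytes are constructed placeholders, not a real certificate.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Constructed owner GUID (assumption): identifies who enrolled an entry.
OWNER = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
# Constructed placeholder for a DER certificate (a SEQUENCE header plus zeros).
FAKE_CERT_DER = b"\x30\x10" + bytes(16)
HEADER_LEN = 28  # GUID (16) + SignatureListSize + SignatureHeaderSize + SignatureSize


def build_esl(sig_type, entries, owner=OWNER):
    """Build one EFI_SIGNATURE_LIST; all entries in a list share one size."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must have the same size")
    sig_size = 16 + sizes.pop()  # EFI_SIGNATURE_DATA = owner GUID + data
    list_size = HEADER_LEN + sig_size * len(entries)  # no SignatureHeader for X509/SHA256
    out = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    for e in entries:
        out += owner.bytes_le + e
    return out


def parse_esl(blob):
    """Parse concatenated EFI_SIGNATURE_LISTs (the raw db/KEK variable payload)."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated signature list header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("signature list size exceeds variable data")
        body = blob[off + HEADER_LEN + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("signature data does not divide into entries")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def is_well_formed(blob):
    """True if the payload parses cleanly; a truncated or oversized list is rejected."""
    try:
        parse_esl(blob)
        return True
    except ValueError:
        return False
```

A real db payload may chain several lists of different types, which parse_esl handles by walking list_size until the variable data is exhausted.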