[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Discuss support for the linux kernel's EFI Handover Protocol on x86
From: |
Alexander Graf |
Subject: |
Re: Discuss support for the linux kernel's EFI Handover Protocol on x86 and ARM |
Date: |
Fri, 11 Jan 2019 20:49:28 +0100 |
User-agent: |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 |
On 11.01.19 20:32, Matthew Garrett wrote:
> On Thu, Jan 10, 2019 at 12:59 AM Alexander Graf <address@hidden> wrote:
>> So really dumb question here: What if we didn't use the MS key? What if
>> instead, we just provide a SUSE/openSUSE key and give customers the ability
>> to sign their own grub+Linux binaries?
>
> Then you end up blocking install of any Linux distribution that isn't
> big enough to have every ARM server vendor include their keys. This is
> the exact reason we chose not to explore this approach on x86 - we
> didn't want Red Hat to have privileges that, say, Gentoo didn't. The
> problem is somewhat mitigated if systems are guaranteed to be shipped
> with Secure Boot disabled, but you then still end up encouraging
> vendor lock-in - it becomes difficult to migrate systems from one
> distribution to another without manual re-keying.
But on the other hand (given we gave people the right tools), wouldn't
that also enable end users to secure things down to *their* stack?
I you are big-customer and you only want your own big-customer branded
Linux to run on your servers, not a stock SUSE or Red Hat or whatever
OS, then you would have the ability to easily add your key to the key store.
Isn't that a much more preferable approach? I personally would advise
OEMs to simply not enable secure boot by default and then have everyone
give instructions how to either
a) install the distro key and/or
b) provide easy means to resign binaries themselves and install those keys
At the end of the day, as a customer I care much more about integrity of
*my* stack, rather than whether the boot chain is MS approved, no?
Alex
- Re: Discuss support for the linux kernel's EFI Handover Protocol on x86 and ARM, (continued)
- Re: Discuss support for the linux kernel's EFI Handover Protocol on x86 and ARM, Michael Chang, 2019/01/13
- Re: Discuss support for the linux kernel's EFI Handover Protocol on x86 and ARM, Ard Biesheuvel, 2019/01/14
- Re: Discuss support for the linux kernel's EFI Handover Protocol on x86 and ARM, Michael Chang, 2019/01/14
- Re: Discuss support for the linux kernel's EFI Handover Protocol on x86 and ARM, Alexander Graf, 2019/01/14
- Re: Discuss support for the linux kernel's EFI Handover Protocol on x86 and ARM, Michael Chang, 2019/01/22
- Re: Discuss support for the linux kernel's EFI Handover Protocol on x86 and ARM, Peter Jones, 2019/01/14
- Re: Discuss support for the linux kernel's EFI Handover Protocol on x86 and ARM, Michael Chang, 2019/01/22
- Re: Discuss support for the linux kernel's EFI Handover Protocol on x86 and ARM, Peter Jones, 2019/01/14
- Re: Discuss support for the linux kernel's EFI Handover Protocol on x86 and ARM, Alexander Graf, 2019/01/14
Re: Discuss support for the linux kernel's EFI Handover Protocol on x86 and ARM, Matthew Garrett, 2019/01/11