On Wed, Oct 10, 2012 at 12:16 AM, Jacob Appelbaum <jacob@appelbaum.net> wrote:
Exciting and congratulations.
Thanks, getting it to work was a real pain. PAX / grsecurity kernel patches had UEFI-related bugs, and the most suitable UEFI signing tool (sbsigntool) lacked support for 32-bit EFI binaries. All of this is now fixed / integrated upstream (sbsigntool is used in Ubuntu, by the way).
What is your plan for Secure Boot related signatures? It seems like a real pain for a lot of distros and a real pain for users to set up, especially those without an understanding of cryptography at a high level.
Liberté ships its own Secure Boot certificate, which signs the GRUB bootloader, and the trusted chain continues from there. After experimenting with Secure Boot in OVMF builds, I think that enrolling such a certificate is not difficult - it is not more difficult than changing the order of boot devices in BIOS, for instance (back then before a menu could be invoked by pressing a key). Most controversy about Secure Boot support in Linux one finds online is about making the process completely transparent for users, which requires either using Microsoft-signed binaries (Fedora) / intermediate certificate, or embedding one's keys in firmware (Ubuntu). If you forgo the requirement of complete boot transparency, which I think is reasonable for a special-purpose live distribution, using one's own certificate is an obvious choice.

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte

----- End forwarded message -----
--
Eugen Leitl http://leitl.org