[liberationtech] best practices - roundup

Maxim Kammerer mk at dee.su
Tue Oct 9 15:55:06 PDT 2012


On Wed, Oct 10, 2012 at 12:16 AM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> Exciting and congratulations.

Thanks, getting it to work was a real pain. PAX / grsecurity kernel
patches had UEFI-related bugs, and the most suitable UEFI signing tool
(sbsigntool) lacked support for 32-bit EFI binaries. All of this is
now fixed / integrated upstream (sbsigntool is used in Ubuntu, by the
way).

> What is your plan for Secure Boot related signatures? It seems like a
> real pain for a lot of distros and a real pain for users to setup,
> especially those without an understanding of cryptography at a high level.

Liberté ships its own Secure Boot certificate, which signs the GRUB
bootloader, and the trusted chain continues from there. After
experimenting with Secure Boot in OVMF builds, I think that enrolling
such a certificate is not difficult; it is not more difficult than
changing the order of boot devices in BIOS, for instance (back then
before a menu could be invoked by pressing a key). Most controversy
about Secure Boot support in Linux one finds online is about making
the process completely transparent for users, which requires either
using Microsoft-signed binaries (Fedora) / intermediate certificate,
or embedding one's keys in firmware (Ubuntu). If you forgo the
requirement of complete boot transparency, which I think is reasonable
for a special-purpose live distribution, using an own certificate is
an obvious choice.

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
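The message above describes enrolling a distribution's own certificate into the firmware so that a GRUB binary signed with it is trusted. As an added example (not code from Maxim's message or from Liberté Linux), the Python below builds and parses the EFI_SIGNATURE_LIST (ESL) structure that such a certificate takes when it is placed in the Secure Boot db variable, the same layout that tools like cert-to-efi-sig-list and efi-updatevar produce and consume. The certificate bytes and owner GUID are constructed placeholders, not a real DER certificate; the EFI_CERT_X509_GUID constant and field layout are from the UEFI specification.

```python
"""Build and parse EFI_SIGNATURE_LIST (ESL) blobs carrying X.509 certificates.

An ESL is what ends up in the Secure Boot 'db' variable when a vendor
certificate is enrolled.  Layout (UEFI spec, EFI_SIGNATURE_LIST):
  EFI_GUID SignatureType; UINT32 SignatureListSize; UINT32 SignatureHeaderSize;
  UINT32 SignatureSize; UINT8 SignatureHeader[]; EFI_SIGNATURE_DATA Signatures[]
where EFI_SIGNATURE_DATA = EFI_GUID SignatureOwner; UINT8 SignatureData[].
"""
import struct
import uuid

# UEFI constant: entries of this type carry a DER-encoded X.509 certificate.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Fixed 28-byte list header; EFI_GUID uses the little-endian "mixed" layout,
# which uuid.UUID.bytes_le produces and uuid.UUID(bytes_le=...) consumes.
_LIST_HDR = struct.Struct("<16sIII")


def build_x509_esl(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate into a single-entry EFI_SIGNATURE_LIST."""
    sig_data = owner.bytes_le + der_cert           # one EFI_SIGNATURE_DATA
    sig_size = len(sig_data)
    list_size = _LIST_HDR.size + sig_size           # header + empty sig header + entry
    return _LIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size) + sig_data


def parse_esl(blob: bytes):
    """Parse concatenated EFI_SIGNATURE_LISTs into (type_guid, owner_guid, data) tuples.

    Every size field is checked against the buffer before use; a firmware
    variable is attacker-reachable input, so inconsistent lengths are rejected.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        body = blob[off + _LIST_HDR.size + hdr_size: off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("SignatureSize inconsistent with list length")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            entries.append((sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        off += list_size
    return entries


def db_contains_cert(db_blob: bytes, der_cert: bytes) -> bool:
    """True if the given DER certificate appears as an X.509 entry in a db-style blob."""
    return any(t == EFI_CERT_X509_GUID and data == der_cert
               for t, _owner, data in parse_esl(db_blob))


# Constructed sample input: a placeholder standing in for a DER certificate
# (a real one would start with a SEQUENCE tag 0x30 too) and an owner GUID.
SAMPLE_DER = b"\x30\x81\x20" + bytes(range(32))
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_ESL = build_x509_esl(SAMPLE_DER, SAMPLE_OWNER)

if __name__ == "__main__":
    for sig_type, owner, data in parse_esl(SAMPLE_ESL):
        print(sig_type, owner, len(data), "bytes")
    print("present:", db_contains_cert(SAMPLE_ESL, SAMPLE_DER))
```

The round trip matters because firmware enrollment tools accept exactly this byte layout; a distribution that ships its own certificate, as Liberté does, is shipping a blob of this shape for the user to enroll, and a mistake in the GUID byte order or the size fields is silently rejected by the firmware rather than reported.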
More information about the cypherpunks-legacy mailing list