On Fri, Jun 15, 2012 at 10:15:28AM +0530, Arun Raghavan wrote: > On 15 June 2012 09:58, Greg KH <gre...@gentoo.org> wrote: > > So, anyone been thinking about this? I have, and it's not pretty. > > > > Should I worry about this and how it affects Gentoo, or not worry about > > Gentoo right now and just focus on the other issues? > > I think it at least makes sense to talk about it, and work out what we > can and cannot do. > > I guess we're in an especially bad position since everybody builds > their own bootloader. Is there /any/ viable solution that allows > people to continue doing this short of distributing a first-stage > bootloader blob?
Distributing a first-stage bootloader blob, that is signed by Microsoft, or someone, seems to be the only way to easily handle this. Although all BIOSes will have the option to turn secure boot off, I think it is something that we might not want to require for Gentoo to work properly on those machines. Also, some people might really want to sign their own bootloader and kernel, and kernel modules (myself included), so just getting that basic infrastructure in place is going to take some work, no matter who ends up signing the first-stage bootloader blob. Oh, and on the first-stage bootloader front, I already know of 2 simple, and open source, examples that will work for Linux, so getting something like that signed might not be very tough. It's the "where does the chain-of-trust stop" question that gets tricky... > > Minor details like, "do we have a 'company' that can pay Microsoft to > > sign our bootloader?" is one aspect from the non-technical side that I've > > been wondering about. > > Sounds like something the Gentoo Foundation could do. Can they do that? I haven't been paying attention to if we are really a legal entity still or not, sorry. greg k-h
