On Wed, Oct 10, 2012 at 12:16 AM, Jacob Appelbaum <[email protected]> wrote: > Exciting and congratulations.
Thanks, getting it to work was a real pain. PAX / grsecurity kernel patches had UEFI-related bugs, and the most suitable UEFI signing tool (sbsigntool) lacked support for 32-bit EFI binaries. All of this is now fixed / integrated upstream (sbsigntool is used in Ubuntu, by the way). > What is your plan for Secure Boot related signatures? It seems like a > real pain for a lot of distros and a real pain for users to setup, > especially those without an understanding of cryptography at a high level. Liberté ships its own Secure Boot certificate, which signs the GRUB bootloader, and the trusted chain continues from there. After experimenting with Secure Boot in OVMF builds, I think that enrolling such a certificate is not difficult — it is not more difficult than changing the order of boot devices in BIOS, for instance (back then before a menu could be invoked by pressing a key). Most controversy about Secure Boot support in Linux one finds online is about making the process completely transparent for users, which requires either using Microsoft-signed binaries (Fedora) / intermediate certificate, or embedding one's keys in firmware (Ubuntu). If you forgo the requirement of complete boot transparency, which I think is reasonable for a special-purpose live distribution, using an own certificate is an obvious choice. -- Maxim Kammerer Liberté Linux: http://dee.su/liberte -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
