[00:06] <blkperl> bkerensa: well ill go talk to Prof Massey about it
[00:07] <bkerensa> blkperl: hooray
[00:07] <bkerensa> LD
[00:25] <bkerensa> !backtrack
[17:27] <bkerensa> slangasek: do you know why the kernel does not need to be signed in the case of UEFI? someone asked in a comment
[17:32] <slangasek> bkerensa: in a comment on what?
[17:34] <bkerensa> slangasek: my blog
[17:34] <slangasek> oh, you reblogged this?
[17:35] <bkerensa> slangasek: http://benjaminkerensa.com/2012/06/20/uefi-secureboot-situation#comment-562946472
[17:35] <orebuntu> bkerensa's tiny URL is http://tinyurl.com/85v5fka
[17:35] <slangasek> oh, rather you blogged before the announcement went out ;)
[17:35] <bkerensa> slangasek: yes
[17:35] <bkerensa> and the always fun jef had a question
[17:36] <slangasek> so the answer is that the kernel doesn't have to be signed because that's not what the UEFI SecureBoot spec requires
[17:38] <bkerensa> yeah huh I figured as much
[17:40] <slangasek> Secure Boot says you have to verify signatures on all code up until you call ExitBootServices.  But the bootloader calls ExitBootServices after reading the kernel into memory and before jumping to it
[17:41] <slangasek> there are additional benefits if you *do* have a path for verifying the integrity of the kernel, but it doesn't make sense to do that by default in Ubuntu
[19:37] <bkerensa> slangasek: The counter response - "Canonical's proposal is the only proposal I've seen that suggest that signature verification up into the hardware driver layer is not required to meet the goals of the secureboot feature. Canonical's approach creates a signed bootloader which can be used to maliciously attack a dual boot Windows system. I fully expect that Microsoft will lean on OEMs to blacklist Canonical's signed boot loader signature
[19:37] <bkerensa> because of this particular failing...out of the gate. "
[19:38] <bkerensa> =/

[19:44] <slangasek> we're not going to base our Secure Boot strategy on what $random_person_on_Internet expects :)
[20:01] <bkerensa> slangasek: but Steve... Its Jef Spaleta :P