Re: Red Hat Will Pay Microsoft To Get Past UEFI Restrictions

On Sat, 2 Jun 2012 20:49:29 +0100
Alan Cox <alan@xxxxxxxxxxxxxxxxxxx> wrote:

> > 3. Create your own keys and sign your own shim/grub2/kernel and
> > remove MS'es keys. 
> 
> And how are you going to add your own keys to the firmware ? There is
> no requirement for EFI to support this in anything I've seen so far.
> Hopefully everyone will.

From the MS win 8 requirements: 

"Mandatory. On non-ARM systems, the platform MUST implement the ability
for a physically present user to select between two Secure Boot modes
in firmware setup: "Custom" and "Standard". Custom Mode allows for more
flexibility as specified in the following:

It shall be possible for a physically present user to use the Custom
Mode firmware setup option to modify the contents of the Secure Boot
signature databases and the PK. This may be implemented by simply
providing the option to clear all Secure Boot databases (PK, KEK, db,
dbx) which will put the system into setup mode."

from EFI spec: 

"While no Platform Key is enrolled, the platform is said to be
operating in setup mode. While in setup mode, the platform
firmware shall not require authentication in order to modify the
Platform Key or the Key Enrollment Key database."

From my understanding that means you will be able to set up your own
keys. At least on any hardware with win 8 requirements. 

> Also btw I wouldn't bet on removing the Microsoft key - as it stands
> you may find that means all your add on cards stop working. All those
> with firmware have to have the firmware signed too (otherwise you'd
> just insert a 'f**k you' card with breakout firmware into the box),
> and those have to be signed with a key that can be everywhere if they
> are general purpose add in cards

Well, the Fedora kernel firmware I assume would be signed/allowed. If
you need firmware not in the main linux-firmware package, you would
probably have to go to non secure boot mode, or make your own keys and
sign the firmware with that. 

...snip...

> Remove the MS key and the firmware won't be signed. I doubt you can
> re-sign any flash firmware. That's probably only a problem for the
> paranoid because any government approved spyware from the FBI etc is
> presumably going to use the Microsoft key by default.

See above. 

kevin
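
Added example, not part of the original message and not Fedora or firmware vendor code: a check of whether a machine is in the setup mode the quoted EFI text describes, by parsing the SetupMode, SecureBoot and PK variables as Linux efivarfs exposes them. The state labels, function names and sample blobs are assumptions made for this illustration.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE namespace GUID defined by the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point

def parse_efivar(blob):
    """An efivarfs file is a 4-byte little-endian attribute word, then the data."""
    if len(blob) < 4:
        raise ValueError("truncated efivarfs entry")
    return struct.unpack_from("<I", blob)[0], blob[4:]

def _flag(blob, name):
    """SetupMode and SecureBoot each carry exactly one byte, 0 or 1."""
    data = parse_efivar(blob)[1] if blob is not None else b""
    if len(data) != 1 or data[0] > 1:
        raise ValueError(f"{name}: missing or malformed")
    return data[0]

def secure_boot_state(setup_mode, secure_boot, pk):
    """Classify raw efivarfs blobs; pass None for a variable that is absent."""
    sm, sb = _flag(setup_mode, "SetupMode"), _flag(secure_boot, "SecureBoot")
    pk_enrolled = pk is not None and len(parse_efivar(pk)[1]) > 0
    if (sm == 1) == pk_enrolled or (sm == 1 and sb == 1):
        return "inconsistent"    # firmware reports contradictory values
    if sm == 1:
        return "setup"           # no PK: PK and KEK writable without authentication
    return "user-enforcing" if sb == 1 else "user-disabled"

def read_live(name):
    """Return the raw blob for a global variable, or None if it does not exist."""
    path = EFIVARS / f"{name}-{EFI_GLOBAL}"
    return path.read_bytes() if path.exists() else None

# Constructed sample blobs (attribute word 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS).
CLEARED = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00", None)
# PK payload below is a stand-in; a real one is an EFI_SIGNATURE_LIST.
ENROLLED = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01", b"\x27\x00\x00\x00PKDATA")

if __name__ == "__main__":
    print("cleared :", secure_boot_state(*CLEARED))
    print("enrolled:", secure_boot_state(*ENROLLED))
    if EFIVARS.is_dir():
        live = [read_live(n) for n in ("SetupMode", "SecureBoot", "PK")]
        print("this host:", secure_boot_state(*live))
```

A result of "setup" after clearing the databases in firmware setup is the point at which your own PK and KEK can be enrolled; "inconsistent" means the firmware's variables contradict each other and should not be trusted as a report of Secure Boot status.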
