Re: UEFI secure boot




On 06/05/2012 11:25 AM, Calvin Morrison wrote:

> 
> Just wondering - why does it have to be Microsoft's Key to be used? Could
> there be an Arch Linux provided key that would allow a Secure Boot?
> 
> Thanks
> 
> calvin
> 

  To be a bit more precise - the key belongs to the owner as always.
It's the signing of the key by a Certificate Authority that is the
second step - it is expensive to create a CA (as discussed in mjg's
blog) - Microsoft offers a UEFI CA service to sign your key. Fedora
plans to have their Fedora key signed by the UEFI CA - so no further
change to the firmware is needed.

  They also are putting some tools together to help users to self-sign
their own key - which is used to sign the boot loader (etc) and also
to store the CA key in the firmware so the signed bootloader will be
approved by Secure Boot using your own private CA.

  In order for there to be an Arch provided key - it would need either
to be signed by the UEFI CA or self-signed with the CA key stored in
firmware ... or something like that.

   I don't yet know how MS UEFI CA key updates get installed into the
firmware. I suppose it will be done much like a BIOS update.


 gene/
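
Added example, not part of the original message: a sketch of the two options described above (a signing key certified by a CA the firmware already trusts, versus a private CA whose certificate is stored in firmware), modelled with openssl only. It does not produce real Authenticode-signed EFI binaries or touch firmware; the CA names, file names and the "db" files are constructed stand-ins.

```bash
# Added example: models only the Secure Boot trust decision with openssl.
# All names, files and the "db" bundles are constructed, not real firmware state.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
cat > "$W/ssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF

# make_ca ID: self-signed CA certificate, the kind of cert stored in firmware.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$W/ssl.cnf" \
    -subj "/CN=$1" -keyout "$W/$1.key" -out "$W/$1.crt" 2>/dev/null
}

# make_signer ID CA_ID: the owner generates the key; the CA only signs its cert.
make_signer() {
  openssl req -new -newkey rsa:2048 -nodes -config "$W/ssl.cnf" \
    -subj "/CN=$1" -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.crt" -CAkey "$W/$2.key" \
    -CAcreateserial -days 30 -out "$W/$1.crt" 2>/dev/null
}

# sign_image ID FILE: detached signature over the (constructed) boot loader blob.
sign_image() {
  openssl dgst -sha256 -sign "$W/$1.key" -out "$2.sig" "$2"
}

# firmware_accepts DB ID FILE: the certificate must chain to a CA in DB and the
# signature must verify with that certificate's public key.
firmware_accepts() {
  openssl verify -CAfile "$1" "$W/$2.crt" 2>/dev/null | grep -q ': OK$' || return 1
  openssl x509 -in "$W/$2.crt" -pubkey -noout > "$W/$2.pub"
  openssl dgst -sha256 -verify "$W/$2.pub" -signature "$3.sig" "$3" >/dev/null 2>&1
}

make_ca uefi-ca;  make_signer distro-key uefi-ca   # key certified by the UEFI CA
make_ca owner-ca; make_signer owner-key owner-ca   # self-managed private CA
printf 'constructed boot loader image\n' > "$W/loader.efi"
cp "$W/uefi-ca.crt" "$W/db-stock.pem"                          # firmware as shipped
cat "$W/uefi-ca.crt" "$W/owner-ca.crt" > "$W/db-enrolled.pem"  # own CA enrolled
```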

