On 06/05/2012 11:25 AM, Calvin Morrison wrote:
>
> Just wondering - why does it have to be Microsoft's Key to be used? Could
> there be an Arch Linux provided key that would allow a Secure Boot?
>
> Thanks
>
> calvin
>

To be a bit more precise - the key belongs to the owner as always. It's the signing of the key by a Certificate Authority that is the second step - it is expensive to create a CA (as discussed in mjg's blog) - Microsoft offers a UEFI CA service to sign your key.

Fedora plans to have their Fedora key signed by the UEFI CA - so no further change to the firmware is needed. They also are putting some tools together to help users to self sign their own key - which is used to sign the boot loader (etc) and also to store the CA key in the firmware so the signed bootloader will be approved by Secure Boot using your own private CA.

In order for there to be an Arch provided key - it would need either to be signed by the UEFI CA or self signed with the CA key stored in firmware ... or something like that.

I don't yet know how MS UEFI CA key updates get installed into the firmware? I suppose it will be done much like a BIOS update.

gene/