On 02/08/2020 19:54, John Pierce wrote:
On Sun, Aug 2, 2020 at 11:45 AM Phil Perry <pperry@xxxxxxxxxx> wrote:
On 02/08/2020 16:26, Valeri Galtsev wrote:
On the side note: it is Microsoft that signs one of Linux packages now.
We seem to have made one more step away from “our” computers being _our
computers_. Am I wrong?
Valeri
Microsoft are the Certificate Authority for SecureBoot and most
SB-enabled hardware (most x86 hardware) comes with a copy of the
Microsoft key preinstalled allowing binaries that are signed by
Microsoft to work. In the case of linux, that is the shim which becomes
the root of trust to load everything else. If you are not happy with
that you can always become your own certificate authority by generating
your own keys, install your signing keys in the hardware's firmware (MOK
list) and sign stuff yourself to use on your own machine(s).
However if you wish to distribute stuff to others and have it work
seamlessly on hardware outside of your direct control and without the
need for every user to import your CA SecureBoot signing key into the
MOK list on every device, you would rely on Microsoft to sign SB related
content.
now, does Microsoft have to sign each released module themselves, or will
they issue a CA cert to an authorized OS creator, like RH, then let RH
sign their own modules?
EG, Microsoft RootCA -> Signed Package
vs, Microsoft RootCA -> RH Child CA -> Signed Package ....
I believe Microsoft signs the shim which then becomes the trusted
authority and embeds RH (or CentOS) signing cert, so (I believe) every
release of the shim needs to be signed by Microsoft. So it's not quite
as efficient as MS signing a RH/CentOS CA key, but is not far off.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos