Re: Boot failed on latest CentOS 7 update




On 8/2/20 4:11 PM, John Pierce wrote:
Isn't it more that they simply won't work with newer boots that were signed
by the new keys? And the updated BIOSes won't boot older OS versions that
weren't signed by the new keys?


I don't know if the Secure Boot PKI has a publicly documented contingency plan for a compromised CA, but my understanding is that there are multiple slots for signatures:

http://dreamhack.it/linux/2015/12/03/secure-boot-signed-modules-and-signed-elf-binaries.html

So, I would guess that clients would receive a new trust DB that did not contain the old root CA, and new bootloaders signed by both the old root CA and the new CA.  The new bootloaders would work on both new and old systems, having signatures from both. Old bootloaders would not work on new clients.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
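A small model of the rotation the reply describes, added here as an illustration and not code from the thread or from any Secure Boot implementation: a db of CA public keys, bootloader images carrying one or more signatures, and a firmware check that boots an image if any signature chains to a db entry. The CAs are toy textbook RSA over fixed small primes (a stand-in for the real X.509/Authenticode chain), and the image bytes are constructed.

```python
import hashlib

E = 65537  # public exponent shared by the toy CAs

class CA:
    """A signing authority. Only the public half (name, n) ever goes into db."""
    def __init__(self, name, p, q):
        self.name = name
        self.n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))  # private exponent, never in db

    def public(self):
        return (self.name, self.n)

    def sign(self, image: bytes):
        # One signature slot: (signer cert id, RSA signature over the image hash)
        h = int.from_bytes(hashlib.sha256(image).digest(), "big") % self.n
        return (self.public(), pow(h, self._d, self.n))

def verify(sig, image: bytes) -> bool:
    (_name, n), s = sig
    h = int.from_bytes(hashlib.sha256(image).digest(), "big") % n
    return pow(s, E, n) == h

def firmware_boot(db, image: bytes, signatures):
    """Return the name of the db CA that authorised the image, or None.
    Firmware accepts the image if ANY slot carries a valid signature from a
    certificate present in db; slots from unknown CAs are simply ignored."""
    for sig in signatures:
        if sig[0] in db and verify(sig, image):
            return sig[0][0]
    return None

# Constructed scenario: the old root is dropped from the new db, not merely
# joined by the new root, so only dual-signed images boot everywhere.
old_ca = CA("old-root", 1000000007, 998244353)
new_ca = CA("new-root", 1000000009, 999999937)
old_db = {old_ca.public()}
new_db = {new_ca.public()}

bootloader_old = b"shim-v1 (constructed image bytes)"
bootloader_new = b"shim-v2 (constructed image bytes)"
sigs_old = [old_ca.sign(bootloader_old)]                                   # old CA only
sigs_new = [old_ca.sign(bootloader_new), new_ca.sign(bootloader_new)]      # dual-signed

if __name__ == "__main__":
    for db_name, db in (("old db", old_db), ("new db", new_db)):
        print(db_name, "old loader ->", firmware_boot(db, bootloader_old, sigs_old))
        print(db_name, "new loader ->", firmware_boot(db, bootloader_new, sigs_new))
```

The dual-signed loader boots under both trust databases, the old loader only under the old one, and any modification to the image bytes invalidates every slot.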



