On 05/31/2012 03:18 PM, Adam Jackson wrote:
On 5/31/12 2:17 PM, Peter Jones wrote:
On 05/31/2012 12:37 PM, Adam Jackson wrote:
Now if you're suggesting Fedora should ship another version of the
shimloader that's signed with a common Fedora key... sure, why not,
that could be nice.
Of course since we have to /install/ a bootloader, for this to be
effective it needs to be the same bootloader signed twice, which is
not currently supported by the binary format. (It can, of course, be
adapted to support it trivially without even changing the bits on the
disk if we can talk them in to it, and my tools currently includes a
partial implementation of this that's merely #define'd away.)
Not that I want to discourage multiple signatures - quite the opposite - but
could we not install the bootloader after (and based on) looking at the
enrolled keys?
Well, that adds complexity and makes files bigger and more numerous, but it
could be done. We all know how dangerous files are.
--
Peter
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
