On 5/31/12 3:23 PM, Peter Jones wrote:
> On 05/31/2012 03:18 PM, Adam Jackson wrote:
>> Not that I want to discourage multiple signatures - quite the
>> opposite - but could we not install the bootloader after (and based
>> on) looking at the enrolled keys?
> Well, that adds complexity and makes files bigger and more numerous, but it
> could be done. We all know how dangerous files are.
So, having bothered to think about it a bit:

If the firmware can have multiple keys enrolled (and I think it can)
then you wouldn't need to do this: the ISO only has one loader, so you
know what it's signed with a priori, and wouldn't need to conditionalize.

But if it can only have one key enrolled _and_ you want to not trust
Microsoft's keys, you'd need to have switched keys before booting the
boot media anyway, or else booted outside of SB (and then trust that the
install media doesn't root your firmware before installing the loader).

So really the scenario for conditionalizing which (signed variant of the
one) loader we install is: platform has multiple keys enrolled, we
booted signed by Party A, but intend to strip that key out the next time
we boot and carry on signed by Party B from then on. Which doesn't win
you a whole lot besides (having fewer steps involved in) the juicy
satisfaction of banning Windows from running on the machine.

Between that and your invocation of Rule 0 I withdraw the suggestion; I
don't think it wins enough to be worthwhile.
- ajax
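Added example, not code from this thread or from Fedora: what "install the loader based on the enrolled keys" would look like in practice, as a parser for the EFI_SIGNATURE_LIST records the UEFI `db` variable is made of, plus a selector that keeps only the signed loader variants whose signing certificate is actually enrolled (so a single-key platform that has only Party A's key yields only the A-signed variant, and an empty result means nothing matches). The record layout follows the UEFI spec; the owner GUIDs, certificate bytes, loader file names and the Linux efivarfs path are constructed or assumed for the demo.

```python
"""Added example (not from the thread): choose a signed loader variant from the
certificates actually enrolled in the UEFI 'db' signature database."""
import hashlib
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGLIST_HDR = 28  # EFI_GUID + SignatureListSize + SignatureHeaderSize + SignatureSize

def read_db_from_efivarfs(path="/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"):
    """Assumed Linux path; efivarfs prepends 4 attribute bytes to the payload."""
    with open(path, "rb") as f:
        return f.read()[4:]

def parse_signature_lists(blob):
    """Return (SignatureType, SignatureOwner, SignatureData) for every entry."""
    entries, off = [], 0
    while off + SIGLIST_HDR <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < SIGLIST_HDR + hdr_size or sig_size < 16 or end > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + SIGLIST_HDR + hdr_size  # skip the optional SignatureHeader
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, bytes(blob[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries

def build_signature_list(sig_type, owner, data):
    """Encode a one-entry EFI_SIGNATURE_LIST (used here only to build sample input)."""
    sig_size = 16 + len(data)
    hdr = sig_type.bytes_le + struct.pack("<III", SIGLIST_HDR + sig_size, 0, sig_size)
    return hdr + owner.bytes_le + data

def installable_variants(db_blob, variants):
    """variants maps sha256(DER cert) -> loader file signed under that cert; only
    variants whose signer is enrolled come back, so nothing is assumed about the key we booted under."""
    enrolled = {hashlib.sha256(d).hexdigest() for t, _o, d in parse_signature_lists(db_blob)
                if t == EFI_CERT_X509_GUID}
    return {fp: path for fp, path in variants.items() if fp in enrolled}

# Constructed sample db: two X.509 entries from different owners; cert bytes are placeholders.
OWNER_A, OWNER_B = uuid.UUID(int=1), uuid.UUID(int=2)
CERT_A, CERT_B, CERT_C = b"placeholder-der-A", b"placeholder-der-B", b"placeholder-der-C"
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER_A, CERT_A)
             + build_signature_list(EFI_CERT_X509_GUID, OWNER_B, CERT_B))
VARIANTS = {hashlib.sha256(c).hexdigest(): n for c, n in
            ((CERT_A, "shim-a.efi"), (CERT_B, "shim-b.efi"), (CERT_C, "shim-c.efi"))}
```

With both keys enrolled the selector returns the A- and B-signed variants and drops the C-signed one; with only Party A's list it returns just the A variant.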
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel