On 05/31/2012 04:32 PM, Adam Jackson wrote:
On 5/31/12 3:23 PM, Peter Jones wrote:
On 05/31/2012 03:18 PM, Adam Jackson wrote:
Not that I want to discourage multiple signatures - quite the
opposite - but could we not install the bootloader after (and based
on) looking at the enrolled keys?
Well, that adds complexity and makes files bigger and more numerous, but it
could be done. We all know how dangerous files are.
So, having bothered to think about it a bit:
If the firmware can have multiple keys enrolled (and I think it can) then you
wouldn't need to do this: the ISO only has one loader, so you know what it's
signed with a priori, and wouldn't need to conditionalize.
You're correct that DB (the firmware variable that holds the list of okay keys
and hashes) is a list, not a single slot.
--
Peter
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
