On Wed, Jan 09, 2013 at 03:39:42PM +0100, Florian Weimer wrote: > On 01/09/2013 03:26 PM, Peter Jones wrote: > > >You've misunderstood the mechanism at work. dhowell's current kernel > >patch set allows you to add keys which are wrapped (in a well defined > >way) in a pecoff binary that's signed by already trusted keys. This is > >what I'm referring to above when I say "get your keys signed by ...". > > Oh dear, what a horrible kludge. But I admit that it might work, > assuming that Microsoft signs that nonsensical (from their > perspective) key-wrapping binary. It's not non-sensical. It's "Hello, World." We haven't actually tried to get such a thing signed yet, but it's well within their guidelines. > >>I don't think relying on Secure Boot is the best way to secure the > >>installation path. Theoretically, it is feasible, but it will > >>always be brittle. > > > >Citation needed. > > See my direct follow-up to Jaroslav's initial message. You mean the one you sent directly to me? It didn't demonstrate anything of the sort you're claiming. As to a direct response to Jaroslav on the list, I see no such post. -- Peter -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel