Hi,

> But they also say this:
>
> | The default state of Secure Boot has a wide circle of trust which can
> | result in customers trusting boot components they may not need. Since
> | the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for
> | all Linux distributions, trusting the Microsoft 3rd Party UEFI CA
> | signature in the UEFI database increase[]s the attack surface of
> | systems. A customer who intended to only trust and boot a single Linux
> | distribution will trust all distributions–much more than their desired
> | configuration.
>
> And this is an accurate description of the situation.

Yea. And on top of that there is no standard way to manage secure boot
keys. Try to kick out the microsoft windows signing keys because you
don't trust the windows boot loader and want to use linux anyway. You
can go into the efi setup and with luck you find options to manage keys.
But some standard way for an OS to request that and the firmware asking
the user on next boot to ack or nack that action is just not there.
Same for adding linux distro keys. This is why we ended up with
shim + mokutil in the first place ...

> The second stage boot loader
> can have a long-term distribution-specific key embedded in it and is
> also supposed to be minimal, so that distribution upgrades do not
> require re-enrollment of the per-distribution boot loader.

I'd love to have the distro CA cert on iso images and ESP, preferably in
some standard location. Then people have at least the chance to easily
enroll the distro keys (assuming the firmware setup offers that). For
virtual machines we could even do that automatically.

RHEL can actually be booted with only distro keys enrolled, even though
it requires inconvenient manual configuration due to having two shim.efi
binaries with one signature each instead of one binary with two
signatures.

Fedora secure boot signing is rather messy though.
Booting without microsoft cert doesn't work:
https://bugzilla.redhat.com/show_bug.cgi?id=2108083

And the fedora distro secure boot certificate is broken:
https://bugzilla.redhat.com/show_bug.cgi?id=2107982

take care,
  Gerd

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
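The mail above is about how wide the Secure Boot circle of trust is and how hard it is to find out (let alone change) what the firmware actually trusts. One thing a defender can do without any firmware UI is read the `db` variable back from efivarfs and compare the enrolled signers against the set they intended to trust. The following is an added example, not code from the mail or from shim/mokutil: a parser for the EFI_SIGNATURE_LIST chain that UEFI stores in `db`/`dbx`/`KEK`, plus an allow-list check. The signature-type GUIDs and the efivarfs layout (4-byte attribute word, then the variable payload) come from the UEFI specification; the sample variable content, owner GUIDs and "certificate" bodies are constructed placeholders, not real certificates.

```python
"""Parse a UEFI Secure Boot signature database (db/dbx/KEK) as stored in
efivarfs and report which signers are trusted.

Added example, not part of the original mail.  The sample variable content
below is constructed: the "certificate" bodies are placeholder bytes, not
real DER certificates.  On a real system the db variable lives at
/sys/firmware/efi/efivars/db-d719b2cb-3a3e-4596-a3bc-dad00e67656f.
"""
import hashlib
import struct
import uuid

# Well-known signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# efivarfs files start with a 4-byte attribute word before the variable data.
EFIVARFS_ATTR_LEN = 4
SIGLIST_HDR_LEN = 28  # GUID(16) + SignatureListSize + SignatureHeaderSize + SignatureSize


def parse_signature_lists(data: bytes):
    """Walk the chain of EFI_SIGNATURE_LIST structures in *data*.

    Each list is: SignatureType GUID, SignatureListSize, SignatureHeaderSize,
    SignatureSize, optional header, then N signatures of SignatureSize bytes,
    each being SignatureOwner GUID + SignatureData.  Returns one dict per
    signature with its type, owner and the SHA-256 of the signature data.
    """
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < SIGLIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < SIGLIST_HDR_LEN or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:
            raise ValueError("bad SignatureSize")
        body_start = off + SIGLIST_HDR_LEN + hdr_size
        body_len = list_size - SIGLIST_HDR_LEN - hdr_size
        if body_len < 0 or body_len % sig_size != 0:
            raise ValueError("signature list body is not a whole number of entries")
        for i in range(body_len // sig_size):
            e = body_start + i * sig_size
            owner = uuid.UUID(bytes_le=data[e:e + 16])
            payload = data[e + 16:e + sig_size]
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(owner),
                "sha256": hashlib.sha256(payload).hexdigest(),
                "size": len(payload),
            })
        off += list_size
    return entries


def parse_efivarfs_db(raw: bytes):
    """Strip the efivarfs attribute prefix and parse the variable payload."""
    return parse_signature_lists(raw[EFIVARFS_ATTR_LEN:])


def untrusted_entries(entries, allowed_sha256):
    """Return db entries whose SHA-256 is not in the operator's allow-list."""
    return [e for e in entries if e["sha256"] not in allowed_sha256]


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads):
    """Encode one EFI_SIGNATURE_LIST without a header (used to build sample data)."""
    if any(len(p) != len(payloads[0]) for p in payloads):
        raise ValueError("all signatures in one list must have the same size")
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = sig_type.bytes_le + struct.pack("<III", SIGLIST_HDR_LEN + len(body), 0, sig_size)
    return header + body


# Constructed sample: two placeholder "certificates" of different sizes (so
# they must sit in separate lists) and one SHA-256 hash entry.
DISTRO_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder
OTHER_OWNER = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")   # placeholder
DISTRO_CERT = b"\x30\x82" + b"D" * 40  # placeholder bytes, not a real certificate
OTHER_CERT = b"\x30\x82" + b"O" * 60   # placeholder bytes, not a real certificate
SOME_HASH = bytes(range(32))           # placeholder binary hash entry

SAMPLE_DB = (struct.pack("<I", 0x27)  # NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
             + build_signature_list(EFI_CERT_X509_GUID, DISTRO_OWNER, [DISTRO_CERT])
             + build_signature_list(EFI_CERT_X509_GUID, OTHER_OWNER, [OTHER_CERT])
             + build_signature_list(EFI_CERT_SHA256_GUID, OTHER_OWNER, [SOME_HASH]))


def audit_sample():
    """Parse the constructed db and flag everything except the one distro CA."""
    entries = parse_efivarfs_db(SAMPLE_DB)
    allowed = {hashlib.sha256(DISTRO_CERT).hexdigest()}
    return entries, untrusted_entries(entries, allowed)


if __name__ == "__main__":
    entries, extra = audit_sample()
    for e in entries:
        print(f"{e['type']:6} owner={e['owner']} sha256={e['sha256'][:16]}... ({e['size']} bytes)")
    print(f"{len(extra)} db entries outside the allow-list")
```

To run it against a real machine, replace `SAMPLE_DB` with the bytes of the `db-…` file under `/sys/firmware/efi/efivars/` and put the SHA-256 of the distro CA's DER encoding into the allow-list; anything the check flags is a signer the firmware trusts beyond what the operator intended, which is exactly the wider-than-desired trust circle quoted above.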