On Friday, May 26, 2023 11:18:32 AM EDT Gary Buhrmaster wrote:
> On Fri, May 26, 2023 at 2:20 PM Steve Grubb <sgrubb@xxxxxxxxxx> wrote:
> > I was poking around a F38 system to look over the Secure Boot
> > certificates and found something that may warrant attention.
>
> I *suspect* this is all wrapped into the issue that
> shims must now have/use NX support to be signed,
> and that first requires the kernel patches that
> support NX to be merged.
>
> The thread about the NX requirement and the
> kernel patch is included (although a bit hard
> to find) in the ticket
> https://bugzilla.redhat.com/show_bug.cgi?id=2113005
>
> I do not know where in the process the kernel patch
> currently is (last I knew, it was still in review).

I found at least one piece of the puzzle. The UEFI specification only goes up to RSA 2048:
https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html

I poked around on some other systems. Looks like Microsoft only issues CA certificates with a 1-year expiration. So, they have expired certificates everywhere. On RHEL 9 the grub bootloader certificate appears to be valid until 2038, which coincides with when clocks may have a problem.

In any event, I better understand what's going on.

-Steve

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
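The kind of check Steve describes (walking the Secure Boot certificate store and looking at expiry dates and RSA key sizes) can be scripted against the raw `db`/`KEK` variable contents. The following is an added example, not code from this thread or from Fedora; it parses the `EFI_SIGNATURE_LIST` format from the UEFI spec and the X.509 DER structure with only the Python standard library. The certificates it runs against are constructed, unsigned skeletons built inline (not real Microsoft or Fedora certificates), the owner GUIDs are placeholders, the "2048-bit" threshold simply mirrors the thread's reading of the spec, and the efivarfs path in the comment is an assumption about where Linux exposes the variable.

```python
"""Added example: audit the X.509 entries of a Secure Boot signature database
(EFI_SIGNATURE_LIST format, as stored in the db/KEK variables) for expiry and
RSA key size, standard library only.  Not code from the thread or from Fedora."""
import struct
import sys
import uuid
from datetime import datetime, timezone

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # UEFI spec
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")                 # 1.2.840.113549.1.1.1


def efi_signature_entries(blob):
    """Yield (signature_type, owner_guid, signature_data) for each entry of each
    EFI_SIGNATURE_LIST in blob (header: type GUID, ListSize, HeaderSize, SignatureSize)."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or end > len(blob) or sig_size < 16:
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:               # SignatureSize includes the 16-byte owner GUID
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def der_tlv(buf, off):
    """Decode one DER tag/length at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length


def der_children(buf, start, end):
    """List the (tag, value_start, value_end) of the TLVs packed in buf[start:end]."""
    out, off = [], start
    while off < end:
        tlv = der_tlv(buf, off)
        out.append(tlv)
        off = tlv[2]
    return out


def x509_summary(cert):
    """Return (not_after, rsa_bits) from a DER certificate; rsa_bits is None for non-RSA keys."""
    _, cs, ce = der_tlv(cert, 0)                   # Certificate ::= SEQUENCE
    _, ts, te = der_children(cert, cs, ce)[0]      # tbsCertificate
    fields = der_children(cert, ts, te)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    tag, ns, ne = der_children(cert, *fields[3][1:])[1]           # validity.notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"     # UTCTime vs GeneralizedTime
    not_after = datetime.strptime(cert[ns:ne].decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    alg, bitstr = der_children(cert, *fields[5][1:])
    oid = der_children(cert, alg[1], alg[2])[0]
    if cert[oid[1]:oid[2]] != RSA_ENCRYPTION_OID:
        return not_after, None
    _, ps, pe = der_tlv(cert, bitstr[1] + 1)       # skip the BIT STRING unused-bits byte
    _, ms, me = der_children(cert, ps, pe)[0]      # RSAPublicKey.modulus
    return not_after, int.from_bytes(cert[ms:me], "big").bit_length()


def audit_signature_db(blob, now):
    """Return [(owner, not_after, rsa_bits, problems)] for every X.509 entry; hash
    entries (EFI_CERT_SHA256_GUID etc.) carry no validity period and are skipped."""
    report = []
    for sig_type, owner, data in efi_signature_entries(blob):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        not_after, bits = x509_summary(data)
        problems = []
        if not_after < now:
            problems.append("expired")
        if bits is not None and bits > 2048:       # threshold taken from the thread's reading of the spec
            problems.append("RSA key above the 2048-bit size the UEFI spec covers")
        report.append((owner, not_after, bits, problems))
    return report


# --- constructed test data (NOT real Secure Boot certificates) ----------------
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def der_int(v):
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # keeps the sign bit clear


def fake_cert(rsa_bits, not_after):
    """Unsigned certificate skeleton with a dummy modulus of exactly rsa_bits bits."""
    alg = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"constructed test CA"))))
    def utc(d):                                   # UTCTime, as real certs use for dates before 2050
        return der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    validity = der(0x30, utc(datetime(2023, 1, 1, tzinfo=timezone.utc)) + utc(not_after))
    pub = der(0x03, b"\x00" + der(0x30, der_int((1 << (rsa_bits - 1)) | 1) + der_int(65537)))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + alg + name + validity + name + der(0x30, alg + pub))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))


def x509_list(cert, owner):
    """Wrap one DER cert in a single-entry EFI_SIGNATURE_LIST (ListSize = 28 + 16 + len(cert))."""
    sig_size = 16 + len(cert)
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size) + owner.bytes_le + cert


# Placeholder owner GUIDs; one 2048-bit cert valid to 2038 and one 4096-bit cert expired in 2022.
SAMPLE_DB = (x509_list(fake_cert(2048, datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)), uuid.UUID(int=1))
             + x509_list(fake_cert(4096, datetime(2022, 6, 30, tzinfo=timezone.utc)), uuid.UUID(int=2)))


def audit_sample():
    """Audit the constructed db as of the thread's date (2023-05-26)."""
    return audit_signature_db(SAMPLE_DB, datetime(2023, 5, 26, tzinfo=timezone.utc))


if __name__ == "__main__":
    # Assumed real input on Linux: the efivarfs file for db, minus its 4-byte attribute prefix, e.g.
    #   /sys/firmware/efi/efivars/db-d719b2cb-3d3e-4596-a3bc-dad00e67656f
    blob = open(sys.argv[1], "rb").read()[4:] if len(sys.argv) > 1 else SAMPLE_DB
    for owner, not_after, bits, problems in audit_signature_db(blob, datetime.now(timezone.utc)):
        print(f"{owner} notAfter={not_after:%Y-%m-%d} rsa_bits={bits} {', '.join(problems) or 'ok'}")
```

Run with no arguments to see the two constructed entries; pass a copied efivarfs file to audit a real store. The DER walker deliberately only follows the fixed field order of `tbsCertificate` (no general ASN.1 library), which is enough to pull `notAfter` and the RSA modulus, and the same `EFI_SIGNATURE_LIST` parser applies unchanged to `dbx`, where most entries are SHA-256 hashes and are skipped.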