On Fri, 14 Jul 2023 at 11:13, Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
>
> On Fri, Jul 14, 2023 at 10:52:20AM +0200, Ard Biesheuvel wrote:
>
> > Maybe the OEMs have gotten better at this over the years, but it is
> > definitely not possible for the distros to rely on being able to get
> > their own cert into KEK and sign their builds directly.
>
> Getting certs into local machine databases should[1] be possible on all
> Windows certified machines, but in the status-quo there's no
> cross-vendor solution to doing this. Relying on the Shim-provided
> mechanisms is much safer from a consistency perspective.
>
> [1] Every time someone has claimed it's impossible to me I've ended up
> demonstrating otherwise, but that's not a guarantee

Interesting. So by 'demonstrating', do you mean running some EFI app
that calls SetVariable() on PK/KEK/db directly, rather than going via
the UI?
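As an added example, not part of this thread or of any project discussed in it: the PK/KEK/db/dbx variables that a SetVariable() enrolment writes (inside the time-based authenticated-write wrapper) carry one or more EFI_SIGNATURE_LIST structures, and the code below packs and parses that layout so the contents of such a database can be audited before and after an enrolment. The owner GUID, the hash values and the "certificate" bytes are constructed placeholders, not real keys.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian; GUIDs use bytes_le).
HDR = struct.Struct("<16sIII")
# Constructed owner GUID for the sample entries (not a vendor's real GUID).
SAMPLE_OWNER = uuid.UUID("00000000-1111-2222-3333-444444444444")

def build_siglist(sig_type, owner, payloads):
    """Pack one EFI_SIGNATURE_LIST; every entry in a list shares one size."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all signatures in a list must have the same size")
    sig_size = 16 + sizes.pop()            # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + p for p in payloads)
    return HDR.pack(sig_type.bytes_le, HDR.size + len(body), 0, sig_size) + body

def parse_siglists(blob):
    """Walk a db/dbx/KEK/PK value; return (type, owner, payload) per entry."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        end = off + list_size
        # Reject sizes that would loop forever or read past the buffer.
        if list_size < HDR.size + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent sizes at offset %d" % off)
        pos = off + HDR.size + hdr_size
        if (end - pos) % sig_size:
            raise ValueError("signature area is not a whole number of entries")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((uuid.UUID(bytes_le=sig_type), owner,
                            blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def sample_db():
    """Constructed two-list value: a dbx-style hash list plus one X.509 entry."""
    hashes = build_siglist(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                           [b"\x11" * 32, b"\x22" * 32])
    cert = build_siglist(EFI_CERT_X509_GUID, SAMPLE_OWNER,
                         [b"\x30\x03\x02\x01\x00"])   # placeholder, not a real DER cert
    return hashes + cert
```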