> On Mar 21, 2025, at 10:55 AM, James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote: > > On Fri, 2025-03-21 at 16:40 +0000, Eric Snowberg wrote: >>> On Mar 20, 2025, at 4:40 PM, James Bottomley >>> <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote: >>> >>> On Thu, 2025-03-20 at 16:24 +0000, Eric Snowberg wrote: >>>> Having lockdown enforcement has always been >>>> a requirement to get a shim signed by Microsoft. >>> >>> This is factually incorrect. Microsoft transferred shim signing to >>> an independent process run by a group of open source maintainers a >>> while ago: >> >> Yes, the shim-review process is understood. I'm not sure how my >> sentence is factually incorrect though. > > You said people "get shim signed by Microsoft". They don't, they get > it signed by the key held by the shim-review maintainers. > >> Unless you are saying Microsoft no longer maintains the private >> key. > > Well technically the private key is owned by UEFI (and referred to as > the UEFI CA) but there are multiple HSM based copies floating around > under the control of various operating system groups. The Windows OS > group holds one and the shim-review group holds another ... there are > probably other copies I don't know about, though. > > The point about this is that UEFI co-ordinates various discussions > between the private key holders about how to preserve security in the > UEFI boot environment (mostly at the UEFI Security Sub Team level) it's > no longer something Microsoft uniquely decides. > >> Hopefully that is not the case, since the public key ships on just >> about every single PC built. > > I don't understand why Microsoft no-longer owning the private key is a > problem? Only the public key ships on PCs and that hasn't changed (at > least not yet, it might have to for NIST requirements since RSA2048 is > being deprecated). A couple concerns come to mind. First, the vetting process being done for individuals that have signing authority with the HSM outside of Microsoft. Another would be access control of the HSM. Especially if it is not within Microsoft's possession.
