Re: [GIT PULL] Load keys from signed PE binaries

From: Matthew Garrett
Date: Wed Feb 27 2013 - 09:56:56 EST

On Wed, Feb 27, 2013 at 09:35:24AM +0000, ownssh wrote:

> I think, redhat should have their own root key to sign binary files.
> Bootloader of install media can be sign by MS certificates, but only use to add
> the redhat root key to UEFI database before install.

There's no way to update the UEFI key database without the update being
signed by an already trusted key, so what you're proposing isn't

Matthew Garrett | mjg59@xxxxxxxxxxxxx
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at