Re: [GIT PULL] Load keys from signed PE binaries

From: Matthew Garrett
Date: Wed Feb 27 2013 - 09:56:56 EST

Next message: Roman Gushchin: "Re: [PATCH] memcg: implement low limits"
Previous message: Lai Jiangshan: "Re: [PATCH V2] smp: Give WARN()ing when calling smp_call_function_many()/single()in serving irq"
In reply to: James Courtier-Dutton: "Re: [GIT PULL] Load keys from signed PE binaries"
Next in thread: ownssh: "Re: [GIT PULL] Load keys from signed PE binaries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Feb 27, 2013 at 09:35:24AM +0000, ownssh wrote:

> I think, redhat should have their own root key to sign binary files.
> Bootloader of install media can be sign by MS certificates, but only use to add
> the redhat root key to UEFI database before install.

There's no way to update the UEFI key database without the update being
signed by an already trusted key, so what you're proposing isn't
possible.

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Roman Gushchin: "Re: [PATCH] memcg: implement low limits"
Previous message: Lai Jiangshan: "Re: [PATCH V2] smp: Give WARN()ing when calling smp_call_function_many()/single()in serving irq"
In reply to: James Courtier-Dutton: "Re: [GIT PULL] Load keys from signed PE binaries"
Next in thread: ownssh: "Re: [GIT PULL] Load keys from signed PE binaries"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]