Re: [GIT PULL] Load keys from signed PE binaries

From: Matthew Garrett
Date: Wed Feb 27 2013 - 09:56:56 EST


On Wed, Feb 27, 2013 at 09:35:24AM +0000, ownssh wrote:

> I think Red Hat should have their own root key to sign binary files.
> The bootloader of the install media can be signed by MS certificates, but only used to add
> the Red Hat root key to the UEFI database before install.

There's no way to update the UEFI key database without the update being
signed by an already trusted key, so what you're proposing isn't
possible.

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx