Re: *countable infinities only
On 6/1/12 12:16 PM, Kevin Kofler wrote:
Adam Jackson wrote:False. Quoting from Matthew's original post: "A system in custom mode should allow you to delete all existing keys and replace them with your own. After that it's just a matter of re-signing the Fedora bootloader (like I said, we'll be providing tools and documentation for that) and you'll have a computer that will boot Fedora but which will refuse to boot any Microsoft code."Removing the M$ key is not viable because the firmware on some peripheral hardware will be signed only with the M$ key.
No, that's not actually a problem. The same process that lets you modify the list of enrolled keys also lets you whitelist hashes of particular EFI images. Like your video ROM.
I believe - since this is just software, after all - that we could also do the stronger thing of storing signatures of firmware images you want to trust (signed with your own key instead of Microsoft's, of course), instead of merely hashes.
The ability to re-root trust is actually an amazingly compelling feature. - ajax -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel