Re: *countable infinities only
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 
On 6/1/12 12:16 PM, Kevin Kofler wrote:

Adam Jackson wrote:

False.  Quoting from Matthew's original post:

"A system in custom mode should allow you to delete all existing keys
and replace them with your own. After that it's just a matter of
re-signing the Fedora bootloader (like I said, we'll be providing tools
and documentation for that) and you'll have a computer that will boot
Fedora but which will refuse to boot any Microsoft code."


Removing the M$ key is not viable because the firmware on some peripheral
hardware will be signed only with the M$ key.
No, that's not actually a problem. The same process that lets you modify the list of enrolled keys also lets you whitelist hashes of particular EFI images. Like your video ROM.
I believe - since this is just software, after all - that we could also do the stronger thing of storing signatures of firmware images you want to trust (signed with your own key instead of Microsoft's, of course), instead of merely hashes. 

The ability to re-root trust is actually an amazingly compelling feature.

- ajax
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
[Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Legacy Announce]     [Home]     [Fedora Tools]     [Fedora PHP Devel]     [Kernel List]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

Add to Google Powered by Linux