On Wed, Jan 09, 2013 at 03:39:42PM +0100, Florian Weimer wrote:
> On 01/09/2013 03:26 PM, Peter Jones wrote:
>
> >You've misunderstood the mechanism at work. dhowell's current kernel
> >patch set allows you to add keys which are wrapped (in a well defined
> >way) in a pecoff binary that's signed by already trusted keys. This is
> >what I'm referring to above when I say "get your keys signed by ...".
>
> Oh dear, what a horrible kludge. But I admit that it might work,
> assuming that Microsoft signs that nonsensical (from their
> perspective) key-wrapping binary.
It's not non-sensical. It's "Hello, World." We haven't actually tried
to get such a thing signed yet, but it's well within their guidelines.
> >>I don't think relying on Secure Boot is the best way to secure the
> >>installation path. Theoretically, it is feasible, but it will
> >>always be brittle.
> >
> >Citation needed.
>
> See my direct follow-up to Jaroslav's initial message.
You mean the one you sent directly to me? It didn't demonstrate
anything of the sort you're claiming. As to a direct response to
Jaroslav on the list, I see no such post.
--
Peter
--
devel mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/devel
