[uefi-secure-boot-guide] master: Update blacklist info. (257e4aa)

sparks at fedoraproject.org sparks at fedoraproject.org
Fri Feb 1 00:54:39 UTC 2013


Repository : http://git.fedorahosted.org/git/?p=docs/uefi-secure-boot-guide.git

On branch  : master

>---------------------------------------------------------------

commit 257e4aa2f2e92273b1f2c46c3c62746212c4b034
Author: Josh Bressers <josh at bress.net>
Date:   Thu Jan 31 15:06:35 2013 -0600

    Update blacklist info.
    
    Signed-off-by: Eric Christensen <sparks at redhat.com>


>---------------------------------------------------------------

 en-US/Implementation_of_Secure_Boot.xml |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/en-US/Implementation_of_Secure_Boot.xml b/en-US/Implementation_of_Secure_Boot.xml
index 47bfd12..7429275 100644
--- a/en-US/Implementation_of_Secure_Boot.xml
+++ b/en-US/Implementation_of_Secure_Boot.xml
@@ -99,12 +99,20 @@ that is capable of booting the system.
 		</para>
 		<para>
 		The shim package also contains a blacklist of known bad keys or
-binaries that should not be allowed to boot. Microsoft will provide this
-list to &PROJECT; for inclusion. This may create periodic update to the
+binaries that should not be allowed to boot. Thie blacklist is a file
+called dbx.esl in the shim-signed package. Microsoft will provide this list
+to &PROJECT; for inclusion. This may create periodic update to the
 shim-signed package that do not change the actual shim binary, but will
 update the blacklist to ensure known bad code cannot be executed.
 		</para>
 		<para>
+		The details about the blacklist must come from Microsoft. We
+are not able to update this blacklist ourselves. The data is signed with a
+Microsoft key which will prevent unauthorized updates to this list.
+Microsoft has stated that the blacklist is to be used to prevent binaries
+being used for attacks from executing.
+		</para>
+		<para>
 		In both boot methods, shim, grub2, and the kernel will detect that they
 are started in what UEFI describes as "User mode" with Secure Boot enabled,
 and upon detecting this they will validate the next stage with a
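Review bot: The first added line has a typo, "Thie blacklist" should read "This blacklist", and the same paragraph now names two packages for one list: it opens with "The shim package also contains a blacklist" but then places dbx.esl "in the shim-signed package", so either use one name or say how the two relate. In the new paragraph, "The data is signed with a Microsoft key which will prevent unauthorized updates to this list" does not say which component verifies that signature or at what point; naming the verifier would let readers check the claim. Since the line "to &PROJECT; for inclusion. This may create periodic update to the" is being rewrapped anyway, the number disagreement with "that do not change" could be fixed in the same change ("periodic updates ... that do not change").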


