[uefi-secure-boot-guide] master: Update blacklist info. (257e4aa)
sparks at fedoraproject.org
Fri Feb 1 00:54:39 UTC 2013
Repository : http://git.fedorahosted.org/git/?p=docs/uefi-secure-boot-guide.git
On branch : master
>---------------------------------------------------------------
commit 257e4aa2f2e92273b1f2c46c3c62746212c4b034
Author: Josh Bressers <josh at bress.net>
Date: Thu Jan 31 15:06:35 2013 -0600
Update blacklist info.
Signed-off-by: Eric Christensen <sparks at redhat.com>
>---------------------------------------------------------------
en-US/Implementation_of_Secure_Boot.xml | 12 ++++++++++--
1 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/en-US/Implementation_of_Secure_Boot.xml b/en-US/Implementation_of_Secure_Boot.xml
index 47bfd12..7429275 100644
--- a/en-US/Implementation_of_Secure_Boot.xml
+++ b/en-US/Implementation_of_Secure_Boot.xml
@@ -99,12 +99,20 @@ that is capable of booting the system.
</para>
<para>
The shim package also contains a blacklist of known bad keys or
-binaries that should not be allowed to boot. Microsoft will provide this
-list to &PROJECT; for inclusion. This may create periodic update to the
+binaries that should not be allowed to boot. Thie blacklist is a file
+called dbx.esl in the shim-signed package. Microsoft will provide this list
+to &PROJECT; for inclusion. This may create periodic update to the
shim-signed package that do not change the actual shim binary, but will
update the blacklist to ensure known bad code cannot be executed.
</para>
<para>
+ The details about the blacklist must come from Microsoft. We
+are not able to update this blacklist ourselves. The data is signed with a
+Microsoft key which will prevent unauthorized updates to this list.
+Microsoft has stated that the blacklist is to be used to prevent binaries
+being used for attacks from executing.
+ </para>
+ <para>
In both boot methods, shim, grub2, and the kernel will detect that they
are started in what UEFI describes as "User mode" with Secure Boot enabled,
and upon detecting this they will validate the next stage with a
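Review bot: The first added line has a typo: "Thie blacklist" should read "This blacklist". The re-wrapped sentence after it still reads "This may create periodic update to the shim-signed package that do not change the actual shim binary"; "update" should be plural to agree with "do". In the new paragraph, "The data is signed with a Microsoft key which will prevent unauthorized updates to this list" says the data is signed but not which component verifies that signature or at what point. Adding a sentence naming what performs the check would explain to the reader why shipping dbx.esl inside the shim-signed package does not allow the packager to alter it. The paragraph's opening sentence, "The details about the blacklist must come from Microsoft", also repeats "Microsoft will provide this list to &PROJECT; for inclusion" from the paragraph above, so the two could be merged. Finally, dbx.esl and shim-signed appear as plain text; if the guide marks up file and package names elsewhere, these should follow the same convention.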