[uefi-secure-boot-guide] master: Add notes for each key. (d64b332)

sparks at fedoraproject.org sparks at fedoraproject.org
Fri Feb 1 02:22:22 UTC 2013


Repository : http://git.fedorahosted.org/git/?p=docs/uefi-secure-boot-guide.git

On branch  : master

>---------------------------------------------------------------

commit d64b3329c05a6b6f68d59c786684deb4cad79a3e
Author: Josh Bressers <josh at bress.net>
Date:   Thu Jan 31 16:44:58 2013 -0600

    Add notes for each key.
    
    Signed-off-by: Eric Christensen <sparks at redhat.com>


>---------------------------------------------------------------

 en-US/Implementation_of_Secure_Boot.xml |   24 +++++++++++++++++++++++-
 1 files changed, 23 insertions(+), 1 deletions(-)

diff --git a/en-US/Implementation_of_Secure_Boot.xml b/en-US/Implementation_of_Secure_Boot.xml
index 7429275..06e2463 100644
--- a/en-US/Implementation_of_Secure_Boot.xml
+++ b/en-US/Implementation_of_Secure_Boot.xml
@@ -19,7 +19,29 @@ There are of course risks having to rely on a third party for this service.
 respond to any new information appropriately.
 		</para>
 		<para>
-		Additionally, we have a Fedora Boot CA which is used to verify the
+		The key usage in the &PRODUCT; implementation can be confusing due
+to its complexity. Here is how the various components are signed.
+		</para>
+		<para>
+		Shim: This is signed by the UEFI signing service. We do not have
+control over this key. The shim contains the Fedora Boot CA public key.
+		</para>
+		<para>
+		Grub2: This is signed by the "Fedora Boot Signer" key, which chains
+off the Fedora Boot CA key. Grub2 doesn't contain any keys, it calls into
+shim for its verification.
+		</para>
+		<para>
+		Kernel: This is also signed by the Fedora Boot Signer. The kernel
+contains the public key used to sign kerenl modules.
+		</para>
+		<para>
+		Kernel Modules: These are signed with a private key generated
+during build. This key is not saved, a new key is used with each Kernel
+build.
+		</para>
+		<para>
+		The Fedora Boot CA which is used to verify the
 integrity of grub2 and the kernel. This key can currently be found in the
 shim source package. The details of the key are:
 		<screen>
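Review bot: The rewritten final paragraph is now a sentence fragment. With "Additionally, we have a" removed, "The Fedora Boot CA which is used to verify the integrity of grub2 and the kernel." has no main verb; dropping "which" gives "The Fedora Boot CA is used to verify the integrity of grub2 and the kernel." In the Kernel paragraph, "kerenl modules" should be "kernel modules". The four new paragraphs (Shim, Grub2, Kernel, Kernel Modules) are really a term and description list, so a DocBook <variablelist> would read better than separate <para> elements. The continuation lines of each new paragraph should also be indented to match their first line.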


