[uefi-secure-boot-guide] master: Add boot CA key info (d240a4d)

sparks at fedoraproject.org
Fri Feb 1 21:46:03 UTC 2013


Repository : http://git.fedorahosted.org/git/?p=docs/uefi-secure-boot-guide.git

On branch  : master

>---------------------------------------------------------------

commit d240a4da0783d69a208552deb9e015a218ce037d
Author: Josh Bressers <josh at bress.net>
Date:   Thu Jan 31 14:42:33 2013 -0600

    Add boot CA key info


>---------------------------------------------------------------

 en-US/Implementation_of_Secure_Boot.xml |   70 ++++++++++++++++++++++++++++++-
 1 files changed, 69 insertions(+), 1 deletions(-)

diff --git a/en-US/Implementation_of_Secure_Boot.xml b/en-US/Implementation_of_Secure_Boot.xml
index 4a52ca0..418ab28 100644
--- a/en-US/Implementation_of_Secure_Boot.xml
+++ b/en-US/Implementation_of_Secure_Boot.xml
@@ -18,6 +18,74 @@ There are of course risks having to rely on a third party for this service.
 &PROJECT; is committed to closely watching activity in this space and will
 respond to any new information appropriately.
 		</para>
+		<para>
+		Additionally, we have a Fedora Boot CA which is used to verify the
+integrity of grub2 and the kernel. This key can currently be found in the
+shim source package. The details of the key are:
+		<screen>
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2574709492 (0x9976f2f4)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Fedora Secure Boot CA
+        Validity
+            Not Before: Dec  7 16:25:54 2012 GMT
+            Not After : Dec  5 16:25:54 2022 GMT
+        Subject: CN=Fedora Secure Boot CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ae:f5:f7:52:81:a9:5c:3e:2b:f7:1d:55:f4:5a:
+                    68:84:2d:bc:8b:76:96:85:0d:27:b8:18:a5:cd:c1:
+                    83:b2:8c:27:5d:23:0a:d1:12:0a:75:98:a2:e6:5d:
+                    01:8a:f4:d9:9f:fc:70:bc:c3:c4:17:7b:02:b5:13:
+                    c4:51:92:e0:c0:05:74:b9:2e:3d:24:78:a0:79:73:
+                    94:c0:c2:2b:b2:82:a7:f4:ab:67:4a:22:f3:64:cd:
+                    c3:f9:0c:26:01:bf:1b:d5:3d:39:bf:c9:fa:fb:5e:
+                    52:b9:a4:48:fb:13:bf:87:29:0a:64:ef:21:7b:bc:
+                    1e:16:7b:88:4f:f1:40:2b:d9:22:15:47:4e:84:f6:
+                    24:1c:4d:53:16:5a:b1:29:bb:5e:7d:7f:c0:d4:e2:
+                    d5:79:af:59:73:02:dc:b7:48:bf:ae:2b:70:c1:fa:
+                    74:7f:79:f5:ee:23:d0:03:05:b1:79:18:4f:fd:4f:
+                    2f:e2:63:19:4d:77:ba:c1:2c:8b:b3:d9:05:2e:d9:
+                    d8:b6:51:13:bf:ce:36:67:97:e4:ad:58:56:07:ab:
+                    d0:8c:66:12:49:dc:91:68:b4:c8:ea:dd:9c:c0:81:
+                    c6:91:5b:db:12:78:db:ff:c1:af:08:16:fc:70:13:
+                    97:5b:57:ad:6b:44:98:7e:1f:ec:ed:46:66:95:0f:
+                    05:55
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            Authority Information Access: 
+                CA Issuers -
+URI:https://fedoraproject.org/wiki/Features/SecureBoot
+
+            X509v3 Authority Key Identifier: 
+                keyid:FD:E3:25:99:C2:D6:1D:B1:BF:58:07:33:5D:7B:20:E4:CD:96:3B:42
+
+            X509v3 Extended Key Usage: 
+                Code Signing
+            X509v3 Subject Key Identifier: 
+                FD:E3:25:99:C2:D6:1D:B1:BF:58:07:33:5D:7B:20:E4:CD:96:3B:42
+    Signature Algorithm: sha256WithRSAEncryption
+         37:77:f0:3a:41:a2:1c:9f:71:3b:d6:9b:95:b5:15:df:4a:b6:
+         f4:d1:51:ba:0d:04:da:9c:b2:23:f0:f3:34:59:8d:b8:d4:9a:
+         75:74:65:80:17:61:3a:c1:96:7f:a7:c1:2b:d3:1a:d6:60:3c:
+         71:3a:a4:c4:e3:39:03:02:15:12:08:1f:4e:cd:97:50:f8:ff:
+         50:cc:b6:3e:03:7d:7a:e7:82:7a:c2:67:be:c9:0e:11:0f:16:
+         2e:1e:a9:f2:6e:fe:04:bd:ea:9e:f4:a9:b3:d9:d4:61:57:08:
+         87:c4:98:d8:a2:99:64:de:15:54:8d:57:79:14:1f:fa:0d:4d:
+         6b:cd:98:35:f5:0c:06:bd:f3:31:d6:fe:05:1f:60:90:b6:1e:
+         10:f7:24:e0:3c:f6:33:50:cd:44:c2:71:18:51:bd:18:31:81:
+         1e:32:e1:e6:9f:f9:9c:02:53:b4:e5:6a:41:d6:65:b4:2e:f1:
+         cf:b3:b8:82:b0:a3:96:e2:24:d8:83:ae:06:5b:b3:24:74:4d:
+         d1:a4:0a:1d:0a:32:1b:75:a2:96:d1:0e:3e:e1:30:c3:18:e8:
+         cb:53:c4:0b:00:ad:7e:ad:c8:49:41:ef:97:69:bd:13:5f:ef:
+         ef:3c:da:60:05:d8:92:fc:da:6a:ea:48:3f:0e:3e:73:77:fd:
+         a6:89:e9:3f
+		</screen>
+		</para>
 	</section>
 	<section id="sect-UEFI_Secure_Boot_Guide-Implementation_of_UEFI_Secure_Boot-Shim">
 		<title>The Shim</title>
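Review bot: The new paragraph prints the full modulus and signature inside <screen> but gives the reader nothing short to compare against: it says the key "can currently be found in the shim source package" without naming the file, and there is no fingerprint. Suggest naming the file and adding a fingerprint line (for example the output of openssl x509 -noout -fingerprint -sha256), since that is what someone checking a local copy would compare. Smaller points in the same block: the prose says "Fedora Boot CA" while the certificate subject is "CN=Fedora Secure Boot CA"; what is shown is a certificate, so "The details of the certificate are:" would be more precise than "the key"; and the Authority Information Access entry is split into "CA Issuers -" and an unindented "URI:..." line, which <screen> will render verbatim, so join them on one line.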
@@ -29,7 +97,7 @@ shim-signed package that do not change the actual shim binary, but will
 update the blacklist to ensure known bad code cannot be executed.
 		</para>
 		<para>
-		In both methods, shim, grub2, and the kernel will detect that they
+		In both boot methods, shim, grub2, and the kernel will detect that they
 are started in what UEFI describes as "User mode" with Secure Boot enabled,
 and upon detecting this they will validate the next stage with a
 &PRODUCT;-specific cryptographic public key before starting it. The validation
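Review bot: "In both boot methods" on the changed line is clearer than "both methods", but nothing in the surrounding lines says which two methods are meant; if they are not named earlier in the section, name them here. Since this commit adds the Fedora Secure Boot CA details to the previous section, consider pointing the "&PRODUCT;-specific cryptographic public key" on the last context line at that paragraph, so readers can tell whether it is the same key.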


