[uefi-secure-boot-guide] master: Made some editing and spelling changes (ff4436b)
sparks at fedoraproject.org
sparks at fedoraproject.org
Fri Feb 1 23:41:26 UTC 2013
Repository : http://git.fedorahosted.org/git/?p=docs/uefi-secure-boot-guide.git
On branch : master
>---------------------------------------------------------------
commit ff4436b9a7e08ffe800a1cc971157234e8bdbd03
Author: Eric Christensen <sparks at fedoraproject.org>
Date: Fri Feb 1 17:45:52 2013 -0500
Made some editing and spelling changes
>---------------------------------------------------------------
en-US/Implementation_of_Secure_Boot.xml | 28 ++++++++++++++--------------
1 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/en-US/Implementation_of_Secure_Boot.xml b/en-US/Implementation_of_Secure_Boot.xml
index 4998d6c..492065d 100644
--- a/en-US/Implementation_of_Secure_Boot.xml
+++ b/en-US/Implementation_of_Secure_Boot.xml
@@ -41,8 +41,8 @@ during build. This key is not saved, a new key is used with each kernel
build.
</para>
<para>
- The Fedora Boot CA which is used to verify the
-integrity of GRUB and the kernel. This key can currently be found in the
+ The Fedora Boot CA is used to verify the
+integrity of GRUB and the kernel. The public key can currently be found in the
shim source package. The details of the key are:
<screen>
Certificate:
@@ -110,20 +110,20 @@ URI:https://fedoraproject.org/wiki/Features/SecureBoot
</para>
</section>
<section id="sect-UEFI_Secure_Boot_Guide-Implementation_of_UEFI_Secure_Boot-Shim">
- <title>The Shim</title>
+ <title>Shim</title>
<para>
- In &PRODUCT; there are two packages that make up the shim. The
+ In &PRODUCT; there are two packages that make up shim. The
package named "shim" is the result of compiling the source code that makes
-up the shim. This package will not boot the system as it is not signed. The
+up shim. This package will not boot the system as it is not signed. The
results of building the shim package are signed, then incorporated into the
-shim-signed package. The shim-signed package contians the signed binary
+shim-signed package. The shim-signed package contains the signed binary
that is capable of booting the system.
</para>
<para>
The shim package also contains a blacklist of known bad keys or
binaries that should not be allowed to boot. Thie blacklist is a file
called dbx.esl in the shim-signed package. Microsoft will provide this list
-to &PROJECT; for inclusion. This may create periodic update to the
+to &PROJECT; for inclusion. This may create periodic updates to the
shim-signed package that do not change the actual shim binary, but will
update the blacklist to ensure known bad code cannot be executed.
</para>
@@ -138,7 +138,7 @@ being used for attacks from executing.
In both boot methods, shim, GRUB, and the kernel will detect that they
are started in what UEFI describes as "User mode" with Secure Boot enabled,
and upon detecting this they will validate the next stage with a
-&PRODUCT;-specific cryptographic public key before starting it. The validation
+&PRODUCT;-specific cryptographic public key before starting. The validation
is done via shim for GRUB, and GRUB calls back to shim to validate the
kernel as well. Once the kernel is booted, it will also detect that it is
in Secure Boot mode, which will cause several things to be true:
@@ -148,6 +148,11 @@ in Secure Boot mode, which will cause several things to be true:
<member>it will refuse any operations from userland which cause userland-defined DMA.</member>
</simplelist>
</para>
+ <note>
+ <title>Note</title>
+ <para>Other distributions have chosen to not require signed kernel modules in their Secure Boot implementation. Fedora believes that to fully support Secure Boot this is required. We are working to limit the impacts of this while ensuring that untrusted module code is not allowed to execute.
+ </para>
+ </note>
</section>
<section id="sect-UEFI_Secure_Boot_Guide-Implementation_of_UEFI_Secure_Boot-Restrictions">
<title>Restrictions</title>
@@ -163,14 +168,9 @@ in Secure Boot mode, which will cause several things to be true:
<para>
In future iterations of Secure Boot support the above may also be
possible, however secure implementations were not feasible in the Fedora 18
-timeframe. If you require support of any of these featurs, Secure Boot must
+timeframe. If you require support of any of these features, Secure Boot must
be disabled.
</para>
- <note>
- <title>Note</title>
- <para>Other distributions have chosen to not require signed kernel modules in their Secure Boot implementation. Fedora believes that to fully support Secure Boot this is required. We are working to limit the impacts of this while ensuring that untrusted module code is not allowed to execute.
- </para>
- </note>
<important>
<title>Important</title>
<para>
More information about the docs-commits
mailing list