*countable infinities only
ajax at redhat.com
Fri Jun 1 19:45:16 UTC 2012
On 6/1/12 12:16 PM, Kevin Kofler wrote:
> Adam Jackson wrote:
>> False. Quoting from Matthew's original post:
>> "A system in custom mode should allow you to delete all existing keys
>> and replace them with your own. After that it's just a matter of
>> re-signing the Fedora bootloader (like I said, we'll be providing tools
>> and documentation for that) and you'll have a computer that will boot
>> Fedora but which will refuse to boot any Microsoft code."
> Removing the M$ key is not viable because the firmware on some peripheral
> hardware will be signed only with the M$ key.

No, that's not actually a problem. The same process that lets you
modify the list of enrolled keys also lets you whitelist hashes of
particular EFI images. Like your video ROM.

I believe - since this is just software, after all - that we could also
do the stronger thing of storing signatures of firmware images you want
to trust (signed with your own key instead of Microsoft's, of course),
instead of merely hashes.

The ability to re-root trust is actually an amazingly compelling feature.
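
Added illustration, not part of the original message: a hash enrolled for an EFI image is the Authenticode PE/COFF digest, which skips the checksum, the certificate-table directory entry and the appended signatures, so an option ROM matches its allowlisted hash no matter whose signature it carries. The sample image is constructed, and `build_sample` and `allowed` are hypothetical helpers, not firmware or Fedora tooling.

```python
import hashlib
import struct

def authenticode_sha256(pe):
    """SHA-256 of a PE/COFF image, skipping every field that signing rewrites."""
    pe_off, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    # COFF header: NumberOfSections ... SizeOfOptionalHeader
    nsect, _, _, _, opt_size = struct.unpack_from("<HIIIH", pe, pe_off + 6)
    opt = pe_off + 24                                  # optional header start
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]        # PE32 / PE32+ data directories
    if struct.unpack_from("<I", pe, dirs - 4)[0] < 5:
        raise ValueError("no certificate table directory entry")
    checksum, cert_entry = opt + 64, dirs + 4 * 8      # CheckSum; directory index 4
    cert_size, = struct.unpack_from("<I", pe, cert_entry + 4)
    hdr_size, = struct.unpack_from("<I", pe, opt + 60) # SizeOfHeaders
    h = hashlib.sha256()
    h.update(pe[:checksum])                            # headers, minus CheckSum
    h.update(pe[checksum + 4:cert_entry])              # minus the cert table entry
    h.update(pe[cert_entry + 8:hdr_size])
    hashed, table, sections = hdr_size, opt + opt_size, []
    for i in range(nsect):                             # SizeOfRawData, PointerToRawData
        size, ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        if size:
            sections.append((ptr, size))
    for ptr, size in sorted(sections):                 # sections in file order
        h.update(pe[ptr:ptr + size])
        hashed += size
    h.update(pe[hashed:len(pe) - cert_size])           # trailing data, minus signatures
    return h.hexdigest()

def build_sample(payload=b"\x90" * 512):
    """Constructed one-section PE32+ used as sample input; not a bootable image."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x8664, 1)      # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x54, 240)             # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x20B)           # PE32+ magic
    struct.pack_into("<I", img, 0x58 + 60, 0x200)      # SizeOfHeaders
    struct.pack_into("<I", img, 0x58 + 108, 16)        # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x148 + 16, len(payload), 0x200)  # section at 0x58+240
    return bytes(img) + payload

def allowed(pe, db_hashes):
    """Hypothetical stand-in for the firmware's hash-allowlist lookup."""
    return authenticode_sha256(pe) in db_hashes
```

Attaching or stripping a signature leaves the digest unchanged, while changing any hashed byte of the image does not.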