*countable infinities only

Scott Schmit i.grok at comcast.net
Fri Jun 1 22:32:05 UTC 2012

On Fri, Jun 01, 2012 at 09:52:20AM +0300, Nicu Buculei wrote:
> On 05/31/2012 05:13 PM, Chris Adams wrote:
> >
> >Please don't spread FUD like this.  You are wrong for a couple of
> >reasons:
> >
> >- Secure boot is required to be able to be disabled on x86 (the only
> >   platform Fedora will support it).
> >
> >- Users can generate their own keys, enroll them in the secure boot
> >   firmware, and use those keys to sign their kernels.
> I am not sure I fully understand the technical part about UEFI so
> please make it clear for me: I can generate my own keys, enroll them
> in the secure boot firmware and then *continue* using the machine in
> a *dual boot* with Windows 8?

Yes, as long as you don't remove the MS key.  If you do, Windows won't
boot (and neither will Fedora until you sign it with your key).

> The presence on my own boot keys will make Windows 8 unbootable on
> that machine or not?

The hardware is not MS-centric -- it will boot using any trusted key
without prejudice.

I doubt that Windows will refuse to boot just because other trusted keys
are present.  I don't know enough about the interface between the secure
boot firmware and OS to know if the OS can even tell what trusted keys
are available.  I know that the OS can't update the trusted key set
itself -- that must be done by the user via the firmware directly.

The OS can update the blacklists without the user's help, however (but
the update must be signed with a trusted key).

Scott Schmit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4138 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20120601/48ff344a/attachment.bin>

More information about the devel mailing list