*countable infinities only
ajax at redhat.com
Thu May 31 20:32:13 UTC 2012
On 5/31/12 3:23 PM, Peter Jones wrote:
> On 05/31/2012 03:18 PM, Adam Jackson wrote:
>> Not that I want to discourage multiple signatures - quite the
>> opposite - but could we not install the bootloader after (and based
>> on) looking at the enrolled keys?
> Well, that adds complexity and makes files bigger and more numerous, but it
> could be done. We all know how dangerous files are.
So, having bothered to think about it a bit:
If the firmware can have multiple keys enrolled (and I think it can)
then you wouldn't need to do this: the ISO only has one loader, so you
know what it's signed with a priori, and wouldn't need to conditionalize.
But if it can only have one key enrolled _and_ you want to not trust
Microsoft's keys, you'd need to have switched keys before booting the
boot media anyway, or else booted outside of SB (and then trust that the
install media doesn't root your firmware before installing the loader).
So really the scenario for conditionalizing which (signed variant of the
one) loader we install is: platform has multiple keys enrolled, we
booted signed by Party A, but intend to strip that key out the next time
we boot and carry on signed by Party B from then on. Which doesn't win
you a whole lot besides (having fewer steps involved in) the juicy
satisfaction of banning Windows from running on the machine.
Between that and your invocation of Rule 0 I withdraw the suggestion, I
don't think it wins enough to be worthwhile.
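The conditional install discussed above (look at the keys enrolled in the firmware, then pick the loader variant signed by a key it already trusts), as an added example that is not code from this thread or from any Fedora tool: it parses the EFI_SIGNATURE_LIST structures of the Secure Boot db variable as efivarfs exposes it (a 4-byte attributes word followed by the variable data) and selects the first preferred loader whose signing certificate is enrolled. The certificate bytes, owner GUID and loader file names are constructed placeholders.

```python
import hashlib
import struct
import uuid

# GUIDs from the UEFI spec for the two common db entry types
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIGLIST_SIZES = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize

def parse_signature_lists(blob, efivarfs=True):
    """Return [(sig_type, owner, data)] for every EFI_SIGNATURE_DATA in a db/dbx blob.
    Each list: type GUID (16) + three UINT32 sizes + optional header + SignatureSize-byte entries."""
    off = 4 if efivarfs else 0  # efivarfs prefixes the 4-byte variable attributes
    entries = []
    while off < len(blob):
        if off + 28 > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = SIGLIST_SIZES.unpack_from(blob, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or sig_size < 16 or end > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, bytes(blob[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries

def build_signature_list(sig_type, owner, data):
    """Encode a single-entry EFI_SIGNATURE_LIST (only used to construct the sample db)."""
    sig_size = 16 + len(data)
    return sig_type.bytes_le + SIGLIST_SIZES.pack(28 + sig_size, 0, sig_size) + owner.bytes_le + data

def choose_loader(db_blob, variants):
    """Return the first loader variant whose signing cert (SHA-256 of its DER) is enrolled in db."""
    enrolled = {hashlib.sha256(d).hexdigest()
                for t, _, d in parse_signature_lists(db_blob) if t == EFI_CERT_X509_GUID}
    return next((name for fingerprint, name in variants if fingerprint in enrolled), None)

# Constructed sample: placeholder bytes stand in for real DER certificates.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
PARTY_A_CERT, PARTY_B_CERT = b"constructed-DER-party-A", b"constructed-DER-party-B"
SAMPLE_DB = (b"\x27\x00\x00\x00"  # efivarfs attributes word: NV | BS | RT | TIME_BASED_AUTH
             + build_signature_list(EFI_CERT_X509_GUID, OWNER, PARTY_A_CERT)
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, hashlib.sha256(b"x").digest()))
# Preference order: Party B's signed loader first, fall back to Party A's.
VARIANTS = [(hashlib.sha256(PARTY_B_CERT).hexdigest(), "shim-party-b.efi"),
            (hashlib.sha256(PARTY_A_CERT).hexdigest(), "shim-party-a.efi")]
```

With only Party A's certificate in the sample db, `choose_loader(SAMPLE_DB, VARIANTS)` returns `shim-party-a.efi`; a hash-type entry is ignored because it authorizes a binary, not a signer.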