Adam Jackson ajax at redhat.com
Thu May 31 20:32:13 UTC 2012

On 5/31/12 3:23 PM, Peter Jones wrote:
> On 05/31/2012 03:18 PM, Adam Jackson wrote:
>> Not that I want to discourage multiple signatures - quite the
>> opposite - but could we not install the bootloader after (and based
>> on) looking at the enrolled keys?
> Well, that adds complexity and makes files bigger and more numerous, but it
> could be done. We all know how dangerous files are.

So, having bothered to think about it a bit:

If the firmware can have multiple keys enrolled (and I think it can)
then you wouldn't need to do this: the ISO only has one loader, so you
know what it's signed with a priori, and wouldn't need to conditionalize.

But if it can only have one key enrolled _and_ you want to not trust
Microsoft's keys, you'd need to have switched keys before booting the
boot media anyway, or else booted outside of SB (and then trust that the
install media doesn't root your firmware before installing the loader).

So really the scenario for conditionalizing which (signed variant of the
one) loader we install is: platform has multiple keys enrolled, we
booted signed by Party A, but intend to strip that key out the next time
we boot and carry on signed by Party B from then on. Which doesn't win
you a whole lot besides (having fewer steps involved in) the juicy
satisfaction of banning Windows from running on the machine.

Between that and your invocation of Rule 0 I withdraw the suggestion, I
don't think it wins enough to be worthwhile.

- ajax
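As an added illustration of the "look at the enrolled keys" step the thread is weighing (this is example code added here, not code from the thread, from the shim project or from any distribution's installer): a parser for the EFI_SIGNATURE_LIST format that the Secure Boot `db` variable is stored in, plus a selector that reports which signed loader variants an installer could use given the signer certificates the firmware currently trusts. The efivarfs path, the 4-byte attribute prefix on efivars files, the GUIDs for X.509 and SHA-256 entries and the list layout are from the UEFI specification; the sample `db` contents, the owner GUIDs and the "certificate" bytes are constructed placeholders, and the `LOADER_VARIANTS` table is a hypothetical mapping.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI spec (EFI_CERT_X509_GUID, EFI_CERT_SHA256_GUID).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# efivarfs location of the Secure Boot signature database (EFI_IMAGE_SECURITY_DATABASE_GUID).
DB_EFIVAR_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3a3d-4645-a3fb-af94ecb4e592"
SIGLIST_HEADER_LEN = 28  # SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)


def read_efivar(path: str = DB_EFIVAR_PATH) -> bytes:
    """Read an efivarfs file and strip the 4-byte attribute word that precedes the variable data."""
    with open(path, "rb") as f:
        raw = f.read()
    return raw[4:]


def parse_signature_lists(blob: bytes):
    """Return [(sig_type, owner, data), ...] for every signature in a run of EFI_SIGNATURE_LIST structs.

    Raises ValueError on truncated or inconsistent lists rather than silently skipping them,
    since a malformed db should stop an installer, not be half-trusted.
    """
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIGLIST_HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size <= 16:  # each EFI_SIGNATURE_DATA carries a 16-byte SignatureOwner GUID
            raise ValueError("bad SignatureSize")
        body = blob[off + SIGLIST_HEADER_LEN + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def enrolled_cert_fingerprints(blob: bytes) -> set:
    """SHA-256 fingerprints (hex) of every X.509 certificate enrolled in the given db blob."""
    return {hashlib.sha256(data).hexdigest()
            for sig_type, _owner, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_X509_GUID}


def usable_loader_variants(blob: bytes, variants: dict) -> list:
    """Names of loader variants whose signer certificate is enrolled in db, in table order."""
    enrolled = enrolled_cert_fingerprints(blob)
    return [name for name, fp in variants.items() if fp in enrolled]


# --- constructed sample data (not real certificates or real firmware contents) ---

def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, datas: list) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST with no signature header; all entries must be equal length."""
    sig_size = 16 + len(datas[0])
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", SIGLIST_HEADER_LEN + len(body), 0, sig_size) + body


PARTY_A_CERT = b"constructed placeholder cert for Party A"  # not DER; stands in for a real cert
PARTY_B_CERT = b"constructed placeholder cert for Party B"
LOADER_VARIANTS = {  # hypothetical: loader file name -> fingerprint of the cert that signed it
    "loader-signed-by-party-a": hashlib.sha256(PARTY_A_CERT).hexdigest(),
    "loader-signed-by-party-b": hashlib.sha256(PARTY_B_CERT).hexdigest(),
}


def sample_db() -> bytes:
    """A db with Party A's cert enrolled plus one SHA-256 hash entry, to exercise mixed list sizes."""
    x509_list = build_signature_list(EFI_CERT_X509_GUID, uuid.UUID(int=1), [PARTY_A_CERT])
    hash_list = build_signature_list(EFI_CERT_SHA256_GUID, uuid.UUID(int=2), [b"\x11" * 32])
    return x509_list + hash_list


if __name__ == "__main__":
    print(usable_loader_variants(sample_db(), LOADER_VARIANTS))
```

On a real machine, `usable_loader_variants(read_efivar(), LOADER_VARIANTS)` would answer the question of which signed loader variant matches the currently enrolled keys; with the constructed sample db only the Party A variant is reported, which is exactly the case the post describes as not worth the extra installer logic.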

