*countable infinities only
pjones at redhat.com
Thu May 31 20:48:30 UTC 2012
On 05/31/2012 04:32 PM, Adam Jackson wrote:
> On 5/31/12 3:23 PM, Peter Jones wrote:
>> On 05/31/2012 03:18 PM, Adam Jackson wrote:
>>> Not that I want to discourage multiple signatures - quite the
>>> opposite - but could we not install the bootloader after (and based
>>> on) looking at the enrolled keys?
>> Well, that adds complexity and makes files bigger and more numerous, but it
>> could be done. We all know how dangerous files are.
> So, having bothered to think about it a bit:
> If the firmware can have multiple keys enrolled (and I think it can) then you
> wouldn't need to do this: the ISO only has one loader, so you know what it's
> signed with a priori, and wouldn't need to conditionalize.
You're correct that DB (the firmware variable that holds the list of okay keys
and hashes) is a list, not a single slot.