[uefi-secure-boot-guide] master: Update notes about shim (64c0d9f)

sparks at fedoraproject.org sparks at fedoraproject.org
Sat Feb 9 01:28:14 UTC 2013


Repository : http://git.fedorahosted.org/git/?p=docs/uefi-secure-boot-guide.git

On branch  : master

>---------------------------------------------------------------

commit 64c0d9fd1414d649640754e915144dfffea130c7
Author: Josh Bressers <josh at bress.net>
Date:   Thu Feb 7 14:16:13 2013 -0600

    Update notes about shim
    
    Signed-off-by: Eric Christensen <sparks at fedoraproject.org>


>---------------------------------------------------------------

 en-US/Implementation_of_Secure_Boot.xml |   35 ++++++++++++++++++++++++------
 1 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/en-US/Implementation_of_Secure_Boot.xml b/en-US/Implementation_of_Secure_Boot.xml
index a908e1c..2acfc98 100644
--- a/en-US/Implementation_of_Secure_Boot.xml
+++ b/en-US/Implementation_of_Secure_Boot.xml
@@ -124,6 +124,13 @@ URI:https://fedoraproject.org/wiki/Features/SecureBoot
 	<section id="sect-UEFI_Secure_Boot_Guide-Implementation_of_UEFI_Secure_Boot-Shim">
 		<title>Shim</title>
 		<para>
+			Shim is a signed binary that is used to boot the system. Secure
+Boot requires a binary to be signed by Microsoft, which helps create a
+chain of trust from the BIOS to the operating system. In Fedora the signed
+binary is named shim. Development of shim happens on github here:
+https://github.com/mjg59/shim
+		</para>
+		<para>
 		<indexterm><primary>shim</primary><secondary>explanation</secondary></indexterm>
 			In &PRODUCT; there are two packages that make up shim. The
 package named "shim" is the result of compiling the source code that makes
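Review bot: the added first paragraph hard-codes "Fedora" ("In Fedora the signed binary is named shim") while the paragraph right below it uses the &PRODUCT; entity ("In &PRODUCT; there are two packages that make up shim"); use the entity here too so the text stays correct when the guide is rebuilt under another product name. Two wording points in the same paragraph: "Secure Boot requires a binary to be signed by Microsoft" is only true for firmware whose db holds Microsoft's certificate (which is what shipping hardware carries), so "signed by a key the firmware trusts, in practice Microsoft's" is more accurate, and "BIOS" should read "firmware" in a UEFI guide. Also, the bare URL https://github.com/mjg59/shim inside <para> should be wrapped in a DocBook <ulink url="..."> element so it renders as a link rather than plain text.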
@@ -134,17 +141,31 @@ that is capable of booting the system.
 		</para>
 		<para>
 		The shim package also contains a <indexterm><primary>Secure Boot</primary><secondary>blacklist</secondary></indexterm>blacklist of known bad keys or
-binaries that should not be allowed to boot. Thie blacklist is a file
-called dbx.esl in the shim-signed package. Microsoft will provide this list
-to &PROJECT; for inclusion. This may create periodic updates to the
+binaries that should not be allowed to boot. The blacklist is a file called
+dbx.esl in the shim package. This blacklist is currently embedded into the
+shim binary at build time. It exists to prevent a known exploitable version
+of grub from being booted. We hope to see a future update place this
+blacklist into UEFI memory. In its current form, updating the blacklist
+will not provide additional security as you could downgrade the shim
+package to avoid updating the blacklist. If the blacklist is stored in the
+BIOS, a blacklist update would survive a shim downgrade.
+		</para>
+		<para>
+Additionally there is a blacklist which Microsoft maintains, signs, and is
+stored in the BIOS for checking. Microsoft will provide this list to
+&PROJECT; for inclusion. This may create periodic updates to the
 shim-signed package that do not change the actual shim binary, but will
-update the blacklist to ensure known bad code cannot be executed.
+update the blacklist to ensure known bad code cannot be executed. This
+blacklist file does not currently exist as nothing has been blacklisted
+yet. It is likely we will attempt to put this blacklist into its own
+package to avoid having to update the shim-signed package.
 		</para>
 		<para>
-		The details about the blacklist must come from Microsoft. We
-are not able to update this blacklist ourselves. The data is signed with a
+		The details about this blacklist must come from Microsoft. We are
+not able to update this blacklist ourselves. The data is signed with a
 Microsoft key which will prevent unauthorized updates to this list.
-Microsoft has stated that the blacklist is to be used to prevent the computer from booting compromised keys and known vulnerabilities.
+Microsoft has suggested that the blacklist is to be used to prevent the
+computer from booting compromised keys and known vulnerabilities.
 		</para>
 		<para>
 		In both boot methods, shim, GRUB, and the kernel will detect that they
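Review bot: the second new paragraph contradicts itself: it opens by saying Microsoft maintains and signs a blacklist that "is stored in the BIOS", then says "This blacklist file does not currently exist as nothing has been blacklisted yet"; state explicitly that the firmware-side dbx variable exists but the package-shipped update file for it does not yet. The hunk also alternates between "UEFI memory" and "BIOS" for the same thing; the blacklist that would survive a shim downgrade is the UEFI dbx authenticated variable kept in firmware NVRAM, and naming it consistently (the file is already called dbx.esl) would make the downgrade argument in the first paragraph clearer. Lastly, "a known exploitable version of grub" gives the reader nothing to verify; cite the affected version or the advisory if one is available.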