Need more info: UEFI Secure Boot in Fedora [Long]

Alan Cox alan at
Fri Jun 1 08:39:28 UTC 2012

> for the virtual machines and continue the chain. Note that you're 
> already half-way there with KVM, since most of its code runs in the 
> kernel itself.

Not really. Chunks of kvm run in userspace so you'll now have to
sign libc, qemu, every file qemu uses, ...

This is a general problem with signed systems, even ones where you own
the key. The amount you need to sign explodes rapidly in the real world,
and it keeps exploding further as people poke holes in your system in the
real world. You get all sorts of problems just trying to work out and
decide if something is a config file or not and if it should be signed.

