| |||||||||||||
Implementing UEFI Secure Boot in FedoraImplementing UEFI Secure Boot in FedoraPosted May 31, 2012 17:02 UTC (Thu) by raven667 (subscriber, #5198)Parent article: Implementing UEFI Secure Boot in Fedora
I too wish that they would also have used their influence to get the Fedora key installed by default in some systems, in addition to signing a boot loader with the MS key. My concern is that if there aren't any non-MS keys installed in UEFI by default from the beginning that the ability to add and manage those keys will atrophy, break and become unsupported. There is a cheap signing service now but that could be pulled at any time and the existing keys blacklisted leaving Fedora and others out in the cold without a plan B if the ability to boot with secure boot off or with a non-MS key becomes broken in the future.
(Log in to post comments)
Implementing UEFI Secure Boot in Fedora Posted May 31, 2012 17:30 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
Binaries can only be signed with a single key. There's no way to produce install media that will work with two different signing keys.
Implementing UEFI Secure Boot in Fedora Posted May 31, 2012 21:20 UTC (Thu) by raven667 (subscriber, #5198) [Link]
I think I understand the issues around that and how it commits you to using the one key you can rely on, at least to install, but does that mean you shouldn't pursue getting your own key in there as well? Once a vendor does the work of pre-loading keys they will likely ship on all subsequent devices, that should lead to increasingly complete hardware coverage over the next 5 years or so. It might also eventually lead to the couple of best funded organizations who can get their keys pre-loaded becoming competitive peer authorities creating a marketplace that is not so critically dependent on the continued benevolence of one vendor.
|
|||||||||||||