still a few glitches in the system... [LWN.net]

still a few glitches in the system...

Posted Nov 20, 2012 22:42 UTC (Tue) by khim (subscriber, #9252)
In reply to: still a few glitches in the system... by redden0t8
Parent article: Bottomley: Adventures in Microsoft UEFI Signing

Forget enterprising crackers... too bad he didn't distribute the Microsoft-signed shim before he was told not too. Once it's out on the internet, you can't ever take it back.

You can't ever take the [private] key back, but you most certainly can blacklist the shim thus is the end such childish behavior will just lead to troubles.

to post comments

still a few glitches in the system...

Posted Nov 21, 2012 15:12 UTC (Wed) by redden0t8 (guest, #72783) [Link] (1 responses)

You can't blacklist the shim, only the key it was signed with. If Microsoft accidentally signed it with (one of) their own key(s), blacklisting it would have the side-effect of also disabling everything else signed with the same key.

What else has Microsoft signed with that key? Could they practically push out updates for those components re-signed with a different key, so as to ensure that blacklisting the original key wouldn't break any Windows 8 systems? What would happen to an end-user's system if the blacklist got updated before those components?

I suppose you could see it as "childish", but I see it as not covering for Microsoft's mistakes on their behalf. They made this mess, I don't feel bad for them if they have to deal with it.

still a few glitches in the system...

Posted Nov 21, 2012 15:26 UTC (Wed) by jake (editor, #205) [Link]

> You can't blacklist the shim, only the key it was signed with.

As I understand it, you *can* blacklist the shim. The blacklist can either have keys *or* hashes. Put the hash of the shim in the blacklist and MS can still use their key, but that shim no longer boots.

jake