still a few glitches in the system...

Posted Nov 21, 2012 15:12 UTC (Wed) by redden0t8 (guest, #72783)
In reply to: still a few glitches in the system... by khim
Parent article: Bottomley: Adventures in Microsoft UEFI Signing

You can't blacklist the shim, only the key it was signed with. If Microsoft accidentally signed it with (one of) their own key(s), blacklisting it would have the side-effect of also disabling everything else signed with the same key.

What else has Microsoft signed with that key? Could they practically push out updates for those components re-signed with a different key, so as to ensure that blacklisting the original key wouldn't break any Windows 8 systems? What would happen to an end-user's system if the blacklist got updated before those components?

I suppose you could see it as "childish", but I see it as not covering for Microsoft's mistakes on their behalf. They made this mess; I don't feel bad for them if they have to deal with it.


still a few glitches in the system...

Posted Nov 21, 2012 15:26 UTC (Wed) by jake (editor, #205)

> You can't blacklist the shim, only the key it was signed with.

As I understand it, you *can* blacklist the shim. The blacklist can either have keys *or* hashes. Put the hash of the shim in the blacklist and MS can still use their key, but that shim no longer boots.

jake
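
The point about the blacklist holding keys or hashes can be checked against the on-disk format. The following is an added example, not part of either comment: a parser for the EFI_SIGNATURE_LIST layout used by the dbx variable that separates SHA-256 hash entries from X.509 certificate entries. The owner GUID, image bytes and certificate bytes are constructed sample data, and the sample hashes raw bytes where firmware would use the Authenticode digest of the PE image.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
KIND = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

def parse_signature_lists(blob):
    """Yield (kind, owner GUID, data) for each entry in concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = list_size - 28 - hdr_size
        if list_size > len(blob) - off or sig_size <= 16 or body < 0 or body % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        start = off + 28 + hdr_size
        for pos in range(start, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield KIND.get(sig_type, str(sig_type)), owner, blob[pos + 16:pos + sig_size]
        off += list_size

def revoked_by_hash(dbx, digest):
    """True if the digest appears as a SHA-256 entry (blocks one binary, not its signer)."""
    return any(k == "sha256" and d == digest for k, _, d in parse_signature_lists(dbx))

def make_list(sig_type, owner, entries):
    """Build one EFI_SIGNATURE_LIST (sample-data helper; entries must be equal length)."""
    sig_size = 16 + len(entries[0])
    head = sig_type.bytes_le + struct.pack("<III", 28 + sig_size * len(entries), 0, sig_size)
    return head + b"".join(owner.bytes_le + e for e in entries)

# Constructed sample data: placeholder owner GUID, fake image bytes, fake certificate bytes.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SHIM_DIGEST = hashlib.sha256(b"constructed shim image").digest()
OTHER_DIGEST = hashlib.sha256(b"constructed other image").digest()
SAMPLE_DBX = (make_list(EFI_CERT_SHA256_GUID, OWNER, [SHIM_DIGEST])
              + make_list(EFI_CERT_X509_GUID, OWNER, [b"constructed DER bytes"]))

if __name__ == "__main__":
    for kind, owner, data in parse_signature_lists(SAMPLE_DBX):
        print(kind, owner, data.hex()[:16])
```

With the sample dbx, the hash entry matches only the one constructed image digest, while the certificate entry is reported separately as a signer-level revocation.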

