On Tue, Jul 31, 2012 at 02:40:25PM -0600, Paul Wise wrote:
> > Here's a summary of what we discussed in the EFI BoF [1] last week
> > (9th July). Thanks to the awesome efforts of the DebConf video team,
> > the video of the session is already online [2] in case you missed
> > it. I've also attached the Gobby notes that were taken during the
> > session. Again, thanks to the people who took part - we had a useful
> > discussion.
>
> One thing I don't think anyone has discussed yet is how key
> transitions will work, if a distro-specific key is compromised, is the
> OS able to update the SB keys?

Any OS will be able to push signed updates to the DB and DBX variables,
adding new trusted keys or revoking keys / individual binaries. However,
the only signed updates that will be accepted by the firmware are those
signed by keys already trusted /by the firmware/ (i.e., those present in
the KEK). This means that in general, if you have a compromised key or
compromised binary, you need to go back to the CA (i.e., whoever is
providing a trust path back to KEK for you) and ask them to issue a
revocation.

> > Any one binary can only be signed by one key.
>
> Would it be possible/useful to circumvent this limitation by making
> copies of the binary and then signing them?

It's certainly straightforward to take copies of a single binary and have
it signed by multiple keys. It's even straightforward to remove one
signature from a binary and replace it with another. What's not
straightforward is to provide a single boot image that can reasonably
make use of such things, since UEFI boots by looking for a single
well-known path to boot from.

FWIW the UEFI working group seems to consider it an oversight that only
one signature is allowed per binary, and work is afoot to correct this.
But as with other issues, it's probably too late to make a difference for
the first iteration of hardware.
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
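The acceptance policy described in the reply above (db/dbx updates are only honoured when signed by a key already in KEK, so a revocation for a compromised distro key has to come from the KEK holder; each binary carries one signature, so multi-key signing means multiple copies) as an added toy model. This is illustration code, not part of the mailing-list post and not the firmware's or any distribution's implementation: signatures are stood in for by HMAC-SHA256 with a constructed per-key secret, and the `Key`, `Image`, `Firmware` names and the `run_scenario` walk-through are assumptions of this example. Real firmware uses X.509 certificates, Authenticode hashes and `EFI_VARIABLE_AUTHENTICATION_2` descriptors; only the trust-store logic is modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Entry = Tuple[str, bytes]  # ("cert", key name) or ("hash", image digest)


class Key:
    """Toy signing key: HMAC-SHA256 with a secret derived from the name.
    Stands in for an RSA key pair plus certificate (constructed, not real crypto)."""

    def __init__(self, name: str):
        self.name = name
        self._secret = hashlib.sha256(b"constructed-secret:" + name.encode()).digest()

    def sign(self, payload: bytes) -> bytes:
        return hmac.new(self._secret, payload, hashlib.sha256).digest()

    def verify(self, payload: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(self.sign(payload), signature)


@dataclass
class Image:
    """A boot binary. One signature slot only, matching the limitation discussed."""
    payload: bytes
    signer: Optional[str] = None
    signature: Optional[bytes] = None

    def digest(self) -> bytes:
        return hashlib.sha256(self.payload).digest()


def serialize(entries: List[Entry]) -> bytes:
    """Canonical byte form of a variable update, the thing the update signature covers."""
    return b"|".join(kind.encode() + b":" + value for kind, value in entries)


@dataclass
class Firmware:
    kek: dict                     # key name -> Key trusted to authorise db/dbx updates
    db: set = field(default_factory=set)   # allow-list entries
    dbx: set = field(default_factory=set)  # revocation entries; checked first

    def update_variable(self, var: str, entries: List[Entry],
                        signer_name: str, signature: bytes) -> bool:
        """Authenticated variable write: accepted only if the update is signed
        by a key already enrolled in KEK. Any OS may submit one; few may have it accepted."""
        trusted = self.kek.get(signer_name)
        if trusted is None or not trusted.verify(serialize(entries), signature):
            return False
        getattr(self, var).update(entries)
        return True

    def verify_image(self, image: Image) -> str:
        """Boot-time check: dbx denies before db allows, by hash or by signing cert."""
        h = image.digest()
        cert = ("cert", image.signer.encode()) if image.signer else None
        if ("hash", h) in self.dbx:
            return "reject: hash revoked in dbx"
        if cert in self.dbx:
            return "reject: signer revoked in dbx"
        if ("hash", h) in self.db:
            return "accept: hash allow-listed in db"
        # In real firmware the db entry carries the public key; the toy rebuilds it by name.
        if cert in self.db and image.signature is not None \
                and Key(image.signer).verify(image.payload, image.signature):
            return "accept: signed by db cert"
        return "reject: no trust path"


def run_scenario() -> dict:
    """Walk through enrolment, compromise, failed self-revocation, CA revocation."""
    oem, distro = Key("OEM-KEK"), Key("Distro-2012")   # constructed names
    fw = Firmware(kek={oem.name: oem})
    out = {}

    enrol = [("cert", distro.name.encode())]            # 1. KEK holder enrols distro cert
    out["enrol_db"] = fw.update_variable("db", enrol, oem.name, oem.sign(serialize(enrol)))

    shim = Image(b"constructed shim payload")            # 2. distro signs its loader
    shim.signer, shim.signature = distro.name, distro.sign(shim.payload)
    out["boot_before"] = fw.verify_image(shim)

    revoke = [("cert", distro.name.encode()), ("hash", shim.digest())]
    # 3. Compromised distro key tries to push its own revocation: not in KEK, refused
    out["self_revoke"] = fw.update_variable("dbx", revoke, distro.name, distro.sign(serialize(revoke)))
    # 4. Same dbx update issued by the KEK holder (the CA in the reply) is accepted
    out["ca_revoke"] = fw.update_variable("dbx", revoke, oem.name, oem.sign(serialize(revoke)))
    out["boot_after"] = fw.verify_image(shim)

    # 5. "Sign with several keys" means several copies, each with a single signature
    other = Key("Distro-2013")
    copies = [Image(shim.payload, k.name, k.sign(shim.payload)) for k in (distro, other)]
    out["distinct_copies"] = len({(c.signer, c.signature) for c in copies})
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The ordering in `verify_image` is the part worth keeping in mind when reading the reply: a dbx entry (by hash or by certificate) wins over any db entry, which is why a KEK-signed revocation is sufficient to stop a compromised-key binary from booting without touching db at all.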