On 10/26/2016 10:35 PM, Theodore Ts'o wrote:
> In the case of firmware which is flashed into non-volatile memory, I
> would guess that it probably wouldn't necessarily use the
> Microsoft signing key at all. (For example, for a long time most
> printers were not bothering to do any digital signature checking at
> all before installing a firmware update.)

I think this is pretty much untrue, bugs notwithstanding. If the machine is booting in Secure Boot mode, the UEFI firmware is supposed to validate Option ROMs found on addon cards (PXE boot ROM, VGA BIOS, RAID adapter ROM) if executed on the main CPU. The printer example is not particularly relevant to that.

Kind regards
Philipp Kern