On Fri, Nov 24, 2017 at 02:46:14PM +0000, Julien Cristau wrote:
>On 11/23/2017 04:03 PM, Steve McIntyre wrote:
>>>> Who can update shim?
>>>> --------------------
>>>>
>>>> Who can update shim(-signed)?
>>
>> In theory, anyone. In practice, only a small number of people have
>> access to the key material needed to ask for a new signature for a new
>> shim binary. Tollef was setting up (has set up?) m-of-n sharding for
>> that key material.
>>
>Anyone can update shim, but of course it won't do much good on its own.
>Getting it signed requires uploading the binary, which requires signing
>it with an EV cert that lives on an HSM, so that won't be sharded, and
>means a shim-signed upload is gated on the person in whose possession
>the HSM lives. (It's also not a huge deal because we can get a
>replacement from a CA if we need to.)
>
>shim embeds a CA cert which issues the actual code signing cert for our
>grub/kernel/... binaries. We're going to need sharding for that one.

ACK, thanks for clarifying - I was mis-remembering the exact setup for
those keys.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
Dance like no one's watching. Encrypt like everyone is.
 - @torproject