
Re: questions about UEFI-Secure Boot



On 11/23/2017 04:03 PM, Steve McIntyre wrote:
>>> Who can update shim?
>>> --------------------
>>>
>>> Who can update shim(-signed)?
> 
> In theory, anyone. In practice, only a small number of people have
> access to the key material needed to ask for a new signature for a new
> shim binary. Tollef was setting up (has set up?) m-of-n sharding for
> that key material.
> 
Anyone can update shim, but of course it won't do much good on its own.
Getting it signed requires uploading the binary, which requires signing
it with an EV cert that lives on an HSM, so that won't be sharded, and
means a shim-signed upload is gated on the person in whose possession
the HSM lives.  (It's also not a huge deal because we can get a
replacement from a CA if we need to.)

shim embeds a CA cert which issues the actual code signing cert for our
grub/kernel/... binaries.  We're going to need sharding for that one.

Cheers,
Julien

