
Re: the ghost of UEFI and Micr0$0ft



Hello Miles,

Miles Bader <miles@gnu.org> wrote:
> Or is entering a new key a "manual" process ("type in the 50 hex digit
> key")?

Something like that, yes. Either via an already-signed update at
runtime or manually at something like the current BIOS interfaces.

> Can there be multiple keys (I vaguely recall the article saying there
> could only be one key [at MS's insistence]...but not sure if I really
> understood what it was saying)?

At the moment, only one key can be used to _sign_ software/drivers.
There can be more than one key on your computer to verify these
signatures.

That is, a driver A can only be signed by one entity (1) and
driver B can only be signed by 2, but if you have both the public
keys of 1 and 2 in your UEFI keystore, you can load driver A and
driver B. Of course, it is also possible to distribute variants A'
and A'' signed by 2 and 3.

Best regards,

Claudius
-- 
I tried the clone syscall on me, but it didn't work.
		-- Mike Neuffer trying to fix a serious time problem
http://chubig.net                          telnet nightfall.org 4242
