On 2022-04-26 at 10:14, Marc Haber wrote: > On Sat, 23 Apr 2022 18:21:47 +0100, Steve McIntyre > <st...@einval.com> wrote:
>> Alternatively, people can build replacement shim-signed packages >> using their own root of trust if desired. If we had a large enough >> number of users wanting a different root of trust, we could even >> offer our own different shim-signed package to match. > > I would probably prefer to have grub an/or the kernel signed, > avoiding additional code, but maybe having some explanation would > convince me that the shim actually improves things additionally to > adding complexity. My understanding has always been that the point of having a Microsoft-signed shim, rather than having Microsoft sign GRUB or the kernel, is to A: avoid the need for round-trip with Microsoft's signing facilities every time the GRUB or kernel packages are updated, and B: ensure that end-users can still build their own kernels (et cetera) without having to go through the Microsoft signing process, even if their systems are set up to take advantage of the signed shim. (And the point of having Microsoft sign it, rather than using a signing key under the control of e.g. Debian, is that Microsoft's key is already considered valid by the relevant firmware environments - including the ones that can't be told to add another key to the list of valid ones. That avoids having another barrier to entry, in the form of a set of steps at the start of the install process which is going to be different per UEFI designer, and is also going to be complex and unintuitive from the perspective of a non-technical potential new user.) I can't speak to how big of an advantage A is, but B seems to me to be pretty important. If that understanding is not correct, I'd be interested to learn what the actual point of having the shim is. -- The Wanderer The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. -- George Bernard Shaw
signature.asc
Description: OpenPGP digital signature
