On Sun, Dec 09, 2012 at 08:08:01PM -0500, Rich Freeman wrote:
> On Sun, Dec 9, 2012 at 7:57 PM, Diego Elio Pettenò
> <flamee...@flameeyes.eu> wrote:
> > On 10/12/2012 01:52, Rich Freeman wrote:
> >>  The shim might work, but I'd hardly call it "secure boot" if every
> >> motherboard manufacturer and OEM in the world has the ability to sign
> >> things, even if MS vouched for them all.  Even if I installed Windows
> >> I'd want the ability to re-sign it with a key I controlled and tell
> >> the firmware to refuse to boot the MS key.
> >
> > I don't think it's Gentoo's place to do that kind of stuff especially
> > since I think you're in dreamland if you think that's achievable in
> > _every_ case. It probably works in some cases, though.
> 
> Any Windows-logo-compliant firmware has to support changing the keys.

Not necessarily, as I'm finding out with real hardware.  My only options
on the box I have are to either zero out all keys, or specifically tell
the BIOS what binary to run (doesn't need to be signed, and cannot be
changed after telling the BIOS to use it).

I'm working with others to see if we can programmatically add keys,
which we should, and if so we will offer the code up to do so (it's
published already; we are working on getting it signed by the needed
Microsoft keys right now).

thanks,

greg k-h
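
As an added example, not from this thread or from Greg's signing work: a Python parser for the EFI_SIGNATURE_LIST structures that make up the firmware's db/KEK variables, which is the check for which signing keys a given machine actually trusts before and after any key-enrollment attempt. The owner GUID and the "certificate" bytes in the sample are constructed placeholders; the signature-type GUIDs are the ones from the UEFI specification.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
HEADER = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize

def strip_efivarfs_header(raw):
    """efivarfs files start with a 4-byte attribute word; return (attrs, data)."""
    attrs, = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]

def parse_signature_lists(data):
    """Walk concatenated EFI_SIGNATURE_LISTs (db/dbx/KEK contents); malformed sizes raise."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = HEADER.unpack_from(data, off)
        if list_size < HEADER.size + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16 or (list_size - HEADER.size - hdr_size) % sig_size:
            raise ValueError("bad SignatureSize")
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + HEADER.size + hdr_size
        while pos < off + list_size:  # each EFI_SIGNATURE_DATA: owner GUID + blob
            entries.append({"type": SIG_TYPES.get(sig_type, str(sig_type)),
                            "owner": str(uuid.UUID(bytes_le=data[pos:pos + 16])),
                            "data": data[pos + 16:pos + sig_size]})
            pos += sig_size
        off += list_size
    return entries

def build_signature_list(sig_type, owner, blobs):  # serializer, used for sample data
    body = b"".join(owner.bytes_le + b for b in blobs)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0, 16 + len(blobs[0])) + body

def summarize_db(data):
    """Count enrolled entries by type: the quick check of what the firmware trusts."""
    counts = {}
    for entry in parse_signature_lists(data):
        counts[entry["type"]] = counts.get(entry["type"], 0) + 1
    return counts

# Constructed sample db: a placeholder "certificate" plus two SHA-256 hash entries.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82FAKE-DER-CERT"])
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x01" * 32, b"\x02" * 32]))
```

On a real Linux box, feed the bytes of /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f through strip_efivarfs_header and then parse_signature_lists; a db that is empty, or that only lists the vendor certificates, tells you directly what the firmware options Greg describes have left you with.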
