On Mon, Dec 10, 2012 at 8:36 PM, Greg KH <gre...@gentoo.org> wrote:
> Matthew's frontend "shim" code is nice and tiny, but the one I am
> referring to provides the ability to enroll your own keys in the BIOS,
> which shim does not.

I just tried shim in OVMF, and it provides an interface to enroll keys / signatures. It works as advertised, even after enrolling the “Microsoft Corporation UEFI CA 2011” certificate into UEFI (instead of the shim.efi hash), which is supposedly trusted by vendors, but the keys and signatures are only visible to shim — as I understand, it keeps them in authenticated variables. I don't think the difference matters much to the user.

By the way, shim's interface is not much prettier than the one provided by OVMF — I am a bit disappointed. :)

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte