On Sat, Jun 2, 2012 at 3:51 PM, pk <pete...@coolmail.se> wrote:
> On 2012-06-02 15:12, Florian Philipp wrote:
>
>> According to [1] it is SHA-256 and RSA-2048. If I understand it
>> correctly, there are means to blacklist compromised keys. That's
>> why
>
> Just curious, how is a "compromised" key supposed to be blacklisted?
> Does the BIOS contact Microsoft, or is it through some other means (via
> OS, which means it needs to have some sort of service to check for this
> blacklist)? Smells like trouble to me... :-/
I expect the chief mechanism is at the manufacturer's end; blacklisted keys get included on shipment. It's also probable that the OS kernel can tell the UEFI BIOS about new keys to blacklist. I expect that'll be a recurring thing in the monthly batch of security updates Microsoft puts out. (Makes sense, really; if malware is using a key, blacklist that key.)

Someone linked to some absolutely terrible stuff being built into Intel's Ivy Bridge... it's plausible it will be possible to deploy blacklist key updates over the network within a couple years.

--
:wq
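For readers wondering what the "blacklist" physically is: in UEFI Secure Boot it is the forbidden-signature database, the authenticated variable `dbx`, whose contents are a sequence of EFI_SIGNATURE_LIST structures (per the UEFI specification) holding either SHA-256 hashes of banned images or banned X.509 certificates. The block below is an added example, not code from anyone in this thread. It serializes and parses that on-disk format, builds a constructed sample dbx, and checks whether a (constructed) loader image's hash appears in it; the GUIDs are the real ones from the specification, the hashes and certificate bytes are constructed placeholders, and the efivarfs path is the standard Linux location but is not touched when the block runs offline.

```python
import hashlib
import struct
import uuid

# GUIDs from the UEFI specification: the first identifies db/dbx, the other
# two are SignatureType values found inside an EFI_SIGNATURE_LIST.
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Linux efivarfs exposes each variable as <name>-<vendor guid>; assumption:
# a 4-byte attribute word precedes the variable data in that file.
DBX_EFIVARFS_PATH = f"/sys/firmware/efi/efivars/dbx-{EFI_IMAGE_SECURITY_DATABASE_GUID}"


def build_signature_list(sig_type, entries, owner=uuid.UUID(int=0)):
    """Serialize one EFI_SIGNATURE_LIST.
    Layout: SignatureType(16) SignatureListSize(4) SignatureHeaderSize(4)
            SignatureSize(4) [header] then N x (SignatureOwner(16) + SignatureData)."""
    if not entries:
        raise ValueError("a signature list needs at least one entry")
    data_len = len(entries[0])
    if any(len(e) != data_len for e in entries):
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + data_len
    list_size = 28 + sig_size * len(entries)
    out = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    for e in entries:
        out += owner.bytes_le + e
    return out


def parse_signature_lists(blob):
    """Walk a concatenation of EFI_SIGNATURE_LISTs, yielding (type, owner, data).
    Every size field is bounds-checked so a malformed variable raises instead of
    being silently misread."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def revoked_sha256_hashes(dbx_blob):
    """Set of SHA-256 digests the dbx forbids (X.509 entries are skipped here)."""
    return {data for t, _, data in parse_signature_lists(dbx_blob) if t == EFI_CERT_SHA256_GUID}


def is_image_revoked(image_bytes, dbx_blob):
    """Simplified check: hash the whole image and look it up in the dbx.
    Real firmware hashes the Authenticode-defined regions of the PE file,
    not the raw bytes, so this is illustrative of the lookup, not a verifier."""
    return hashlib.sha256(image_bytes).digest() in revoked_sha256_hashes(dbx_blob)


def load_dbx_from_efivarfs(path=DBX_EFIVARFS_PATH):
    """Read the live dbx on a Linux system; strips the 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample data: one banned image hash and one placeholder certificate.
BAD_LOADER = b"constructed bad bootloader bytes"
GOOD_LOADER = b"constructed good bootloader bytes"
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, [hashlib.sha256(BAD_LOADER).digest()])
    + build_signature_list(EFI_CERT_X509_GUID, [b"placeholder DER certificate bytes"])
)

if __name__ == "__main__":
    for t, owner, data in parse_signature_lists(SAMPLE_DBX):
        kind = "sha256" if t == EFI_CERT_SHA256_GUID else "x509" if t == EFI_CERT_X509_GUID else str(t)
        print(f"{kind:7} owner={owner} {data.hex()[:32]}...")
    print("bad loader revoked:", is_image_revoked(BAD_LOADER, SAMPLE_DBX))
    print("good loader revoked:", is_image_revoked(GOOD_LOADER, SAMPLE_DBX))
```

On a Linux machine with Secure Boot firmware, `parse_signature_lists(load_dbx_from_efivarfs())` lists what the platform currently forbids; an update that lands via the OS shows up as new entries in that variable, which is a cheap thing to baseline and diff after each update cycle.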