Hi

On Thu, Mar 12, 2015 at 2:06 PM, Andrei Borzenkov <arvidj...@gmail.com> wrote:
> On Thu, Mar 12, 2015 at 1:30 PM, David Herrmann <dh.herrm...@gmail.com> wrote:
>>>> With systemd-boot, there will be no config to sign:
>>>>
>>>> https://harald.hoyer.xyz/2015/02/25/single-uefi-executable-for-kernelinitrdcmdline/
>>>>
>>>
>>> How exactly putting files in a container solves the problem that they
>>> are not signed? This is not quite obvious from blog post.
>>
>> The config/etc. snippets are now part of the _signed_ EFI binary,
>> which is always verified by the firmware. Therefore, we don't need to
>> verify the other snippets separately.
>
> Where signing key comes from? Is this key generated by user on end
> system and enrolled in firmware?

This is the key used by EFI secure boot. We don't change the semantics
in any way. (yes, the key can be provided by the machine owner and
stored in firmware, please see EFI specs for information)

Thanks
David