https://bugzilla.novell.com/show_bug.cgi?id=842144

https://bugzilla.novell.com/show_bug.cgi?id=842144#c7

--- Comment #7 from Michael Chang <mchang@suse.com> 2013-09-27 07:14:04 UTC ---

(In reply to comment #6)
> Current grub2 supports (mandatory) signature verification. Minor details are
> key management and what to do with volatile files (grub.cfg, grubenv and
> similar) :) But this is better discussed in a feature request.

It would be a rather big topic. :) I can imagine two of them here .. :)

1. shim might have to offer MOKx to blacklist a MOK or the hash of a binary, so that if we fix or improve any vulnerability in the bootloader (like this case), it's possible to have a new cert and blacklist the old one (there seems to be progress or direction on this in upstream shim ..).

2. It is possible for grub2 to load signed modules and a signed grubenv file. Well, as long as grub2 only accepts gpg signing keys and tools, I don't know how it can be integrated into MOK keyrings, and there are probably potential license issues with different crypto implementations etc. (openssl/gpg/nss).