On Thu, Jun 07, 2012 at 05:26:54PM +0000, Jim Henderson wrote:
On Thu, 07 Jun 2012 13:17:41 -0400, Andrew Joakimsen wrote:
This would kind of defeat the purpose... Then anyone could take this bootloader and boot everything.
It will get the certificate revoked quite fast (although I do not know how they do it).
So wouldn't the certificate be revoked if we put it in the OBS and SuSE Studio and let anyone sign their stuff?
If you're referring to the idea I suggested, I wasn't suggesting that a single certificate be used for all of OBS and Studio, but rather that there be a CA server with a trusted chain back to Verisign, and that upon request, Studio and OBS could issue a unique certificate with a valid chain of trust back to Verisign that could be revoked by OBS/Studio if it were abused in some way.
But that assumes that CRLs could be used by UEFI, and it's not clear to me that they could be - since it's implemented in hardware and updating the CRL would require Internet connectivity.
As far as I know, UEFI defined the "dbx" variable to hold those blacklisted certificates/hashes, which serves a similar purpose to a CRL IMHO. However, in order to write new variables to dbx (read: have no restrictions), that variable has to be signed with KEK_priv, and the firmware would use KEK_pub (certificate) to verify the signature. Only those variables that pass the authentication could be allowed to be written. In the UEFI specification such variables are classed as "authenticated variables" and are described in Variable Services in Chapter 7.2 of the UEFI spec. That means you couldn't update dbx unless the firmware enrolled your key, which implies only Microsoft could do that for now since it's the only OSV that has its key in the firmware.

Regards,
Michael
Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
-- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
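The gating Michael describes (dbx as a firmware-resident revocation list, writable only through an authenticated variable update signed with KEK_priv and checked against the enrolled KEK_pub) is easier to reason about as a small executable model. The Python below is an added example, not code from this thread or from any UEFI implementation: it stands in a toy textbook RSA pair with tiny primes for KEK_priv/KEK_pub, a `Firmware` class whose `write_dbx` refuses any payload not signed by the enrolled key, and a `may_boot` check in which dbx always wins over db. Real firmware verifies a PKCS#7 signature over the variable contents plus timestamp (EFI_VARIABLE_AUTHENTICATION_2), not a bare hash; the image, hash values and key sizes here are constructed for illustration.

```python
"""Model of UEFI dbx updates as KEK-signed authenticated variable writes (illustration only)."""
import hashlib
from dataclasses import dataclass, field

# --- Toy textbook RSA standing in for KEK_priv / KEK_pub. Tiny primes, no padding:
# --- a model of "signed with KEK_priv, verified with KEK_pub", not a usable scheme.
def make_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse; needs Python 3.8+
    return (n, e), (n, d)               # (public, private)

def _digest(n: int, data: bytes) -> int:
    # Hash the variable payload and reduce into the RSA modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(n, data), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(n, data)

def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def encode_hashes(hashes) -> bytes:
    # Deterministic encoding of the dbx payload so signer and firmware hash the same bytes
    return "\n".join(sorted(hashes)).encode()

@dataclass
class Firmware:
    kek_pub: tuple                              # KEK enrolled by the OEM at manufacture time
    db: set = field(default_factory=set)        # allowed image hashes (Secure Boot "db")
    dbx: set = field(default_factory=set)       # forbidden image hashes (Secure Boot "dbx")

    def write_dbx(self, new_hashes, sig: int) -> bool:
        """Authenticated variable write: the payload is applied only if KEK_priv signed it."""
        if not verify(self.kek_pub, encode_hashes(new_hashes), sig):
            return False     # signer's key is not the enrolled KEK: write refused
        self.dbx |= set(new_hashes)
        return True

    def may_boot(self, image: bytes) -> bool:
        h = image_hash(image)
        if h in self.dbx:    # dbx is consulted first and overrides any db entry
            return False
        return h in self.db

def demo() -> dict:
    kek_pub, kek_priv = make_keypair(1000003, 1000033)   # the OSV key the firmware enrolled
    _, other_priv = make_keypair(1000037, 1000039)       # a key the firmware never enrolled
    loader = b"constructed bootloader image v1"           # constructed sample image
    fw = Firmware(kek_pub=kek_pub, db={image_hash(loader)})
    revoke = {image_hash(loader)}
    payload = encode_hashes(revoke)

    results = {"boots_before": fw.may_boot(loader)}
    # A party without the enrolled key cannot push a revocation, however well-formed
    results["unenrolled_key_write"] = fw.write_dbx(revoke, sign(other_priv, payload))
    # A genuine KEK signature over different bytes does not authorize this payload
    results["tampered_payload_write"] = fw.write_dbx(revoke, sign(kek_priv, payload + b"x"))
    results["boots_after_rejected_writes"] = fw.may_boot(loader)
    # Only the KEK holder can revoke, after which dbx blocks the image despite its db entry
    results["kek_write"] = fw.write_dbx(revoke, sign(kek_priv, payload))
    results["boots_after_revocation"] = fw.may_boot(loader)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model makes the point of the thread concrete: a CRL-like list does exist in the firmware, but the authority to append to it is whoever holds the private half of the enrolled KEK, so a distribution cannot revoke its own certificates through dbx without that key, independent of whether the machine has Internet connectivity.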