[ Trimming some quoting! ]

On Tue, Jun 04, 2019 at 11:17:09AM -0400, Francois Ozog wrote:
>On Tue, 4 Jun 2019 at 10:57, Ard Biesheuvel <[email protected]>
>>>
>> Yes, that makes sense. But the problem is that UEFI secure boot does not
>> support this model. An image is considered valid if it authenticates
>> against any of the keys in db. And any key in KEK can sign updates to db
>> and dbx. And today's current practice is to include Microsoft keys in both
>> KEK and db.
>>
>> I have argued time and time again that this is entirely broken as a
>> security model. Any db update that Microsoft has ever signed can be applied
>> to my brand new arm64 system (unless it has been blacklisted explicitly,
>> and my vendor has bothered to ship with an up to date dbt)
>>
>> I am perfectly happy to reopen that debate as well, by the way :-)
>>
>Is it correct to say that Msft could revoke selective keys and prevent the
>boot of selected devices?
>If true, in the current geopolitical context, I would assume this is not
>acceptable... and distros may not have the final word here as it may be
>regulatory constraints or customer requirement.
Technically yes, but actually updating the revocation and blacklists is
quite rare. It would be up to the user (or some user-enabled software) to
take the updates.

Cheers,
-- 
Steve McIntyre                                [email protected]
<http://www.linaro.org/>                Linaro.org | Open source software for ARM SoCs

_______________________________________________
boot-architecture mailing list
[email protected]
https://lists.linaro.org/mailman/listinfo/boot-architecture
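The trust rules Ard summarises (any key in db authorises an image; any key in KEK authorises a db/dbx update; only an explicit dbx entry overrides that) can be modelled in a few lines. The following Go program is an added illustration written for this archive page, not code from the thread or from any firmware; it uses ed25519 keys and raw byte slices as stand-ins for the X.509 certificates and PKCS#7-signed authenticated variables real firmware uses, and the image bytes, key names and two "machines" are constructed for the example. It shows why a db update signed by a shared KEK holder applies equally to every system that carries that KEK entry, and why an up-to-date dbx is the only thing that stops it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Policy models the three UEFI authenticated variables named in the thread.
// Assumption for this example: keys are raw ed25519 public keys rather than
// X.509 certificates, and dbx holds forbidden keys plus SHA-256 image hashes.
type Policy struct {
	db      []ed25519.PublicKey // keys whose signatures authorise an image
	dbxKeys []ed25519.PublicKey // explicitly forbidden signing keys
	dbxHash [][32]byte          // explicitly forbidden image hashes
	kek     []ed25519.PublicKey // keys allowed to sign db/dbx updates
}

func keyIn(list []ed25519.PublicKey, k ed25519.PublicKey) bool {
	for _, e := range list {
		if bytes.Equal(e, k) {
			return true
		}
	}
	return false
}

// ImageAllowed: accepted if the signature verifies under ANY key in db,
// unless the image hash or the signing key is listed in dbx.
func (p *Policy) ImageAllowed(image, sig []byte, signer ed25519.PublicKey) bool {
	h := sha256.Sum256(image)
	for _, bad := range p.dbxHash {
		if bad == h {
			return false
		}
	}
	if keyIn(p.dbxKeys, signer) {
		return false
	}
	return keyIn(p.db, signer) && ed25519.Verify(signer, image, sig)
}

// ApplyDbUpdate: a new db entry is enrolled only when the update is signed
// by a key present in KEK. Nothing ties the update to one machine.
func (p *Policy) ApplyDbUpdate(newKey ed25519.PublicKey, sig []byte, kekSigner ed25519.PublicKey) bool {
	if !keyIn(p.kek, kekSigner) || !ed25519.Verify(kekSigner, newKey, sig) {
		return false
	}
	p.db = append(p.db, newKey)
	return true
}

// Outcome records the four checks the scenario below makes.
type Outcome struct {
	DistroImageBoots      bool // distro-signed image accepted on its own machine
	UpdateAppliesOnOther  bool // KEK-signed db update also accepted on a second machine
	NewKeyBootsOnOther    bool // key enrolled by that update now authorises images there
	BlockedOnceInDbx      bool // an explicit dbx entry is what finally refuses it
}

// Scenario builds two unrelated machines that ship the same KEK entry and
// walks through the behaviour described in the thread. All keys are
// generated fresh; the "bootloader" is a constructed byte string.
func Scenario() Outcome {
	gen := func() (ed25519.PublicKey, ed25519.PrivateKey) {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		return pub, priv
	}
	kekPub, kekPriv := gen()       // shared KEK holder (constructed stand-in)
	distroPub, distroPriv := gen() // the distro's own shim/bootloader key
	otherPub, otherPriv := gen()   // some key later enrolled via a KEK-signed update

	a := &Policy{db: []ed25519.PublicKey{distroPub}, kek: []ed25519.PublicKey{kekPub}}
	b := &Policy{db: []ed25519.PublicKey{distroPub}, kek: []ed25519.PublicKey{kekPub}}

	image := []byte("constructed sample bootloader image")
	distroSig := ed25519.Sign(distroPriv, image)
	otherSig := ed25519.Sign(otherPriv, image)

	var o Outcome
	o.DistroImageBoots = a.ImageAllowed(image, distroSig, distroPub)

	// One db update, signed once by the KEK key, is valid on both machines.
	update := ed25519.Sign(kekPriv, otherPub)
	a.ApplyDbUpdate(otherPub, update, kekPub)
	o.UpdateAppliesOnOther = b.ApplyDbUpdate(otherPub, update, kekPub)
	o.NewKeyBootsOnOther = b.ImageAllowed(image, otherSig, otherPub)

	// Only an explicit dbx entry (here the key; an image hash works too) stops it.
	b.dbxKeys = append(b.dbxKeys, otherPub)
	o.BlockedOnceInDbx = !b.ImageAllowed(image, otherSig, otherPub)
	return o
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The point for anyone shipping firmware or a distro image is the last two flags: enrolment through KEK is global, while refusal through dbx is per-entry and only as good as the dbx the vendor actually ships.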
