On Tue, May 21, 2013 at 10:52:27AM +0200, Laszlo Ersek wrote:
> On 05/16/13 08:04, Gary Ching-Pang Lin wrote:
> > On Wed, May 15, 2013 at 03:22:53PM +0200, Laszlo Ersek wrote:
> 
> >> [...] I failed to secure boot Fedora 19
> >> <http://www.linux-kvm.org/page/OVMF#Confirmation_of_secure_boot_in_Fedora_18>,
> >> which I guess might still relate to this thread (also started by you):
> >> <http://thread.gmane.org/gmane.comp.bios.tianocore.devel/2329>.
> 
> > I think so. The git head OVMF (after applying your patch) works well with the
> > latest SLE 11 SP3 boot loader.
> 
> Actually it also works with Fedora 19 (unreleased for the time being) if
> 
> (a) the "shim" utility is signed with "pesign-0.104-1.fc19"
> <https://koji.fedoraproject.org/koji/buildinfo?buildID=419603>, and
> 
> (b) the following key enrollment scheme is used:
> 
>   RedHatTestCA -> PK
>   <nothing>    -> KEK
>   RedHatTestCA -> DB
> 
> rather than the older / original
> 
>   RedHatTestCA          -> PK
>   RedHatTestCertificate -> KEK
>   RedHatTestCertificate -> DB
> 
> The enrollment change in (b) is required because of the verification
> policy change in SVN r14141
> <https://github.com/tianocore/edk2/commit/6de4c35f#L0L1014>.
> 
> It proved quite a challenge for me to track (b) down
> <https://bugzilla.redhat.com/show_bug.cgi?id=963361>, but ultimately new
> pesign does work!
> 
The old pesign only inserted the signer certificate, so the signer certificate
can be enrolled in db and used to verify images.

However, the newer pesign (I forgot the commit number) also inserted the root CA,
so the root CA has to be in db, so the firmware can start the verification from
the root CA.

Gary Lin
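The rule Gary describes above, as an added model that is not code from this thread, from pesign or from edk2: the verifier extends the certificate chain with the certificates embedded in the PE signature first, and only then consults db, at the top of that chain. That rule, the partial-chain allowance for a non-self-signed top, and the two Cert objects standing in for RedHatTestCA and RedHatTestCertificate are assumptions; they reproduce the outcomes reported in the thread (old pesign works with the signer in db, new pesign needs the root CA in db), but real verification checks signatures, not names. PK and KEK are carried along only to show that they play no part in image verification.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """A certificate reduced to its naming links. Signatures, key usage and
    validity periods are not modelled; only who claims to have issued whom."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed stand-ins for the two certificates named in the thread.
RED_HAT_TEST_CA = Cert(subject="RedHatTestCA", issuer="RedHatTestCA")
RED_HAT_TEST_CERT = Cert(subject="RedHatTestCertificate", issuer="RedHatTestCA")

# What each pesign generation carries in the PE signature, as described in the
# thread: the old one only the signer, the new one the signer plus the root CA.
OLD_PESIGN_EMBEDDED: List[Cert] = [RED_HAT_TEST_CERT]
NEW_PESIGN_EMBEDDED: List[Cert] = [RED_HAT_TEST_CERT, RED_HAT_TEST_CA]

# The two enrollment schemes from the thread. PK and KEK are listed for
# completeness only: image verification consults db (and dbx), not PK or KEK.
ENROLLMENT_ORIGINAL: Dict[str, Set[Cert]] = {
    "PK": {RED_HAT_TEST_CA}, "KEK": {RED_HAT_TEST_CERT}, "db": {RED_HAT_TEST_CERT}}
ENROLLMENT_B: Dict[str, Set[Cert]] = {
    "PK": {RED_HAT_TEST_CA}, "KEK": set(), "db": {RED_HAT_TEST_CA}}


def build_embedded_chain(signer: Cert, embedded: Iterable[Cert]) -> List[Cert]:
    """Walk upward from the signer using only certificates carried in the
    signature itself. Stops at a self-signed certificate or when the next
    issuer is not embedded."""
    by_subject = {c.subject: c for c in embedded}
    chain = [signer]
    while not chain[-1].self_signed:
        parent = by_subject.get(chain[-1].issuer)
        if parent is None or parent in chain:
            break
        chain.append(parent)
    return chain


def firmware_accepts(signer: Cert, embedded: Iterable[Cert], db: Set[Cert]) -> bool:
    """Assumed verifier rule (not edk2's actual code): the chain is extended
    with embedded certificates first, and db is consulted only at the top of
    that chain. A self-signed root reached through the embedded certificates
    must itself be enrolled, because nothing above it can be looked up."""
    top = build_embedded_chain(signer, embedded)[-1]
    if top in db:
        return True   # trust anchor found exactly where the embedded chain ends
    if top.self_signed:
        return False  # embedded root that is not enrolled: verification stops here
    # Partial embedded chain: the missing issuer may be enrolled in db instead.
    return any(c.subject == top.issuer for c in db)


def enrollment_matrix() -> Dict[Tuple[str, str], bool]:
    """Every pesign generation against every enrollment scheme from the thread."""
    results: Dict[Tuple[str, str], bool] = {}
    for pesign, embedded in (("old pesign", OLD_PESIGN_EMBEDDED),
                             ("new pesign", NEW_PESIGN_EMBEDDED)):
        for name, enrollment in (("original", ENROLLMENT_ORIGINAL),
                                 ("scheme (b)", ENROLLMENT_B)):
            results[(pesign, name)] = firmware_accepts(
                RED_HAT_TEST_CERT, embedded, enrollment["db"])
    return results


if __name__ == "__main__":
    for (pesign, enrollment), ok in enrollment_matrix().items():
        print(f"{pesign} + {enrollment} enrollment -> {'boots' if ok else 'rejected'}")
```

The one cell that fails is new pesign with the original enrollment: the embedded chain now ends at the self-signed RedHatTestCA, and db holds only RedHatTestCertificate, so the anchor lookup at the top of the chain finds nothing. Moving RedHatTestCertificate into KEK does not help, since KEK only authorizes db updates; the fix is to enroll the root CA in db, which is scheme (b).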

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel