[arch-general] UEFI secure boot

Genes MailLists lists at sapience.com
Tue Jun 5 12:05:12 EDT 2012


On 06/05/2012 11:25 AM, Calvin Morrison wrote:

> 
> Just wondering - why does it have to be Microsoft's Key to be used? Could
> there be an Arch Linux provided key that would allow a Secure Boot?
> 
> Thanks
> 
> calvin
> 

  To be a bit more precise - the key belongs to the owner as always.
It's the signing of the key by a Certificate Authority that is the
second step - it is expensive to create a CA (as discussed in mjg's
blog) - Microsoft offers a UEFI CA service to sign your key. Fedora
plans to have their Fedora key signed by the UEFI CA - so no further
change to the firmware is needed.

  They also are putting some tools together to help users to self sign
their own key - which is used to sign the boot loader (etc) and also
to store the CA key in the firmware so the signed bootloader will be
approved by Secure Boot using your own private CA.

  In order for there to be an Arch provided key - it would need either
to be signed by the UEFI CA or self signed with the CA key stored in
firmware ... or something like that.

   I don't yet know how MS UEFI CA key updates get installed into the
firmware. I suppose it will be done much like a BIOS update.


 gene/
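
The trust decision described in this message, modelled with plain openssl as an added example (not part of the original post and not any distribution's tooling): the owner's key is certified by a CA, and the boot loader is accepted only when that CA is the one enrolled. The CA names, file names and helper functions are constructed for illustration, and a CMS signature over a small file stands in for the Authenticode signature that real firmware checks on a PE image.

```shell
#!/bin/sh
# Constructed model of the Secure Boot trust decision, using openssl CMS signatures.
# Real firmware checks an Authenticode signature on a PE image; the chain logic is alike.
W=$(mktemp -d)
# Minimal config so each CA certificate carries basicConstraints CA:TRUE.
cat > "$W/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME: self-signed CA certificate, the one that would be stored in firmware.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$W/ca.cnf" \
        -subj "/CN=$1" -keyout "$W/$1.key" -out "$W/$1.crt" 2>/dev/null
}

# issue_key CA NAME: the owner's signing key, certified by CA.
issue_key() {
    openssl req -new -newkey rsa:2048 -nodes -config "$W/ca.cnf" -subj "/CN=$2" \
        -keyout "$W/$2.key" -out "$W/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$W/$2.csr" -CA "$W/$1.crt" -CAkey "$W/$1.key" \
        -CAcreateserial -days 30 -out "$W/$2.crt" 2>/dev/null
}

# sign_loader NAME FILE: detached signature over the boot loader with the owner's key.
sign_loader() {
    openssl cms -sign -binary -in "$2" -signer "$W/$1.crt" -inkey "$W/$1.key" \
        -outform DER -out "$2.sig" 2>/dev/null
}

# firmware_accepts CA FILE: succeeds only if the signature chains to the enrolled CA.
firmware_accepts() {
    openssl cms -verify -binary -purpose any -inform DER -in "$2.sig" \
        -content "$2" -CAfile "$W/$1.crt" -out /dev/null 2>/dev/null
}

make_ca own-ca && make_ca other-ca && issue_key own-ca owner
printf 'constructed boot loader image\n' > "$W/loader.efi"
sign_loader owner "$W/loader.efi"
firmware_accepts own-ca "$W/loader.efi" && echo "own CA enrolled: loader accepted"
firmware_accepts other-ca "$W/loader.efi" || echo "other CA enrolled: loader rejected"
```

The same signed file is accepted or rejected depending only on which CA certificate the verifier trusts, which is why a distribution key needs either a signature from a CA already in firmware or its own CA enrolled there.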

