Re: [RFC] Second attempt at kernel secure boot support

From: Matthew Garrett
Date: Sat Nov 03 2012 - 12:37:57 EST


On Sat, Nov 03, 2012 at 04:31:52PM +0000, Alan Cox wrote:
> > You're guaranteed to be able
> > to do this on any Windows 8 certified hardware.
>
> That's not my understanding of the situation.

"17. Mandatory. On non-ARM systems, the platform MUST implement the
ability for a physically present user to select between two Secure Boot
modes in firmware setup: "Custom" and "Standard". Custom Mode allows for
more flexibility as specified in the following:

a. It shall be possible for a physically present user to use the Custom
Mode firmware setup option to modify the contents of the Secure Boot
signature databases and the PK. This may be implemented by simply
providing the option to clear all Secure Boot databases (PK, KEK, db,
dbx), which puts the system into setup mode."

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx