Re: [CentOS] Boot failed on latest CentOS 7 update

On Sun, Aug 2, 2020 at 1:01 PM Phil Perry pperry@elrepo.org wrote:

I believe Microsoft signs the shim which then becomes the trusted authority and embeds RH (or CentOS) signing cert, so (I believe) every release of the shim needs to be signed by Microsoft. So it's not quite as efficient as MS signing a RH/CentOS CA key, but is not far off.

One of the things that bugs me about PKI trust chains like this, what happens if the unthinkable happens, and Microsoft's RootCA gets compromised and has to be revoked... does that mean every single piece of UEFI hardware out there needs a BIOS upgrade? and don't UEFI bios updates have to be signed too?