On 02/08/2020 19:54, John Pierce wrote:
On Sun, Aug 2, 2020 at 11:45 AM Phil Perry pperry@elrepo.org wrote:
On 02/08/2020 16:26, Valeri Galtsev wrote:
On the side note: it is Microsoft that signs one of Linux packages now.
We seem to have made one more step away from “our” computers being _our computers_. Am I wrong?
Valeri
Microsoft are the Certificate Authority for SecureBoot and most SB-enabled hardware (most x86 hardware) comes with a copy of the Microsoft key preinstalled allowing binaries that are signed by Microsoft to work. In the case of linux, that is the shim which becomes the root of trust to load everything else. If you are not happy with that you can always become your own certificate authority by generating your own keys, install your signing keys in the hardware's firmware (MOK list) and sign stuff yourself to use on your own machine(s).
However if you wish to distribute stuff to others and have it work seamlessly on hardware outside of your direct control and without the need for every user to import your CA SecureBoot signing key into the MOK list on every device, you would rely on Microsoft to sign SB related content.
now, does Microsoft have to sign each released module themselves, or will they issue a CA cert to an authorized OS creator, like RH, then let RH sign their own modules?
EG, Microsoft RootCA -> Signed Package vs, Microsoft RootCA -> RH Child CA -> Signed Package ....
I believe Microsoft signs the shim which then becomes the trusted authority and embeds RH (or CentOS) signing cert, so (I believe) every release of the shim needs to be signed by Microsoft. So it's not quite as efficient as MS signing a RH/CentOS CA key, but is not far off.