On Sun, Aug 2, 2020 at 1:01 PM Phil Perry <pperry at elrepo.org> wrote:

> I believe Microsoft signs the shim which then becomes the trusted
> authority and embeds RH (or CentOS) signing cert, so (I believe) every
> release of the shim needs to be signed by Microsoft. So it's not quite
> as efficient as MS signing a RH/CentOS CA key, but is not far off.
>

One of the things that bugs me about PKI trust chains like this, what
happens if the unthinkable happens, and Microsoft's RootCA gets compromised
and has to be revoked... does that mean every single piece of UEFI
hardware out there needs a BIOS upgrade? and don't UEFI bios updates have
to be signed too?

--
-john r pierce
recycling used bits in santa cruz