On 8/2/20 1:19 PM, John Pierce wrote: > One of the things that bugs me about PKI trust chains like this, what > happens if the unthinkable happens, and Microsoft's RootCA gets compromised > and has to be revoked... does that mean every single piece of UEFI > hardware out there needs a BIOS upgrade? Yes. They'll be vulnerable to malware signed by the old CA until they're updated. That's better than systems without a PKI trust chain, which are vulnerable all of the time.