[CentOS] Boot failed on latest CentOS 7 update

Sun Aug 2 18:54:51 UTC 2020
John Pierce <jhn.pierce at gmail.com>

On Sun, Aug 2, 2020 at 11:45 AM Phil Perry <pperry at elrepo.org> wrote:

> On 02/08/2020 16:26, Valeri Galtsev wrote:
> >
> > On the side note: it is Microsoft that signs one of Linux packages now.
> We seem to have made one more step away from “our” computers being _our
> computers_. Am I wrong?
> >
> > Valeri
> >
> Microsoft are the Certificate Authority for SecureBoot and most
> SB-enabled hardware (most x86 hardware) comes with a copy of the
> Microsoft key preinstalled allowing binaries that are signed by
> Microsoft to work. In the case of linux, that is the shim which becomes
> the root of trust to load everything else. If you are not happy with
> that you can always become your own certificate authority by generating
> your own keys, install your signing keys in the hardware's firmware (MOK
> list) and sign stuff yourself to use on your own machine(s).
> However if you wish to distribute stuff to others and have it work
> seamlessly on hardware outside of your direct control and without the
> need for every user to import your CA SecureBoot signing key into the
> MOK list on every device, you would rely on Microsoft to sign SB related
> content.
now, does Microsoft have to sign each released module themselves, or will
they issue a CA  cert to an authorized OS creator, like RH, then let RH
sign their own modules?

EG,    Microsoft RootCA -> Signed Package
vs,      Microsoft RootCA -> RH Child CA -> Signed Package ....

-john r pierce
  recycling used bits in santa cruz