[CentOS] Boot failed on latest CentOS 7 update

Sun Aug 2 20:19:05 UTC 2020
John Pierce <jhn.pierce at gmail.com>

On Sun, Aug 2, 2020 at 1:01 PM Phil Perry <pperry at elrepo.org> wrote:

> I believe Microsoft signs the shim which then becomes the trusted
> authority and embeds RH (or CentOS) signing cert, so (I believe) every
> release of the shim needs to be signed by Microsoft. So it's not quite
> as efficient as MS signing a RH/CentOS CA key, but is not far off.

One of the things that bugs me about PKI trust chains like this, what
happens if the unthinkable happens, and Microsoft's RootCA gets compromised
and has to be revoked... does that mean every single piece of UEFI
hardware  out there needs a BIOS upgrade?  and don't UEFI bios updates
have to be signed too?

-john r pierce
  recycling used bits in santa cruz