
List:       centos
Subject:    Re: [CentOS] Boot failed on latest CentOS 7 update
From:       Gordon Messmer <gordon.messmer () gmail ! com>
Date:       2020-08-03 0:51:10
Message-ID: f60c2a9c-4fd6-d7be-0b21-3a26dd843ae5 () gmail ! com

On 8/2/20 4:11 PM, John Pierce wrote:
> isn't it more that they simply won't work with newer boots that were signed
> by the new keys?  and the updated BIOS's won't boot older OS versions that
> weren't signed by the new keys?
I don't know if the Secure Boot PKI has a publicly documented 
contingency plan for a compromised CA, but my understanding is that 
there are multiple slots for signatures:

http://dreamhack.it/linux/2015/12/03/secure-boot-signed-modules-and-signed-elf-binaries.html

So, I would guess that clients would receive a new trust DB that did not 
contain the old root CA, and new bootloaders signed by both the old root 
CA and the new CA. The new bootloaders would work on both new and old 
systems, having signatures from both. Old bootloaders would not work on 
new clients.

_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
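As an added illustration of the dual-signature roll-over Gordon describes (example code, not from the thread or any CentOS project), this Go program models a firmware trust db and bootloader signature slots. Ed25519 keys stand in for the real X.509 CA certificates and Authenticode signatures, and the root names and shim images are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Bootloader is an image plus its signature slots, keyed by signing root.
// Ed25519 keys stand in for the real X.509 roots and Authenticode signatures.
type Bootloader struct {
	Image []byte
	Sigs  map[string][]byte
}

// Sign fills one slot; the same image can be signed by several roots.
func (b *Bootloader) Sign(root string, priv ed25519.PrivateKey) {
	if b.Sigs == nil {
		b.Sigs = map[string][]byte{}
	}
	b.Sigs[root] = ed25519.Sign(priv, b.Image)
}

// TrustDB models the firmware's db: the roots a client accepts.
type TrustDB map[string]ed25519.PublicKey

// Boots accepts the image if at least one slot verifies under a root in db.
func (db TrustDB) Boots(b *Bootloader) bool {
	for root, sig := range b.Sigs {
		if pub, ok := db[root]; ok && ed25519.Verify(pub, b.Image, sig) {
			return true
		}
	}
	return false
}

// Scenario: {old loader on old client, old on new, new on old, new on new}.
func Scenario() [4]bool {
	// errors dropped: ed25519.Sign panics on a bad key, so failure is loud
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader) // compromised root
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader) // replacement root
	oldClient := TrustDB{"old-root": oldPub}
	newClient := TrustDB{"new-root": newPub} // rolled db: old root dropped
	oldLoader := &Bootloader{Image: []byte("shim v1 (constructed sample)")}
	oldLoader.Sign("old-root", oldPriv)
	newLoader := &Bootloader{Image: []byte("shim v2 (constructed sample)")}
	newLoader.Sign("old-root", oldPriv)
	newLoader.Sign("new-root", newPriv)
	return [4]bool{oldClient.Boots(oldLoader), newClient.Boots(oldLoader),
		oldClient.Boots(newLoader), newClient.Boots(newLoader)}
}
```

Scenario() returns [true false true true]: the dual-signed loader boots everywhere, while the loader signed only by the old root is refused once the db no longer carries that root.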

