HispaLinux files complaint about UEFI

Steve Harvey sgh-Ja3L+HSX0kI at public.gmane.org
Wed Mar 27 22:04:33 UTC 2013


On Wed, Mar 27, 2013 at 05:04:07PM -0400, Christopher Browne wrote:
> http://www.linuxinsider.com/rsstory/77645.html
> 
> I suspect our own "POG" group might find it interesting to take a peek
> at this to see if there is any local applicability.  It's possible
> that there's nothing apropos to do in Canada, but I couldn't evaluate
> that one way or another.
> 

  I have used sbsigntool to look at the EFI binaries signed by Microsoft
in several "solutions", namely Xubuntu 12.04.2, Ubuntu 12.10, Linux
Foundation (James Bottomley's release in February), and Fedora 18,
all these 64 bit.  There are always two Microsoft signed certificates
present relating to a chain of trust, i.e.

1)
subject=.../CN=Microsoft Windows UEFI Driver Publisher
issuer=.../CN=Microsoft Corporation UEFI CA 2011
validity 2012-07-02 to 2013-10-02

2)
subject=.../CN=Microsoft Corporation UEFI CA 2011
issuer=.../CN=Microsoft Corporation Third Party Marketplace Root
validity 2011-06-27 to 2026-06-27
 
  For both certificates, both "X509v3 CRL Distribution Points" and
"Authority Information Access" extensions have attributes set.

  From the above, I wonder if any of these would be expected to
be bootable in a fully compliant UEFI environment past Oct. 2nd
of this year.  It also looks as though Microsoft is retaining the
ability to revoke any of these at any time as UEFI is generally
network-aware. 

  I suspect that in general you would have to enroll
your own Machine Owner Keys and use them to sign your media if
you wanted to dual-boot Windows 8 and your own custom Linux
setup.  A real pain!
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists




