Correction on Secure Boot Article
|Posted by tuxchick on Dec 5, 2012 5:05 PM|
LXer Feature; By Carla Schroder
LXer Feature: 05-Dec-2012
This is an important correction to "Linux Has Not Won, Microsoft is as Dangerous as Ever, Fie on Secure Boot" that explains correctly how the Platform Key works.
In Linux Has Not Won, Microsoft is as Dangerous as Ever, Fie on Secure Boot I incorrectly described how the Secure Boot Platform Key works. A reader gave me the correct description:
The platform key is the firmware vendor's key. Each motherboard will
have a platform key controlled by the firmware provider. That key is
used to sign the actual SB keys packaged with the system at ship time.
Microsoft has no involvement in that at all, except to ask the vendors
to sign their key. If the mobo vendor wants to include Microsoft's key,
they put it in the list and sign it with the platform key. If they want
to include anyone else's key - as well as or instead of Microsoft's key
- they put it in the list and sign it with the platform key. The
firmware vendor controls the platform key, not Microsoft. The presence
of a platform key is an inevitability of any design based around
signatures, not a Microsoft plot. The concept that the single platform
key controlled by the firmware vendor is used to sign *multiple* OS
vendor keys is expressly designed to allow multiple keys to be trusted
'from the factory', precisely the opposite of what you suggest in the
This is the only plausible way to design it: it's just the root of the
trust chain. There has to be one in any chain of trust. The only
possible choices for who should own the trust root are a) the vendor of
the firmware and b) the user, and Secure Boot expressly allows for both.
So it is not correct to call it a Windows Platform Key, because there is no such thing. It is important to get this right because it is fundamental to how Secure Boot works.
Return to the LXer Features
You cannot post until you login.
Dr Tony Young: Trouble-shooting a VoIP Modem
Nov 07, 2013
Hans Kwint - The Netherlands: Linux Malware: Should we be afraid?
Aug 13, 2013
Penguinist: Gems from Southeast LinuxFest
Jun 10, 2013
Hans Kwint - The Netherlands: Smartcars: Dangerous if software companies would make them
May 27, 2013
Hans Kwint - The Netherlands: High-res batch convert EMZ / WMZ grahpics to PNG a.k.a. "liberating your graphics"
May 24, 2013
ubuuser: The good and bad of Ubuntu 13.04 beta 2
Apr 15, 2013
Scott Ruecker (Phoenix, U.S.): LXer Weekly Roundup for 10-Mar-2013
Mar 11, 2013
Scott Ruecker (Phoenix, U.S.): LXer Weekly Roundup for 03-Mar-2013
Mar 03, 2013
: Ubuntu Touch Developer Preview released
Feb 21, 2013
Scott Ruecker (Phoenix, U.S.): LXer Weekly Roundup for 17-Feb-2013
Feb 18, 2013