21 Apr 17 12:59
RE: Re: [OSR-DETECTED-SPAM] RE: SecureBoot/Driver signing for corporate usage
Thank you Tim,
I understand that.
Unfortunately the genuine problem, i.e. Secure Boot compatibility without the
attestation of private (by definition) drivers, looks unsolvable so far. So any
private entity has to be made "public" for the attestation first.
And there are no reliable options to make it Secure Boot compatible (keeping it
private) beyond switching Secure Boot off completely.
I still hope that there is a way to sign the driver "privately" by putting the
related certificate in the UEFI's DB for the verification.
All my experiments failed so far.
Maybe because the DB is used for genuine UEFI binaries verification only, so
the kernel drivers are verified somehow else.
Maybe because of the lack of diagnostics. I can put a driver's "root"
certificate into the DB, the signature verification fails, but I can't realize
whether it happens by design or by different certificate format to be used in
the DB. Looks like the BIOS interface allows adding nearly everything to the DB by
just concatenating whatever chosen.
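
Added example, not part of the original post: the UEFI specification defines the db variable's contents as a concatenation of EFI_SIGNATURE_LIST structures, so one diagnostic for the format question raised above is to parse a dump of db and check that every entry is well-formed. It assumes the raw variable data is already available as bytes with no attribute prefix; `parse_signature_lists`, `make_list` and the sample blobs are hypothetical names and constructed data.

```python
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
LIST_HDR = struct.Struct("<16sIII")  # type GUID, list size, header size, signature size


def parse_signature_lists(blob):
    """Return [(type_name, owner_guid, data), ...] or raise ValueError if malformed."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        body = list_size - LIST_HDR.size - hdr_size
        if list_size > len(blob) - off or body < 0:
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16 or body % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        start = off + LIST_HDR.size + hdr_size
        for pos in range(start, start + body, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + sig_size]
            if sig_type == EFI_CERT_X509_GUID and data[:1] != b"\x30":
                raise ValueError(f"X509 entry at offset {pos} is not DER (PEM or other text?)")
            if sig_type == EFI_CERT_SHA256_GUID and len(data) != 32:
                raise ValueError(f"SHA256 entry at offset {pos} is not 32 bytes")
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), owner, data))
        off += list_size
    return entries


def make_list(sig_type, owner, data):
    """Build one EFI_SIGNATURE_LIST holding a single entry (constructed test input)."""
    sig_size = 16 + len(data)
    hdr = LIST_HDR.pack(sig_type.bytes_le, LIST_HDR.size + sig_size, 0, sig_size)
    return hdr + owner.bytes_le + data


# Constructed sample: placeholder bytes standing in for a DER certificate.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_DER = b"\x30\x82\x01\x0a" + bytes(266)
GOOD_DB = make_list(EFI_CERT_X509_GUID, OWNER, FAKE_DER)
# A raw certificate file appended with no EFI_SIGNATURE_LIST wrapper.
BAD_DB = GOOD_DB + b"-----BEGIN CERTIFICATE-----\nMIIB\n"
```

A clean parse only shows the blob is structurally valid; it says nothing about which components consult db when a driver is loaded.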