On 2022-04-26 at 18:05, Paul Wise wrote:

> On Tue, 2022-04-26 at 20:41 +0200, Bastian Blank wrote:
> 
>> secure boot signing process at Microsoft is a review-sign process
> 
> What kind of review are Microsoft doing of the Debian shim?
> 
> Are they reviewing the source and checking for a reproducible build?

I'd be curious to have a more in-depth answer to this, myself.

My understanding has always been that they check to make sure that what
they're signing is not visibly malicious, and in most cases also that it
can't chain to load something else (which isn't signed, and might be
malicious). Since the entire purpose of the shim - at least as I
understand it - is to chain to load something else, clearly either that
understanding is not correct, or they're making an exception for the
case of the shim.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
