On Wed, Jul 09, 2025 at 05:42:23PM +0200, Florian Weimer wrote:
> * Gerd Hoffmann:
>
> >> At least for me it seems to be an extremely generic update that doesn't rely
> >> on hardware specific characteristics as is with a full BIOS update.
> >
> > Correct. It's literally just the new ms kek key with a pkcs7 signature
> > from the hardware vendor's PK key. No code update.
>
> Still it needs to go through QA because it has a significant risk of
> corrupting the boot path.

Sure. It's a first in the secure boot world and has the potential to
break a bunch of stuff. Specifically I think with the boot signature
chain changing some TPM PCR measurements will change too, so TPM being
used for LUKS disk encryption most likely is affected and will need
some extra attention.

But it shouldn't be the "broken bios update might brick the machine"
level of risk.

take care,
  Gerd