code.delx.au - refind/blob - keys/README.txt
More cleanup relating to ARM64 support.
This directory contains known public keys for Linux distributions and from
other parties that sign boot loaders and kernels that should be verifiable
by shim. I'm providing these keys as a convenience to enable easy
installation of keys should you replace your distribution's version of shim
with another one and therefore require adding its public key as a machine
owner key (MOK).

Files come with three extensions. A filename ending in .crt is a
certificate file that can be used by sbverify to verify the authenticity of
a key, as in:

    $ sbverify --cert keys/refind.crt refind/refind_x64.efi

The .cer and .der filename extensions are equivalent, and are public key
files similar to .crt files, but in a different form. The MokManager
utility expects its input public keys in this form, so these are the files
you would use to add a key to the MOK list maintained by MokManager and
used by shim.

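Before adding a .cer or .der file to the MOK list, it is worth confirming
that it holds the same certificate as the .crt file used with sbverify. The
script below is an added example, not part of the original README or of
rEFInd; it assumes the .crt files are PEM-encoded and the .cer/.der files are
DER-encoded X.509 certificates, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the rEFInd README. Requires the openssl CLI.
# Assumption: .crt files are PEM, .cer/.der files are DER X.509 certificates.

# Print the SHA-256 fingerprint of the certificate in FILE, whether it is
# PEM (base64 text with a BEGIN CERTIFICATE line) or DER (raw binary).
cert_fpr() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        form=PEM
    else
        form=DER
    fi
    openssl x509 -in "$1" -inform "$form" -noout -fingerprint -sha256 \
        2>/dev/null | cut -d= -f2
}

# Succeed only if both files parse as certificates and are the same one.
same_cert() {
    a=$(cert_fpr "$1")
    b=$(cert_fpr "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" = "$b" ]
}

# Re-encode a PEM .crt as the DER form that MokManager expects.
crt_to_der() {
    openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
}

# Demo on constructed, throwaway self-signed certificates (not vendor keys).
demo() {
    d=$(mktemp -d) || return 1
    for n in one two; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed test key $n" -keyout "$d/$n.key" \
            -out "$d/$n.crt" 2>/dev/null || { rm -rf "$d"; return 1; }
    done
    crt_to_der "$d/one.crt" "$d/one.der" &&
        same_cert "$d/one.crt" "$d/one.der" &&
        ! same_cert "$d/two.crt" "$d/one.der"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "PEM and DER copies match; mismatched pair rejected"
```

With the files in this directory, the check would be run as
same_cert keys/refind.crt keys/refind.cer.
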
The files in this directory are, in alphabetical order:

- altlinux.cer -- The public key for ALT Linux (http://www.altlinux.com).

- canonical-uefi-ca.crt & canonical-uefi-ca.der -- Canonical's public key,
  matched to the one used to sign Ubuntu boot loaders and kernels.

- fedora-ca.cer & fedora-ca.crt -- Fedora's public key, matched to the one
  used to sign Fedora 18's version of shim and Fedora 18's kernels.

- microsoft-kekca-public.der -- Microsoft's key exchange key (KEK), which
  is present on most UEFI systems with Secure Boot. The purpose of
  Microsoft's KEK is to enable Microsoft tools to update Secure Boot
  variables. There is no reason to add it to your MOK list.

- microsoft-pca-public.der -- A Microsoft public key, matched to the one
  used to sign Microsoft's own boot loader. You might include this key in
  your MOK list if you replace the keys that came with your computer with
  your own key but still want to boot Windows. There's no reason to add it
  to your MOK list if your computer came with this key pre-installed and
  you did not replace the default keys.

- microsoft-uefica-public.der -- A Microsoft public key, matched to the one
  Microsoft uses to sign third-party applications and drivers. If you
  remove your default keys, adding this one to your MOK list will enable
  you to launch third-party boot loaders and other tools signed by
  Microsoft. There's no reason to add it to your MOK list if your computer
  came with this key pre-installed and you did not replace the default
  keys.

- openSUSE-UEFI-CA-Certificate.cer & openSUSE-UEFI-CA-Certificate.crt --
  Public keys matched to the ones used to sign OpenSUSE 12.3.

- refind.cer & refind.crt -- My own (Roderick W. Smith's) public key,
  matched to the one used to sign refind_x64.efi and the 64-bit rEFInd
  drivers.

- SLES-UEFI-CA-Certificate.cer & SLES-UEFI-CA-Certificate.crt -- The
  public key for SUSE Linux Enterprise Server.