X-Git-Url: https://code.delx.au/refind/blobdiff_plain/b2410fb7695fb349a65a2749e9524f250a4f6420..082b67816f970599d10e25c5a5c31d6d112f3e1a:/keys/README.txt diff --git a/keys/README.txt b/keys/README.txt index bcf1bf3..1e9306e 100644 --- a/keys/README.txt +++ b/keys/README.txt @@ -1,9 +1,9 @@ -This directory contains known public keys for Linux distributions and other -parties that sign boot loaders and kernels that should be verifiable by -shim. I'm providing these keys as a convenience to enable easy installation -of keys should you replace your distribution's version of shim with another -one and therefore require adding its public key as a machine owner key -(MOK). +This directory contains known public keys for Linux distributions and from +other parties that sign boot loaders and kernels that should be verifiable +by shim. I'm providing these keys as a convenience to enable easy +installation of keys should you replace your distribution's version of shim +with another one and therefore require adding its public key as a machine +owner key (MOK). Files come with three extensions. A filename ending in .crt is a certificate file that can be used by sbverify to verify the authenticity of @@ -17,13 +17,58 @@ utility expects its input public keys in this form, so these are the files you would use to add a key to the MOK list maintained by MokManager and used by shim. -The files in this directory are: +The files in this directory are, in alphabetical order: -- canonical-uefi-ca.der -- Canonical's public key, used to sign Ubuntu - boot loaders and kernels. +- altlinux.cer -- The public key for ALT Linux (http://www.altlinux.com). + Taken from the alt-uefi-certs package + (http://www.sisyphus.ru/br/srpm/Sisyphus/alt-uefi-certs/spec). -- fedora-ca.cer -- Fedora's public key, used to sign Fedora 18's version of - shim and Fedora 18's kernels. +- canonical-uefi-ca.crt & canonical-uefi-ca.der -- Canonical's public key, + matched to the one used to sign Ubuntu boot loaders and kernels. + +- centos.crt & centos.cer -- Public keys used to sign CentOS binaries, taken + from shim-signed-0.9-2.el7.src.rpm. Note that the binary's centos.crt file + was actually in .cer format, and has been renamed appropriately. The + centos.crt file included here is transformed from the original file by + openssl. Tested booting CentOS 7. + +- fedora-ca.cer & fedora-ca.crt -- Fedora's public key, matched to the one + used used to sign Fedora's shim 0.8 binary. + +- microsoft-kekca-public.der -- Microsoft's key exchange key (KEK), which + is present on most UEFI systems with Secure Boot. The purpose of + Microsoft's KEK is to enable Microsoft tools to update Secure Boot + variables. There is no reason to add it to your MOK list. + +- microsoft-pca-public.der -- A Microsoft public key, matched to the one + used to sign Microsoft's own boot loader. You might include this key in + your MOK list if you replace the keys that came with your computer with + your own key but still want to boot Windows. There's no reason to add it + to your MOK list if your computer came this key pre-installed and you did + not replace the default keys. + +- microsoft-uefica-public.der -- A Microsoft public key, matched to the one + Microsoft uses to sign third-party applications and drivers. If you + remove your default keys, adding this one to your MOK list will enable + you to launch third-party boot loaders and other tools signed by + Microsoft. There's no reason to add it to your MOK list if your computer + came this key pre-installed and you did not replace the default keys. + +- openSUSE-UEFI-CA-Certificate.cer, openSUSE-UEFI-CA-Certificate.crt, + openSUSE-UEFI-CA-Certificate-4096.cer, & + openSUSE-UEFI-CA-Certificate-4096.crt -- Public keys matched to the ones + used to sign OpenSUSE; taken from openSUSE's shim 0.7.318.81ee56d + package. - refind.cer & refind.crt -- My own (Roderick W. Smith's) public key, - used to sign refind_x64.efi and the 64-bit rEFInd drivers. + matched to the one used to sign refind_x64.efi and the 64-bit rEFInd + drivers. + +- SLES-UEFI-CA-Certificate.cer & SLES-UEFI-CA-Certificate.crt -- The Public + key for SUSE Linux Enterprise Server; taken from openSUSE's shim + 0.7.318.81ee56d package. + +The refind.cer and refind.crt files are my creations and are distributed +under the terms of the BSD 2-clause license. The rest of the files are +distributed on the assumption that doing so constitutes fair use. Certainly +they're all easily obtained on the Internet from other sources.