From a19b49f9c6f64151648666cb7095ae9f3fd22662 Mon Sep 17 00:00:00 2001 From: srs5694 Date: Thu, 12 Feb 2015 18:58:38 -0500 Subject: [PATCH] Added Microsoft's public keys to the rEFInd key collection. --- keys/README.txt | 44 ++++++++++++++++++++++++++++++++------------ 1 file changed, 32 insertions(+), 12 deletions(-) diff --git a/keys/README.txt b/keys/README.txt index 0fb79b6..9d69b0c 100644 --- a/keys/README.txt +++ b/keys/README.txt @@ -1,9 +1,9 @@ -This directory contains known public keys for Linux distributions and other -parties that sign boot loaders and kernels that should be verifiable by -shim. I'm providing these keys as a convenience to enable easy installation -of keys should you replace your distribution's version of shim with another -one and therefore require adding its public key as a machine owner key -(MOK). +This directory contains known public keys for Linux distributions and from +other parties that sign boot loaders and kernels that should be verifiable +by shim. I'm providing these keys as a convenience to enable easy +installation of keys should you replace your distribution's version of shim +with another one and therefore require adding its public key as a machine +owner key (MOK). Files come with three extensions. A filename ending in .crt is a certificate file that can be used by sbverify to verify the authenticity of @@ -22,16 +22,36 @@ The files in this directory are, in alphabetical order: - altlinux.cer -- The public key for ALT Linux (http://www.altlinux.com). - canonical-uefi-ca.crt & canonical-uefi-ca.der -- Canonical's public key, - used to sign Ubuntu boot loaders and kernels. - -- fedora-ca.cer & fedora-ca.crt -- Fedora's public key, used to sign Fedora - 18's version of shim and Fedora 18's kernels. + matched to the one used to sign Ubuntu boot loaders and kernels. + +- fedora-ca.cer & fedora-ca.crt -- Fedora's public key, matched to the one + used used to sign Fedora 18's version of shim and Fedora 18's kernels. + +- microsoft-kekca-public.der -- Microsoft's key exchange key (KEK), which + is present on most UEFI systems with Secure Boot. The purpose of + Microsoft's KEK is to enable Microsoft tools to update Secure Boot + variables. There is no reason to add it to your MOK list. + +- microsoft-pca-public.der -- A Microsoft public key, matched to the one + used to sign Microsoft's own boot loader. You might include this key in + your MOK list if you replace the keys that came with your computer with + your own key but still want to boot Windows. There's no reason to add it + to your MOK list if your computer came this key pre-installed and you did + not replace the default keys. + +- microsoft-uefica-public.der -- A Microsoft public key, matched to the one + Microsoft uses to sign third-party applications and drivers. If you + remove your default keys, adding this one to your MOK list will enable + you to launch third-party boot loaders and other tools signed by + Microsoft. There's no reason to add it to your MOK list if your computer + came this key pre-installed and you did not replace the default keys. - openSUSE-UEFI-CA-Certificate.cer & openSUSE-UEFI-CA-Certificate.crt -- - Public keys used to sign OpenSUSE 12.3. + Public keys matched to the ones used to sign OpenSUSE 12.3. - refind.cer & refind.crt -- My own (Roderick W. Smith's) public key, - used to sign refind_x64.efi and the 64-bit rEFInd drivers. + matched to the one used to sign refind_x64.efi and the 64-bit rEFInd + drivers. - SLES-UEFI-CA-Certificate.cer & SLES-UEFI-CA-Certificate.crt -- The Public key for SUSE Linux Enterprise Server. -- 2.39.2