is this true

Deryl R. Doucette me at
Mon Oct 3 15:41:40 UTC 2011

On 2011-10-03, at 9:59 AM, swfiua at wrote:
> I know very little about the UEFI implementation, but do know a fair bit about public key cryptography.
> If the UEFI implementation is done right then the keys that are embedded in the boot loader should be public keys and, by definition, there is no need to keep them secret.   
> The keys that need to be kept secret are the corresponding private keys used to sign the OS'es that you install.  
> This part should not be a problem for linux.   I'd expect the main distros to have their own private keys and to provide tools to make it easy to adder their public keys to UEFI.
> For users experimenting with their own OS, then I assume you can generate your own key pair, load the public key into the boot loader and use the private key to sign your OS.
> One thing I'm not sure about with UEFI is just what you have to sign.  I'd expect the signing to include some sort of checksum on the code it is going to boot -- can anyone point me at the details?

You have it backwards.

The stored keys would have to be private keys, and the OS installs would have to have the public keys. Not the other way around. And since the signing keys 
Deryl R. Doucette
"Any lad can choose the mundane, but tis the explorers that are truly free in choice!"

gnuPG Key ID: EE8734BA 
Key Fingerprint: 1CAD 14AB B5D0 7C61 DCE7 41B6 DBAE D3BC EE87 34BA

More information about the ubuntu-ca mailing list