Quote:
Author: Bubba
Well, that's the biggest problem with this discussion - anyone *can* do that (*YMMV, of course).
Well, that's what I've been going on about from the start. If really anyone can - why not? Why doesn't Debian, for example, create its own valid certificate and use that? And you can't say it doesn't bother you, because otherwise you wouldn't react like this. For several posts now you've been bitching as if I were one of the trolls on the forum and not who I am, and you should know me well enough to know I don't think that way. So let me repeat, to make it crystal clear:
1. Why do almost all distros use MS-signed certificates as the default?
2. Why aren't there more verified certificates in circulation from others (you also mentioned Supermicro above)?
And the questions are based primarily on statements like these:
Quote:
Most x86 hardware comes from the factory pre-loaded with Microsoft keys. This means the firmware on these systems will trust binaries that are signed by Microsoft. Most modern systems will ship with SB enabled - they will not run any unsigned code by default. Starting with Debian version 10 ("Buster"), Debian supports UEFI secure boot by employing a small UEFI loader called shim which is signed by Microsoft and embeds Debian's signing keys. This allows Debian to sign its own binaries without requiring further signatures from Microsoft. Older Debian versions did not support secure boot, so users had to disable secure boot in their machine's firmware configuration prior to installing those versions.
https://wiki.debian.org/SecureBoot
Quote:
Using your own keys
Warning: Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the firmware settings to rectify the situation. This is due to the fact that some device (e.g GPU) firmware (OpROMs), that get executed during boot, are signed using Microsoft 3rd Party UEFI CA certificate or vendor certificates. This is the case in many Lenovo Thinkpad X, P and T series laptops which uses the Lenovo CA certificate to sign UEFI applications and firmwares.
https://wiki.archlinux.org/title/Uni...ce/Secure_Boot
Quote:
In addition, the signed first-stage boot loader and the signed kernel include embedded Red Hat public keys. These signed executable binaries and embedded keys enable RHEL 8 to install, boot, and run with the Microsoft UEFI Secure Boot Certification Authority keys that are provided by the UEFI firmware on systems that support UEFI Secure Boot.
https://docs.redhat.com/en/documenta...ing-the-kernel
So if I've misinterpreted the documentation (and judging by your posts I obviously have) and you know something I don't - then correct me in a normal and civilized manner. That is the point of a forum and of exchanging information. This whole distasteful conversation could have gone in a much more civilized way.