| 1 |
On Tue, 1 Oct 2019 at 13:18, Mick <michaelkintzios@×××××.com> wrote: |
| 2 |
|
| 3 |
> When using Secure Boot the UEFI firmware check the binaries to be |
| 4 |
> loaded have been signed by Microsoft. The 'SHA256 verified' message |
| 5 |
> indicates the systemd-boot binary is signed using a key which is |
| 6 |
> ultimately signed by Microsoft and is contained in the whitelist |
| 7 |
> (MokList). If the verification failed I think it would spit something |
| 8 |
> back to allow you to enrol a valid hash or key. |
| 9 |
|
| 10 |
Scratch that - the message itself is a debug message following an |
| 11 |
early SHA-256 implementation self-test[1] before the systemd provided |
| 12 |
random seed file is loaded. All the Secure Boot signature checks that |
| 13 |
follow will utilise the random seed file systemd provides. |
| 14 |
|
| 15 |
[1] https://github.com/systemd/systemd/blob/4c858c6fd5d588b30d9851bb576520e74b041739/src/boot/efi/random-seed.c#L172 |
| 16 |
|
| 17 |
-- |
| 18 |
Regards, |
| 19 |
Mick |
Archives