On Sat, Jun 2, 2012 at 3:51 PM, pk <peterk2@××××××××.se> wrote:
> On 2012-06-02 15:12, Florian Philipp wrote:
>
>> According to [1] it is SHA-256 and RSA-2048. If I understand it
>> correctly, there are means to blacklist compromised keys. That's
>> why
>
> Just curious, how is a "compromised" key supposed to be blacklisted?
> Does the BIOS contact Microsoft, or is it through some other means (via
> OS which means it needs to have some sort of service to check for this
> blacklist)? Smells like trouble to me... :-/

I expect the chief mechanism is at the manufacturer's end; blacklisted
keys get included on shipment.

It's also probable that the OS kernel can tell the UEFI BIOS about new
keys to blacklist. I expect that'll be a recurring thing in the
monthly batch of security updates Microsoft puts out. (Makes sense,
really; if malware is using a key, blacklist that key.)

Someone linked to some absolutely terrible stuff being built into
Intel's Ivy Bridge... it's plausible it will be possible to deploy
blacklist key updates over the network within a couple years.


--
:wq
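The blacklisting discussed in this thread is what UEFI Secure Boot implements with its allowed database (db) and forbidden database (dbx): an entry in dbx takes precedence, so a signing key that is still in db is rejected once its certificate hash is added to dbx. The following is an added example written for this page, not code from the thread; it models db and dbx as sets of SHA-256 digests, assumes the RSA-2048 signature over the image has already been verified (that step is not modelled), and uses constructed certificate and image bytes.

```python
import hashlib
from typing import Optional, Set, Tuple

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def image_allowed(image: bytes, signer_cert: Optional[bytes],
                  db: Set[bytes], dbx: Set[bytes]) -> Tuple[bool, str]:
    """Secure Boot policy decision. dbx is checked first, so a revoked
    certificate is rejected even while it is still present in db.
    Assumption: the cryptographic signature check has already passed."""
    img_hash = sha256(image)
    if img_hash in dbx:
        return False, "image hash is in dbx"
    if signer_cert is not None and sha256(signer_cert) in dbx:
        return False, "signing certificate is in dbx"
    if signer_cert is not None and sha256(signer_cert) in db:
        return True, "signing certificate is in db"
    if img_hash in db:
        return True, "image hash is in db"
    return False, "no matching entry in db"

def revoke_key(dbx: Set[bytes], cert: bytes) -> Set[bytes]:
    """Append-only dbx update, the way a firmware or OS update would
    blacklist a key: add the certificate's hash, never remove entries."""
    return dbx | {sha256(cert)}

# Constructed sample data (not real certificates or binaries).
OEM_CERT = b"constructed: OEM signing certificate"
LEAKED_CERT = b"constructed: leaked vendor signing certificate"
DB = {sha256(OEM_CERT), sha256(LEAKED_CERT)}
DBX0: Set[bytes] = set()
LOADER = b"constructed: legitimate bootloader image"
MALWARE = b"constructed: bootkit signed with the leaked key"

def demo() -> Tuple[bool, bool, bool]:
    """Before revocation the bootkit boots; after the leaked key's hash
    is appended to dbx it is refused while the OEM-signed loader still boots."""
    before = image_allowed(MALWARE, LEAKED_CERT, DB, DBX0)[0]
    dbx1 = revoke_key(DBX0, LEAKED_CERT)
    after = image_allowed(MALWARE, LEAKED_CERT, DB, dbx1)[0]
    still_boots = image_allowed(LOADER, OEM_CERT, DB, dbx1)[0]
    return before, after, still_boots

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```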