Re: We Fixed the Problem Which is Important to Us
The Linux community could do with getting manufacturers to include another key apart from the Microsoft ones so that there are alternative CAs for secure boot; there is no inherent reason for MS being the only one.
HP/HPE include SUSE in the factory default secure boot keystore.
They include their own key as the main "Platform Key".
[daz@test1 ~]$ sudo mokutil --pk | grep -e "^[[]" -e Subject:
[key 1]
Subject: CN=HPE UEFI Secure Boot 2016 PK Key, OU=CODE-SIGN, C=US, O=Hewlett Packard Enterprise Company
[daz@test1 ~]$
They then provide their own key and the keys from MS & SUSE as "Key Exchange Keys".
[daz@test1 ~]$ sudo mokutil --kek | grep -e "^[[]" -e Subject:
[key 1]
Subject: CN=HPE UEFI Secure Boot 2016 KEK Key, OU=CODE-SIGN, C=US, O=Hewlett Packard Enterprise Company
[key 2]
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
[key 3]
Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
[daz@test1 ~]$
Then in the main key database there are the two MS keys, the Windows one and the one they use for other OSs, and two VMWare keys.
[daz@test1 ~]$ sudo mokutil --db | grep -e "^[[]" -e Subject:
[key 1]
Subject: CN=HPE UEFI Secure Boot 2016 DB Key, OU=CODE-SIGN, C=US, O=Hewlett Packard Enterprise Company
[key 2]
Subject: O=Hewlett-Packard Company, OU=Long Lived CodeSigning Certificate, CN=HP UEFI Secure Boot 2013 DB key
[key 3]
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 4]
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
[key 5]
Subject: CN=SUSE Linux Enterprise Secure Boot Signkey, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
[key 6]
Subject: C=US, ST=California, L=Palo Alto, O=VMware, Inc.
[key 7]
Subject: C=US, ST=California, L=Palo Alto, O=VMware, Inc., CN=VMware Secure Boot Signing
[daz@test1 ~]$
I'd much rather see someone like SUSE acting as the CA for Linux secure boot keys.
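A small checker in the same spirit, as an added example that is not the poster's code: it reads the PK, KEK and db listings in the format mokutil prints above (live via mokutil --pk/--kek/--db when the tool is installed, otherwise from a constructed sample copied from the output quoted in the post), groups the certificate subjects by vendor, and reports whether a given vendor holds both a KEK (so it can sign db/dbx updates) and a db entry (so binaries it signs will boot). The vendor markers are assumptions lifted from the subject strings shown above; adjust them for other firmware.

```python
"""Audit UEFI Secure Boot key stores (PK, KEK, db) from mokutil output.

Added example, not from the original post. Parses the "[key N]" /
"Subject: ..." listing format that mokutil prints and summarises which
signing authorities are trusted in each store.
"""
import shutil
import subprocess

# Constructed sample, copied from the mokutil output quoted in the post above.
SAMPLE = {
    "pk": """[key 1]
Subject: CN=HPE UEFI Secure Boot 2016 PK Key, OU=CODE-SIGN, C=US, O=Hewlett Packard Enterprise Company
""",
    "kek": """[key 1]
Subject: CN=HPE UEFI Secure Boot 2016 KEK Key, OU=CODE-SIGN, C=US, O=Hewlett Packard Enterprise Company
[key 2]
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
[key 3]
Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
""",
    "db": """[key 1]
Subject: CN=HPE UEFI Secure Boot 2016 DB Key, OU=CODE-SIGN, C=US, O=Hewlett Packard Enterprise Company
[key 2]
Subject: O=Hewlett-Packard Company, OU=Long Lived CodeSigning Certificate, CN=HP UEFI Secure Boot 2013 DB key
[key 3]
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 4]
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
[key 5]
Subject: CN=SUSE Linux Enterprise Secure Boot Signkey, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
[key 6]
Subject: C=US, ST=California, L=Palo Alto, O=VMware, Inc.
[key 7]
Subject: C=US, ST=California, L=Palo Alto, O=VMware, Inc., CN=VMware Secure Boot Signing
""",
}

# Assumed vendor markers, taken from the O= fields in the subjects above.
VENDORS = {
    "HPE": "O=Hewlett Packard Enterprise Company",
    "HP": "O=Hewlett-Packard Company",
    "Microsoft": "O=Microsoft Corporation",
    "SUSE": "O=SUSE Linux Products GmbH",
    "VMware": "O=VMware, Inc.",
}


def parse_subjects(text):
    """Return the Subject DN of every [key N] entry, in listing order.
    Works on both the grep-filtered output shown in the post and the
    raw (indented, multi-field) output mokutil prints by default."""
    subjects = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Subject:"):
            subjects.append(line[len("Subject:"):].strip())
    return subjects


def vendor_of(subject):
    """Map a subject DN to a vendor name via the O= markers above."""
    for name, marker in VENDORS.items():
        if marker in subject:
            return name
    return "unknown"


def audit(stores):
    """stores: {'pk': text, 'kek': text, 'db': text}
    -> {'pk': {vendor: [subjects]}, 'kek': {...}, 'db': {...}}"""
    report = {}
    for store, text in stores.items():
        by_vendor = {}
        for subj in parse_subjects(text):
            by_vendor.setdefault(vendor_of(subj), []).append(subj)
        report[store] = by_vendor
    return report


def ca_trusted_for_linux(report, vendor="SUSE"):
    """True if the vendor holds a KEK (can sign db/dbx updates) and a db
    entry (binaries it signs are allowed to boot)."""
    return vendor in report.get("kek", {}) and vendor in report.get("db", {})


def read_live_stores():
    """Read the real stores with mokutil if installed; None otherwise."""
    if shutil.which("mokutil") is None:
        return None
    stores = {}
    for store in ("pk", "kek", "db"):
        out = subprocess.run(["mokutil", f"--{store}"], capture_output=True, text=True)
        if out.returncode != 0:
            return None
        stores[store] = out.stdout
    return stores


if __name__ == "__main__":
    stores = read_live_stores() or SAMPLE
    report = audit(stores)
    for store in ("pk", "kek", "db"):
        print(f"{store.upper()}:")
        for vendor, subjects in sorted(report[store].items()):
            print(f"  {vendor}: {len(subjects)} key(s)")
    print("SUSE trusted as KEK and in db:", ca_trusted_for_linux(report))
```

On a box without mokutil the script runs against the embedded sample; on the HPE machine described above it would read the live variables and should report SUSE as present in both KEK and db, and VMware in db only.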