On 02/20/2018 03:41 AM, Tom H wrote:
Ubuntu's using an MS sig. The difference between Fedora and
Ubuntu is
that the latter doesn't require that kernel modules be signed.
If that's true, then I think they're in violation of the secure boot
rules. And even if not, it makes secure boot ineffective anyway.
AFAIK, "shim" is signed by MS (and is validated by an
MS-supplied and
-signed "thingy" in the firmware) and it embeds the Fedora sig with
which grub, the kernel, and the kernel modules are signed and
validated.
Correct.