Huh, I don't know why I thought it did. Looking into the link below briefly I se... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		RiverCrochet 7 months ago \| parent \| context \| favorite \| on: Another Crack in the Chain of Trust: Uncovering (Y... Huh, I don't know why I thought it did. Looking into the link below briefly I see it uses a PKI scheme with CAs. https://learn.microsoft.com/en-us/windows-hardware/manufactu... So I guess if you provide a key for the bootloader, the firmware will sign it when it's in setup mode? I guess that private key is embedded directly in the firmware then? I presume that's made invisible once control is handed to the bootloader somehow ...

mjg59 7 months ago [–]

No, the firmware never has any private keys. You sign offline with a private key and provide the public key to the firmware. All further bootloader updates are signed with the same key and require no additional firmware configuration.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact