@gsuberland @manawyrm @azonenberg @jik @zackwhittaker me neither, but given how closely UEFI code looks to Microsoft C code I bet the mechanism of dbx is very similar to the kernel.
diagprov@mathstodon.xyz
Posts
-
#Microsoft locks account that #VeraCrypt maintainer uses to sign #Windows bootloaders with no explanation or route for appeal.
@gsuberland @manawyrm @azonenberg @jik @zackwhittaker they're blocked on signing new builds.
-
#Microsoft locks account that #VeraCrypt maintainer uses to sign #Windows bootloaders with no explanation or route for appeal.
@gsuberland @manawyrm @azonenberg @jik @zackwhittaker the certificates used to sign them do have an expiry but timestamps solve both expired cert and expired CA. The only way to revoke it is to add that cert to a CRL and leave it there permanently. I've no idea if the Windows kernel checks CRLs or just maintains a list of blocked certs but I'd expect it to share the logic with Windows and keep a cached CRL (could be wrong, a long time since I cared much about Windows drivers).
UEFI I don't think checks either expiry or timestamps at all. Instead it has the dbx which can contain blocked certificates or hashes of binaries that should not load.
-
Thank you AI bubble.
@Elliptickiwi my teachers always said I had to be able to do mathematics without a calculator!!