@ -226,7 +226,7 @@ These checksums are checked against a signature database, which is held within t
The signatures are created with the platform key (PK) which is by default owned and managed by Microsoft.
The signatures are created with the platform key (PK) which is by default owned and managed by Microsoft.
Although it is possible to install a new own PK and sign relevant software with it, you can only boot software signed from Microsoft by default when secure boot is enabled.
Although it is possible to install a new own PK and sign relevant software with it, you can only boot software signed from Microsoft by default when secure boot is enabled.
Shim is the gatekeeper for OSes not maintained by Microsoft.
Shim is the gatekeeper for OSes not maintained by Microsoft.
The binary is signed with the official PK and uses itself a self signed CA to sign further executables.
The binary is signed with the official PK and uses itself a self signed CA to sign further executables.
A detailed description how shim works on Ubuntu is shown on their corresponding Wiki page\cite{ubuntuwiki20}.
A detailed description how shim works on Ubuntu is shown on their corresponding Wiki page\cite{ubuntuwiki20}.
Only this workflow enables secure boot when using Linux OSes.
Only this workflow enables secure boot when using Linux OSes.
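Review bot: the sentence "The signatures are created with the platform key (PK) which is by default owned and managed by Microsoft" misattributes both the signing key and its owner. In UEFI Secure Boot the PK is normally the OEM's key and only authorises changes to the KEK; boot binaries are verified against certificates in the signature database (db), which is where the Microsoft UEFI CA lives on a stock machine. Shim is signed by that Microsoft UEFI CA, not by the PK, and "uses itself a self signed CA" should say that shim carries an embedded distribution certificate (plus any MOK entries) against which it verifies GRUB and the kernel. Suggest: "The signatures are verified against certificates in the db, which by default contains only Microsoft's UEFI CA." and "The binary is signed by Microsoft's UEFI CA and carries the distribution's own certificate to verify further executables." The closing claim "Only this workflow enables secure boot when using Linux OSes" also contradicts the preceding sentence, which already allows enrolling an own PK and signing the boot chain yourself; weaken it to "without enrolling your own keys, this is the only way to boot Linux with Secure Boot enabled". Minor grammar: "a new own PK" should read "your own PK", and "A detailed description how shim works" needs "of how".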
@ -236,6 +236,13 @@ When using an own PK, you loose the benefit of having externally created and sig
Secure and trusted boot can, however, exist side by side on one system.
Secure and trusted boot can, however, exist side by side on one system.
The benefit of using it seems to be very limited when not using a Microsoft OS.
The benefit of using it seems to be very limited when not using a Microsoft OS.
\subsection{Intel TXT}%
\label{sub:intel_txt}
Intel developed a solution to build a trusted environment on a hypervisor which they call \emph{Trusted Execution Technology} (TXT).
It requires an enabled TPM on the hypervisor as well as an activated trusted boot workflow.
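Review bot: the new Intel TXT paragraph places TXT "on a hypervisor" and makes it depend on "an activated trusted boot workflow", which inverts the relationship. TXT is a CPU and chipset feature (a dynamic root of trust for measurement) that measures and launches a measured launch environment, which may be a hypervisor or a bare OS kernel, typically through a TXT-aware loader such as tboot; it is itself a trusted-boot mechanism and does not require the static measured-boot chain described earlier to be active. Suggest: "Intel \emph{Trusted Execution Technology} (TXT) is a CPU and chipset feature that establishes a dynamic root of trust and launches a measured environment such as a hypervisor or OS kernel. It requires a TXT-capable platform with TXT enabled in the firmware and an enabled TPM." In the surrounding context lines, "loose the benefit" should be "lose the benefit", and "The benefit of using it seems to be very limited" leaves "it" ambiguous between secure boot and trusted boot; name the mechanism and state why the benefit is limited rather than hedging with "seems".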