-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

pjones' statement about Secure Boot on 2025-07-07:

I'm involved in Secure Boot signing in various distros in several ways.

I wrote and maintain pesign ( https://github.com/rhinstaller/pesign ),
which is used for signing EFI binaries, and I'm one of the upstream
maintainers of shim ( https://github.com/rhinstaller/shim ), which most
Linux distros use to transition from the firmware's security domain to the
kernel's. I'm also responsible for Fedora and RHEL's builds of pesign,
shim, and grub2.  I'm not responsible for the kernels for RHEL or Fedora,
nor for determining which of them finally get signed for Secure Boot.  I
have been responsible for generating keys for signing Fedora's binaries.

As the guy who gets shim signed for Fedora:

At no point have I been contacted with warrants of any kind, or any similar
instrument, or in any way, from governmental or non-governmental entities,
about inclusion of any kind of malware or backdoor in Fedora's signed secure
boot binaries, including shim, grub2, the kernel, and pesign, nor have I at any
time been approached about disclosure of our signing keys, except by one lazy
troll on the internet.  I am also not aware of anyone else involved in our
signing that has been contacted with warrants of any kind, or any similar
instrument, or in any way, from governmental or non-governmental entities,
about inclusion of any kind of malware or backdoor in Fedora's signed secure
boot binaries, including shim, grub2, the kernel, and pesign, nor am I aware of
any other involved party having at any time been approached about disclosure of
our signing keys.

As the guy who gets shim signed for RHEL:

At no point have I been contacted with warrants of any kind, or any
similar instrument, or in any way, from governmental or non-governmental
entities, about inclusion of any kind of malware or backdoor in RHEL's
signed secure boot binaries, including shim, grub2, the kernel, and pesign,
nor have I at any time been approached about disclosure of our signing
keys.  I am also not aware of anyone else involved in our signing that has
been contacted with warrants of any kind, or any similar instrument, or in
any way, from governmental or non-governmental entities, about inclusion of
any kind of malware or backdoor in RHEL's signed secure boot binaries,
including shim, grub2, the kernel, and pesign, nor am I aware of any other
involved party having at any time been approached about disclosure of
our signing keys.

As a person involved in CentOS implementation in an advisory role:

I am not aware of anyone else involved in our signing that has
been contacted with warrants of any kind, or any similar instrument, or in
any way, from governmental or non-governmental entities, about inclusion of
any kind of malware or backdoor in CentOS's signed secure boot binaries,
including shim, grub2, the kernel, and pesign, nor am I aware of any other
involved party having at any time been approached about disclosure of
CentOS's signing keys.

As the guy who gets shim signed for CentOS:

At no point have I been contacted with warrants of any kind, or any
similar instrument, or in any way, from governmental or non-governmental
entities, about inclusion of any kind of malware or backdoor in RHEL's
signed secure boot binaries, including shim, grub2, the kernel, and pesign,
nor have I at any time been approached about disclosure of our signing
keys.  I am also not aware of anyone else involved in our signing that has
been contacted with warrants of any kind, or any similar instrument, or in
any way, from governmental or non-governmental entities, about inclusion of
any kind of malware or backdoor in CentOS 7's signed secure boot binaries,
including shim, grub2, the kernel, and pesign, nor am I aware of any other
involved party having at any time been approached about disclosure of
our signing keys.

As the upstream maintainer of pesign and an upstream maintainer of shim:

At no point have I been contacted with warrants of any kind, or any
similar instrument, or in any way, from governmental or non-governmental
entities, about inclusion of any kind of malware or backdoor into either
shim or pesign.  I am also unaware of any other contributor to shim or
pesign having been contacted with warrants of of any kind, or any 
similar instrument, or in any way, from governmental or non-governmental
entities, about inclusion of any kind of malware or backdoor into either
shim or pesign.

November 2017 update: One rando from the internet has sent me an email
to tell me that I should "consider myself approached" regarding the
Fedora signing keys.  Here's what the guy with way too much time on his
hands said:

- ------------------------------------------------------------------------------
Date: Tue, 31 Oct 2017 14:46:07 -0400
From: Eduardo Gines <eduardo77@protonmail.ch>
Subject: Fedora SecureBoot signing keys

Hey Peter,

I'd like you to share with me key used for signing shim in Fedora Project Linux.

Consider yourself approached.

Adiós,
Eduardo
- ------------------------------------------------------------------------------

Just so we're clear, I don't consider a lazy email to be the sort of
contact we're talking about here.  So while I've changed the language
on the Fedora section above to reflect that I have, in fact, been
contacted in /some/ way by a non-governmental entity, in the future if
this is the amount of effort you put into this, I'm just going to mark
it spam.  Congratulations, you found a new way to be bad for the world,
and it's mostly just tedious.  Most people just stick to the old ways.

September 2018 update: Changed some CentOS stuff around to better
reflect the current division of labor.

March 2021 update: There's been some discussion about some documents published
by the National Security Agency[0].  In these, they discuss deployment
strategies and customizations regarding UEFI and Secure Boot.  

[0] Here:
    https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-uefi-lockdown.pdf
    https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/BootSecurityModesAndRec_20190522.pdf
    https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-Secure-Boot-Customization-UOO168873-20.PDF
    https://github.com/nsacyber/Hardware-and-Firmware-Security-Guidance/blob/master/secureboot/Linux.md
-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEAgk+DRnd4Pff+7U8H9P1QCVqE3IFAmhr1AMSHHBqb25lc0By
ZWRoYXQuY29tAAoJEB/T9UAlahNy3dYP/27kXTQ20y3yTYMaA0RHHV8tIzzbJroB
b+fXxtsakQK0YafhKILECUON/3bTvFAuLBYylxCmT6S+8aIs3m/+q1oxrV0t5lDI
SH3xw/oIQlMfxR06ad2NH4y+p5NSf+6y07HqwBBRuwYc6h079Mxui89RqavesQ0z
LVk+4a0fXyfLZkU3/a4kpi5jwlax1NeM/iQuiUq9eZPFrRgOdt+3Iilgt40X2uRi
ZKbxR9VHAgS8lMt7B1jxMfQpN4Sf7sYjzcqGJ6zctnOoYNiG1F1rn/qcZQIuLyIy
n0W+TT9FPysLWCK48UBkOQsJh3oJGa17qd7Hv9FxmG4BVrU7UNCyBxy2rrr7xsri
8t+/VOVWHWoWe8k1EQ61Bfro8g0N0czN7YYs1G/ETjwBfR0P6N6LmaWhtH1GKikU
hnf3XobHRg4jn5GVxzGuDVYN+Uyshx2pw61C8Gzejdk3QWgbUzgBU7cp1m3HGmmB
yV92Z3Snowj8J0hMNPBq3AVAX0bI/TmyBzUPiLNTX/XsE9L0UWPZjX6Zl8MIlU9s
9CRU4gVd0APHZXpcTgaWx1D/gEjIzY/hN1YBPJWKXadP3QWQReOagPQlBTBa6Z2O
psiXNjGYTCShnd3olQDvGbAGVZXAnPM0wgHuKavHgSy2GxF2LXIVXfap7yuzNa4e
OYTAt3dQzP9j
=x1ks
-----END PGP SIGNATURE-----