:: Re: [DNG] UEFI and Secure Boot
Author: KatolaZ
Date:  
To: dng
Subject: Re: [DNG] UEFI and Secure Boot
On Mon, Oct 23, 2017 at 10:50:54AM +0100, Simon Hobson wrote:
> KatolaZ <katolaz@???> wrote:
>
> > And what if you want to use your own unsigned bootloader? Why should
> > you ask someone else the permission to boot your own machine? o_O
>
> Two ways:
> 1) You simply turn off secure boot and it'll boot your unsigned binary. If your machine doesn't have that then it's a bug and you should complain to the retailer - and return the machine (which by now is not in a re-sellable condition) as not fit for purpose (you did mention the need to boot unsigned binaries when buying it, didn't you?). AIUI, part of MS's specs for manufacturers is that they allow secure boot to be disabled - precisely to head off the "this machine can only run Windows, monopoly abuse, ..." arguments.
>
> 2) You create your own key, install that in the system, and sign your binary with that key. This means that the machine will still boot Windows 8+ which won't otherwise boot.
> Again, if the machine won't allow the installation of your own key then that's a bug - it's (AIUI) part of the UEFI spec to allow keys to be added.
>
> [U]EFI in itself isn't all that bad - what some manufacturers do with it, and the hash they make of it, is often bad.
>


The problem is that, AFAIK, the norm for many producers is to allow 1)
and disallow 2) so far. But again, I have no extensive experience
here, so will revert back to silence ;)

HND

KatolaZ

-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab  ]  
[     "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[       @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[     @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]