:: Re: [DNG] UEFI and Secure Boot
Author: Adam Borowski
Date:  
To: dng
Subject: Re: [DNG] UEFI and Secure Boot
On Mon, Oct 23, 2017 at 10:41:29AM -0400, Steve Litt wrote:
> On Mon, 23 Oct 2017 10:50:54 +0100
> Simon Hobson <linux@???> wrote:
>
>
> > Two ways :
> > 1) You simply turn off secure boot and it'll boot your unsigned
> > binary. If your machine doesn't have that then it's a bug and you
> > should complain to the retailer - and return the machine (which by
> > now is not in a re-sellable condition) as not fit for purpose (you
> > did mention the need to boot unsigned binaries when buying it didn't
> > you ?) AIUI, part of MS's specs for manufacturers is that they allow
> > secure boot to be disabled - precisely to head off the "this machine
> > can only run Windows, monopoly abuse, ..." arguments.
>
> The preceding paragraph was true of Windows 8 certification on
> Intel/AMD motherboards: To get Windows 8 certification you had to have
> Secure Boot and it had to have an off switch.
>
> To get Windows 10 certification, you have to have Secure Boot but
> there's no requirement for an off switch.


Also, begging Microsoft to have your distribution's key signed is also not
guaranteed to work. There are two keys:
* "Microsoft Windows Production PCA 2011" that must be included
* "Microsoft Corporation UEFI CA 2011" that "on non-Windows RT PCs the OEM
should consider" -- not only are some machines explicitly excluded, but
on others it's merely "should consider".

Microsoft controls almost 100% of non-server PC manufacturers by means
of volume discounts: the official price is insanely high, effectively
excluding any manufacturer who doesn't comply. Even worse, as non-niche
manufacturers all sell a variant with Windows (that's where the vast
majority of sales is), they don't have the freedom of offering a variant
that respects the user, on pain of losing the volume discount.

The discounts are invariably negotiated in secret. I.e., you can have all new
machines drop support for big-distros overnight.

Specs:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance#SignatureDatabase

--
⢀⣴⠾⠻⢶⣦⠀ Laws we want back: Poland, Dz.U. 1921 nr.30 poz.177 (also Dz.U.
⣾⠁⢰⠒⠀⣿⡁ 1920 nr.11 poz.61): Art.2: An official, guilty of accepting a gift
⢿⡄⠘⠷⠚⠋⠀ or another material benefit, or a promise thereof, [in matters
⠈⠳⣄⠀⠀⠀⠀ relevant to duties], shall be punished by death by shooting.
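
A check for the two certificates named in the message above, as an added example that is not part of the original mail: it walks the EFI_SIGNATURE_LIST layout of the Secure Boot `db` variable and reports which of the two names appear in an enrolled X.509 entry. The efivarfs path, the helper names, and matching the name as an ASCII byte string (rather than parsing the certificate) are assumptions of this example.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification, in on-disk (mixed-endian) form.
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
# Assumed location: the usual efivarfs path of the "db" variable on Linux.
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
NAMES = ("Microsoft Windows Production PCA 2011",
         "Microsoft Corporation UEFI CA 2011")

def x509_entries(db):
    """Yield the raw certificate bytes of every X.509 entry in a db blob."""
    off = 0
    while off + 28 <= len(db):
        sig_type = db[off:off + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(db):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            if sig_type == X509_GUID:
                yield db[pos + 16:pos + sig_size]  # skip 16-byte owner GUID
            pos += sig_size
        off = end

def enrolled(db):
    """Map each certificate name from the mail to True/False (heuristic match)."""
    certs = list(x509_entries(db))
    return {n: any(n.encode("ascii") in c for c in certs) for n in NAMES}

def make_list(sig_type, payloads):
    """Build one EFI_SIGNATURE_LIST from equal-size payloads (constructed data)."""
    size = 16 + len(payloads[0])
    body = b"".join(bytes(16) + p for p in payloads)
    return sig_type + struct.pack("<III", 28 + len(body), 0, size) + body

if __name__ == "__main__":
    with open(DB_PATH, "rb") as f:
        data = f.read()[4:]  # efivarfs prefixes 4 bytes of variable attributes
    for name, present in enrolled(data).items():
        print("%-40s %s" % (name, "present" if present else "MISSING"))
```

Run directly on a UEFI-booted Linux machine it reads the live `db`; a "MISSING" for the UEFI CA line means binaries signed under that certificate are not trusted by that firmware as shipped.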