[GTALUG] New Build Computer?
Peter King
peter.king at utoronto.ca
Mon Jul 27 14:16:29 EDT 2020
On Mon, Jul 27, 2020 at 01:57:02PM -0400, D. Hugh Redelmeier via talk wrote:
> Microsoft requires PC hardware to be shipped with Secure Boot enabled. I
> think that they also require that it be possible to disable it (but only
> manually, not by program).
>
> Secure boot requires that there be a cryptographically authenticated
> unbroken chain of things that lead to loading the OS. Authentication of
> things loaded by the UEFI amounts to being signed by a key for which the
> firmware knows the public key.
>
> The only public key most UEFI firmware knows is controlled by
> Microsoft. Red Hat has arranged for Microsoft to sign a loader that
> will then load other things: shim.efi. Red Hat made this available to
> any other Linux Distro, I think.
>
> Some other Linux systems have adopted this. For example, UBUNTU and SuSE.
> I don't know if your distro has.
>
> Suggestion: disable secure boot and continue your experiments. I know you
> said that you cannot find the setting, but it must be there somewhere in
> the firmware setup screen.
>
> Odd: googling seems to suggest that the only way to turn off SB on Asus
> boards is to delete the PK key. If you are going to do this, please save
> the key first in case you need to restore it.
Thanks! That is an admirably clear description of Secure Boot, which makes
it seem like, well, like not a crazy idea.
Yes, I'm pretty sure Secure Boot is the culprit. Googling tells me that I
can only disable it on the Asus Prime X570-Pro motherboard by deleting the
keys listed under "Key Management" (or at least the PK key), which I was
hesitant to try -- it seemed like a one-way street -- but I'll save the key
in several places just in case.
I guess Arch Linux doesn't have any arrangment with Microsoft.
--
Peter King peter.king at utoronto.ca
Department of Philosophy
170 St. George Street #521
The University of Toronto (416)-946-3170 ofc
Toronto, ON M5R 2M8
CANADA
http://individual.utoronto.ca/pking/
=========================================================================
GPG keyID 0x7587EC42 (2B14 A355 46BC 2A16 D0BC 36F5 1FE6 D32A 7587 EC42)
gpg --keyserver pgp.mit.edu --recv-keys 7587EC42
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://gtalug.org/pipermail/talk/attachments/20200727/94d1b905/attachment.sig>
More information about the talk
mailing list