[GTALUG] New Build Computer?

D. Hugh Redelmeier hugh at mimosa.com
Mon Jul 27 15:10:54 EDT 2020


| From: Peter King via talk <talk at gtalug.org>

| On Mon, Jul 27, 2020 at 01:57:02PM -0400, D. Hugh Redelmeier via talk wrote:

| > Odd: googling seems to suggest that the only way to turn off SB on Asus 
| > boards is to delete the PK key.  If you are going to do this, please save 
| > the key first in case you need to restore it.


| ... I'll save the key
| in several places just in case.

The key is a Public Key.  It isn't a secret.  You can probably copy it
from any modern PC in the universe, assuming it is formatted
identically.  So extreme care may not be needed.

Typing it in would be painful.

| I guess Arch Linux doesn't have any arrangement with Microsoft.

As I understand it, Arch would only have to talk to Red Hat.  My guess
is that Arch would have to present a binary to be signed by RH, and
then shim.efi would be willing to load it.  But the process is fairly
rigid so as not to dilute the meaning of Secure Boot.  So user-built
kernels probably cannot be loaded.  Nor can kernels with tainted
drivers.

You could add your own key to the firmware setup.  Then you could sign
your own kernels.  I don't know of any individual being that fastidious.
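
For the "save the key first" step discussed in this thread, here is an added example (not part of the original message) that pulls the DER certificate(s) out of a saved copy of the PK variable by parsing its EFI_SIGNATURE_LIST layout. It assumes the copy came from Linux efivarfs (for PK, `/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c`), which prepends a 4-byte attributes word; the sample input, owner GUID and placeholder certificate bytes are constructed.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def parse_signature_lists(blob, efivarfs=True):
    """Return (type_guid, owner_guid, data) for every entry in a chain of
    EFI_SIGNATURE_LIST structures. Files read from efivarfs begin with a
    4-byte attributes word, which is skipped."""
    off = 4 if efivarfs else 0
    entries = []
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = off + 28 + hdr_size, off + list_size
        if (end - pos) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def x509_certs(blob, efivarfs=True):
    """DER certificates found in the variable, ready to be written to .der files."""
    return [d for t, _, d in parse_signature_lists(blob, efivarfs) if t == EFI_CERT_X509_GUID]

def build_sample():
    """Constructed sample: attributes word + one X.509 list holding a dummy 'certificate'."""
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up owner GUID
    fake_der = b"\x30\x03\x02\x01\x01"  # placeholder DER bytes, not a real certificate
    sig_size = 16 + len(fake_der)
    esl = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return struct.pack("<I", 0x27) + esl + owner.bytes_le + fake_der, fake_der

if __name__ == "__main__":
    sample, _ = build_sample()
    for i, der in enumerate(x509_certs(sample)):
        print(f"cert {i}: {len(der)} bytes DER")
```

Keeping the raw variable file as well as the extracted certificate preserves the owner GUID and list framing in case the firmware wants the key back in signature-list form.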

