[GTALUG] New Build Computer?
Lennart Sorensen
lsorense at csclub.uwaterloo.ca
Mon Jul 27 16:32:13 EDT 2020
On Mon, Jul 27, 2020 at 01:57:02PM -0400, D. Hugh Redelmeier via talk wrote:
> Secure Boot:
>
> Microsoft requires PC hardware to be shipped with Secure Boot enabled. I
> think that they also require that it be possible to disable it (but only
> manually, not by program).
>
> Secure boot requires that there be a cryptographically authenticated
> unbroken chain of things that lead to loading the OS. Authentication of
> things loaded by the UEFI amounts to being signed by a key for which the
> firmware knows the public key.
>
> The only public key most UEFI firmware knows is controlled by
> Microsoft. Red Hat has arranged for Microsoft to sign a loader that
> will then load other things: shim.efi. Red Hat made this available to
> any other Linux Distro, I think.
>
> Some other Linux systems have adopted this. For example, UBUNTU and SuSE.
> I don't know if your distro has.
>
> Suggestion: disable secure boot and continue your experiments. I know you
> said that you cannot find the setting, but it must be there somewhere in
> the firmware setup screen.
>
> Odd: googling seems to suggest that the only way to turn off SB on Asus
> boards is to delete the PK key. If you are going to do this, please save
> the key first in case you need to restore it.
No need. There is a load default keys option to restore the Microsoft
keys.
--
Len Sorensen
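
Added example, not part of the original post or thread: a way to check from a running Linux system whether Secure Boot is enforced, switched off, or in setup mode (the state the firmware enters when the PK is deleted). It assumes efivarfs is mounted at /sys/firmware/efi/efivars; the function names and the constructed test directory are hypothetical.

```python
import os
import tempfile

# GUID of the UEFI global variable namespace (SecureBoot, SetupMode, PK).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032c8c"
EFIVARS = "/sys/firmware/efi/efivars"  # assumed Linux efivarfs mount point


def read_var(name, root=EFIVARS):
    """Return a variable's payload, or None if it does not exist.

    efivarfs prefixes each file with a 4-byte attribute word, which is dropped.
    """
    path = os.path.join(root, f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        return None
    return raw[4:]


def secure_boot_state(root=EFIVARS):
    """Classify the platform from the SecureBoot, SetupMode and PK variables."""
    if not os.path.isdir(root):
        return "not-uefi"  # legacy BIOS boot, or efivarfs not mounted
    sb = read_var("SecureBoot", root)
    setup = read_var("SetupMode", root)
    pk = read_var("PK", root)
    if setup == b"\x01" or not pk:
        return "setup-mode"  # no Platform Key enrolled: nothing is enforced
    if sb == b"\x01":
        return "enabled"
    return "disabled"  # keys enrolled, enforcement switched off in setup


def make_fake_efivars(values):
    """Build a constructed efivarfs-like directory for offline testing."""
    root = tempfile.mkdtemp()
    for name, payload in values.items():
        with open(os.path.join(root, f"{name}-{EFI_GLOBAL}"), "wb") as fh:
            fh.write(b"\x06\x00\x00\x00" + payload)  # attributes, then data
    return root


if __name__ == "__main__":
    print(secure_boot_state())
```

A result of "setup-mode" after experimenting means the PK is gone and the firmware's load default keys option is what brings enforcement back.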