| |||||||||||||
Concur with other comments re: restricted bootConcur with other comments re: restricted bootPosted Jan 1, 2013 21:47 UTC (Tue) by Lennie (subscriber, #49641)In reply to: Concur with other comments re: restricted boot by gregkh Parent article: The H Year: 2012's Wins, Fails and Mehs
"The Microsoft's UEFI rules _require_ that you be able to install your own keys."
No you are wrong, here are the 2 policies for OEMs:
- on ARM: secure boot enabled, Microsoft keys install and NO way to disable secure boot and NO way to install user supplied keys. In practise this means you can't even install Linux, even when signed !, on Windows RT/ARM-device like the "Surface": http://mjg59.dreamwidth.org/21189.html
(Log in to post comments)
Concur with other comments re: restricted boot Posted Jan 8, 2013 6:00 UTC (Tue) by Jonno (subscriber, #49613) [Link]
Actually, you are also wrong:
- on x86/AMD64: secure boot enabled by default, Microsoft keys installed and a way to (1) disabled secure boot *OR* (2) install user supplied keys
I predict most consumer motherboards will offer (1) but not (2), while most enterprise motherboards will offer (2) but not (1)...
Concur with other comments re: restricted boot Posted Jan 8, 2013 15:42 UTC (Tue) by mjg59 (subscriber, #23239) [Link]
No, both are required for all x86 systems.
Concur with other comments re: restricted boot Posted Jan 8, 2013 18:23 UTC (Tue) by nix (subscriber, #2304) [Link]
Really? Someone better tell Asus then, because my six-month-old motherboard has UEFI boot and a disableable Secure Boot (off by default), but no way to install your own keys. (That I could determine: both the BIOS screen and the motherboard manual are the typical Asus near-incomprehensible scrambled pseudo-English, so I may have overlooked something, only they never use the words 'secure boot' in the manual at all, so they're being very subtle in their docs if so...)
(This is the same motherboard that uses a custom sensor chip built for Asus only, where both Asus and the chip manufacturer refuse to provide any documentation on the grounds that they are prohibited from doing so by an NDA with the other party. Neat trick.)
Concur with other comments re: restricted boot Posted Jan 8, 2013 18:26 UTC (Tue) by mjg59 (subscriber, #23239) [Link]
It depends on how they implement "disable" - if it handles it by just clearing the platform key, the user can then install keys using the standard SetVariable() calls. But if it's 6 months old, it's probably also not Windows 8 certified.
Concur with other comments re: restricted boot Posted Jan 9, 2013 18:51 UTC (Wed) by nix (subscriber, #2304) [Link]
Since disabling is an operation you can undo, it's probably not done by clearing anything (though it might be a temporary removal).
More likely, it's just not Windows 8 certified as you suggest. That does rather suggest that 'all x86 platforms' will do whatever the hell ugly hacks their BIOS/mobo vendors want, though. Asus is not a small mobo vendor...
Concur with other comments re: restricted boot Posted Jan 9, 2013 20:12 UTC (Wed) by mjg59 (subscriber, #23239) [Link]
Enable may just be restoring the default keys. Alternatively, enable may enable it without installing any keys, leaving that up to the end user. This is why we ended up going with a solution that doesn't depend on the motherboard offering any specific set of options.
|
|||||||||||||