undefined | Better HN

0 pointsreanimus5y ago0 comments

Yeah, hemming and hawing over whether or not an x86/64 PC can disable Secure Boot in 2020 is a bit silly when it's been a certification requirement by Microsoft for ages

0 comments

vxNsr5y ago

As someone who knows little to nothing about UEFI except what I read on these types of blogs and comments, what do you mean that secure boot is no longer an issue? and that it's been a certificate requirement by microsoft?

easton5y ago

Microsoft has always required (on x86, ARM is different) that for Windows logo certification Secure Boot must be able to be disabled, you must trust Microsoft’s CA and the third-party CA that they run (and that Red Hat/Ubuntu/Debian use to sign their builds) and that the user must be able to load their own keys. This means that any x86 device sold with UEFI Secure Boot can still boot Linux (or if it can’t, it’s not Secure Boot’s fault).

https://docs.microsoft.com/en-us/windows/security/informatio...

hda25y ago

That used to be the case for x86, but not anymore: https://www.zdnet.com/article/microsoft-to-stop-linux-older-...

1 more reply

Arnavion5y ago

https://docs.microsoft.com/en-us/windows/security/informatio...

>All x86-based Certified For Windows 10 PCs must meet several requirements related to Secure Boot:

> - They must have Secure Boot enabled by default.

> - They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed).

> - They must allow the user to configure Secure Boot to trust other bootloaders.

> - They must allow the user to completely disable Secure Boot.

The last two points in particular. It's been this way since SB was introduced.

Note that this requirement does not apply to non-x86 devices. In particular, ARM devices (Windows RT) are explicitly required to disallow SB from being disabled, to meet the certification requirement.

morganvachon5y ago

"They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed)."

This one in particular always pissed me off, and I'm glad it only applies to pre-built machines that come with Windows 10 preinstalled. If the individual motherboard makers ever decide they need to be "certified for Windows 10" and start auto-trusting a certificate for closed-source commercial software, I'm left with no choice but to either stick with my "old" (not really that old) hardware or switch to another platform like POWER9.

2 more replies

j / k navigate · click thread line to collapse

0 comments

vxNsr5y ago

easton5y ago

https://docs.microsoft.com/en-us/windows/security/informatio...

hda25y ago

That used to be the case for x86, but not anymore: https://www.zdnet.com/article/microsoft-to-stop-linux-older-...

1 more reply

Arnavion5y ago

https://docs.microsoft.com/en-us/windows/security/informatio...

>All x86-based Certified For Windows 10 PCs must meet several requirements related to Secure Boot:

> - They must have Secure Boot enabled by default.

> - They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed).

> - They must allow the user to configure Secure Boot to trust other bootloaders.

> - They must allow the user to completely disable Secure Boot.

The last two points in particular. It's been this way since SB was introduced.

morganvachon5y ago

"They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed)."

2 more replies

j / k navigate · click thread line to collapse