undefined | Better HN

0 pointshackmiester5y ago0 comments

It was hard to read past the attitude that Secure Boot is the enemy. That’s just not the case, and if the author believes it is, it kind of undermines their expertise/the rest of the writing.

0 comments

reanimus5y ago

Yeah, hemming and hawing over whether or not an x86/64 PC can disable Secure Boot in 2020 is a bit silly when it's been a certification requirement by Microsoft for ages

vxNsr5y ago

As someone who knows little to nothing about UEFI except what I read on these types of blogs and comments, what do you mean that secure boot is no longer an issue? and that it's been a certificate requirement by microsoft?

easton5y ago

Microsoft has always required (on x86, ARM is different) that for Windows logo certification Secure Boot must be able to be disabled, you must trust Microsoft’s CA and the third-party CA that they run (and that Red Hat/Ubuntu/Debian use to sign their builds) and that the user must be able to load their own keys. This means that any x86 device sold with UEFI Secure Boot can still boot Linux (or if it can’t, it’s not Secure Boot’s fault).

https://docs.microsoft.com/en-us/windows/security/informatio...

1 more reply

Arnavion5y ago

https://docs.microsoft.com/en-us/windows/security/informatio...

>All x86-based Certified For Windows 10 PCs must meet several requirements related to Secure Boot:

> - They must have Secure Boot enabled by default.

> - They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed).

> - They must allow the user to configure Secure Boot to trust other bootloaders.

> - They must allow the user to completely disable Secure Boot.

The last two points in particular. It's been this way since SB was introduced.

Note that this requirement does not apply to non-x86 devices. In particular, ARM devices (Windows RT) are explicitly required to disallow SB from being disabled, to meet the certification requirement.

1 more reply

raxxorrax5y ago

I don't think it is hard to read past it and I don't think there are only positive sides. If it stays an optional component it might be true, but it would be naive to just let this be the only perspective in hindsight of development of closed systems like smartphones.

hackmiesterOP5y ago

But the author states that they still use computers from before 2012 because they are avoiding EFI. Why?

From 2012 until present, computers have been produced that run any EFI binary you want. Why not buy one of those? It's no different than sticking with pre-2012 machines, except you aren't attached to cruft from the 1980s anymore.

j / k navigate · click thread line to collapse

0 comments

reanimus5y ago

Yeah, hemming and hawing over whether or not an x86/64 PC can disable Secure Boot in 2020 is a bit silly when it's been a certification requirement by Microsoft for ages

vxNsr5y ago

easton5y ago

https://docs.microsoft.com/en-us/windows/security/informatio...

1 more reply

Arnavion5y ago

https://docs.microsoft.com/en-us/windows/security/informatio...

>All x86-based Certified For Windows 10 PCs must meet several requirements related to Secure Boot:

> - They must have Secure Boot enabled by default.

> - They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed).

> - They must allow the user to configure Secure Boot to trust other bootloaders.

> - They must allow the user to completely disable Secure Boot.

The last two points in particular. It's been this way since SB was introduced.

1 more reply

raxxorrax5y ago

hackmiesterOP5y ago

But the author states that they still use computers from before 2012 because they are avoiding EFI. Why?

j / k navigate · click thread line to collapse