Ah yes, the fun times of a baby haha. Enjoy! :p
Anyway, Secure Boot itself was designed by the UEFI consortium, which is a group of PC tech companies, to help make sure devices only boot what they can trust. Good on paper and in practice but…
Back in circa 2011 Microsoft had enforced that any PC that wanted to be Windows 8 certified (and get the sticker) had to have Secure Boot enabled together with Fast Boot. All motherboards needed to have a TPM module with only the Microsoft certificate in it. This meant that booting from a USB or CD was completely off the table and you just could not install Linux, period.
And even if you did, the kernels or bootloaders were not signed, so they would be refused by the BIOS/UEFI.
This was a big thing back then, and Canonical and Red Hat tried and found a few ways around it, and so did some individuals.
But AFAIK the Linux Foundation (which Microsoft is part of, funnily enough) made some binaries that were signed and allowed Linux to boot under Secure Boot, including from USB/CD.
IIRC, during the Linux installation the distro will add its certificate to the TPM so that kernels signed by the distro boot fine.
To this day, without those binaries from the Foundation, it would be impossible to boot Linux with Secure Boot, and it can still cause issues when dual booting with BitLocker enabled, for example. BitLocker detects a changed boot state (by GRUB) and says fuck that, give me the recovery key or I ain't decrypting this.
Here is a Google search if you want to dig deeper, it should all be from circa 2011-2012:
https://www.google.com/?q=windows+8+oem+to+disable+linux
Wow! That doesn’t seem like a very nice thing of Microsoft to do! I would give them a hard stare if I could.
Yup! And now we are facing the problems many sysadmins face every day all over the world: certificate expirations!
Though instead of the HTTPS (SSL) certificate of a server expiring, it's the certificate used to validate what Secure Boot boots.
That's what the article is about.
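The expiry the thread is talking about is a property of the X.509 certificates stored in the firmware's Secure Boot `db` variable, so the practical question for an admin is "which signing certificates does this machine trust, and when do they lapse?". The script below is an added example written for this thread (it is not code from the thread, from the linked article, or from any project): it walks the `EFI_SIGNATURE_LIST` chain that makes up `db`, pulls out each DER certificate, and reads the subject CN and validity window with a minimal ASN.1 walker, using only the Python standard library. It assumes the standard efivarfs path for `db` on a UEFI Linux host; when that path is absent (or unreadable) it falls back to a constructed, structurally valid but fake "Example UEFI CA" certificate with made-up dates, so the code runs offline. The sample dates and the fake CA name are constructed and say nothing about any real vendor certificate.

```python
# Report the validity window of every X.509 certificate in a UEFI Secure Boot
# 'db' variable (a chain of EFI_SIGNATURE_LIST structures), stdlib only.
# Added example for this thread; not code from the thread or any project.
import os
import struct
import uuid
from datetime import datetime, timezone

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
DB_EFIVAR = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARS_ATTR_LEN = 4  # efivarfs prefixes each variable with 4 attribute bytes

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    # List the (tag, value) elements directly inside a constructed DER node.
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def asn1_time(tag, value):
    # UTCTime (0x17, two-digit year) or GeneralizedTime (0x18) -> aware datetime.
    text = value.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(cert_der):
    """Return (subject CN, notBefore, notAfter) from a DER-encoded certificate."""
    _, cert_body, _ = der_tlv(cert_der, 0)
    fields = der_children(der_children(cert_body)[0][1])  # TBSCertificate fields
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # remaining order: serial, signatureAlgorithm, issuer, validity, subject, ...
    validity, subject = der_children(fields[3][1]), fields[4][1]
    cn = None
    for _, rdn_set in der_children(subject):
        for _, atv in der_children(rdn_set):
            oid, val = der_children(atv)
            if oid[1] == b"\x55\x04\x03":  # id-at-commonName (2.5.4.3)
                cn = val[1].decode("utf-8")
    return cn, asn1_time(*validity[0]), asn1_time(*validity[1])

def iter_db_certs(db_blob, skip_attrs=True):
    """Yield each DER certificate found in concatenated EFI_SIGNATURE_LISTs."""
    pos = EFIVARS_ATTR_LEN if skip_attrs else 0
    while pos + 28 <= len(db_blob):  # 16-byte type GUID + three UINT32 sizes
        sig_type = uuid.UUID(bytes_le=db_blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db_blob, pos + 16)
        entry = pos + 28 + hdr_size
        if sig_type == EFI_CERT_X509_GUID:
            while entry + sig_size <= pos + list_size:
                yield db_blob[entry + 16:entry + sig_size]  # skip 16-byte owner GUID
                entry += sig_size
        pos += list_size  # other signature types (e.g. SHA-256 hashes) are skipped

def report(db_blob, now, skip_attrs=True):
    """Return [(cn, not_after, days_left)] for every certificate in the blob."""
    rows = []
    for cert in iter_db_certs(db_blob, skip_attrs):
        cn, _, not_after = cert_validity(cert)
        rows.append((cn, not_after, (not_after - now).days))
    return rows

# --- constructed sample: a structurally valid but fake CA certificate in a db ---
def der(tag, content):
    # Minimal DER encoder, only used to build the sample below.
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert(cn, not_before, not_after):
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
              + name + der(0x30, der(0x17, not_before) + der(0x17, not_after)) + name
              + der(0x30, b""))  # placeholder SubjectPublicKeyInfo: no real key inside
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))  # empty signature

def siglist(cert):
    sig = uuid.UUID(int=0).bytes_le + cert  # EFI_SIGNATURE_DATA: owner GUID + cert
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig

SAMPLE_DB = b"\x07\x00\x00\x00" + siglist(fake_cert("Example UEFI CA", b"110101000000Z", b"260101000000Z"))
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed "today" for the sample

def sample_report():
    return report(SAMPLE_DB, SAMPLE_NOW)  # -> [("Example UEFI CA", 2026-01-01 UTC, 365)]

if __name__ == "__main__":
    if os.path.exists(DB_EFIVAR):  # real firmware db on a UEFI Linux host (needs read access)
        with open(DB_EFIVAR, "rb") as f:
            rows = report(f.read(), datetime.now(timezone.utc))
    else:
        rows = sample_report()
    for cn, not_after, days in rows:
        print(f"{cn}: expires {not_after:%Y-%m-%d} ({days} days left)")
```

On a real system the same information can be had with `mokutil --db` piped through `openssl x509 -noout -subject -enddate`; the hand-rolled walker here is only so the structure of `db` (type GUID, list size, owner GUID, then the raw DER) is visible. A negative `days_left` for a certificate that signs your bootloader or shim is the situation the article warns about: the firmware will stop trusting anything signed under it, so the check belongs in the same inventory that already tracks your TLS certificate expirations.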
This is like Y2K all over again