> They actually advise OEMs not to install this second key by default ("Secured Core" PCs), and some vendors have followed the advice, such as Lenovo. Resulting in yet another hoop to install non-MS OSes.
True, 3rd party not trusted by default is a "Secured-Core PC" requirement, but so is the BIOS option for enabling that trust [0]. On my "Secured-Core" ARM ThinkPad T14s it's a simple toggle option.
> Even recently, a Windows update added a number of Linux distributions to the Secure Boot blacklist, resulting in working dual boot systems being suddenly crippled. Of course, _ancient_ MS OSes are never going to be blacklisted.
Actually they are in the process of blacklisting their currently used 2011 Windows certificate, i.e. the Microsoft cert installed on every pre-~2024 machine, also invalidating all Windows boot media not explicitly created with the new cert. It's a manually initiated process for now, with an automatic rollout coming later [1].
It'll be very interesting to watch how well that's going to work on such a massive scale. :)
> True, 3rd party not trusted by default is a "Secured-Core PC" requirement, but so is the BIOS option for enabling that trust
As I said, yet another increase in the number of hoops for no reason.
Before you say anything else: until this you could install _signed_ Linux distributions without even knowing how to enter your computer's firmware setup. Now you can't.
The trend is obviously there. First, MS forced Linux distributions to go through arbitrary "security" hoops in order to be signed. Then, MS arbitrarily altered the deal anyway. Even mjg59 ranted about this. And the only recourse MS offers to Linux distributions is to pray MS doesn't alter the deal any further.
Maybe at no point they will make it impossible on x86 PCs, but they just have to keep making it scary enough.
And in the meantime keep advertising how WSL fits all your Linux-desktop computing needs, while at the same time claiming they have nothing against open source.
> Actually they are in the process of blacklisting their currently used 2011 Windows certificate
No, they are NOT in the process, and that is precisely what I was referring to. They have not even announced when they are going to even start doing the process. All you quoted is instructions to do it manually. So I'll believe it when I see it.
And besides, just clearing the CMOS is likely to get you a nice ancient DBX containing only some grub hashes on it, and the Windows MS signature on DB. Not so much luck for the MS UEFI CA signature, as discussed above. So "recovery" will be trivial for Windows, not so much for anyone else.
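The thread argues about which Microsoft certificates sit in a machine's db and what a reset dbx contains, but nobody shows how to check. As an added example (not code from the thread, Microsoft's KB, or any distribution), here is a parser for the EFI_SIGNATURE_LIST format that db and dbx use, run over a constructed db holding the two 2011 Microsoft CAs and a constructed dbx holding three hash entries. The certificate payloads are labelled placeholders, not real DER; the CA names are matched by ASCII substring, the same heuristic the KB uses, so this reports enrolment, not validity. The efivarfs path and the variable GUID are the standard UEFI ones; reading them requires a Linux host with Secure Boot variables exposed.

```python
"""Inspect UEFI Secure Boot db/dbx variables (added example, constructed data)."""
import struct
import uuid
from dataclasses import dataclass
from pathlib import Path

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

# Subject names of the CAs discussed in the thread. Substring matching on the
# DER blob is a heuristic (it is what Microsoft's KB does); it validates nothing.
WINDOWS_CAS = ("Microsoft Windows Production PCA 2011", "Windows UEFI CA 2023")
THIRD_PARTY_CAS = ("Microsoft Corporation UEFI CA 2011", "Microsoft UEFI CA 2023")


@dataclass
class SignatureEntry:
    sig_type: uuid.UUID
    owner: uuid.UUID
    data: bytes  # DER certificate for x509 lists, 32-byte digest for sha256 lists


def parse_signature_lists(blob: bytes, efivarfs: bool = True) -> list:
    """Walk the EFI_SIGNATURE_LIST array. Firmware data is untrusted input, so
    every size field is bounds-checked and malformed input raises ValueError."""
    off = 4 if efivarfs else 0  # efivarfs prepends a 4-byte attribute word
    entries = []
    while off < len(blob):
        if len(blob) - off < 28:  # 16-byte type GUID + three UINT32 sizes
            raise ValueError("truncated EFI_SIGNATURE_LIST header at %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at %d" % (list_size, off))
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize %d at %d" % (sig_size, off))
        for i in range(0, len(body), sig_size):  # each EFI_SIGNATURE_DATA: owner GUID + payload
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append(SignatureEntry(sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_signature_lists(blob)
        return True
    except ValueError:
        return False


def enrolled_cas(entries, names):
    """Subset of `names` found inside some x509 entry."""
    return {n for e in entries if e.sig_type == EFI_CERT_X509_GUID
            for n in names if n.encode() in e.data}


def count_hashes(entries):
    return sum(1 for e in entries if e.sig_type == EFI_CERT_SHA256_GUID)


def load_variable(name: str) -> bytes:
    """Read 'db' or 'dbx' from efivarfs on a live Linux system (needs read access)."""
    path = Path("/sys/firmware/efi/efivars/%s-%s" % (name, EFI_IMAGE_SECURITY_DATABASE_GUID))
    return path.read_bytes()


# ---- constructed sample data: not dumped from any real machine ----
def _signature_list(sig_type, owner, payloads):
    """Encode one EFI_SIGNATURE_LIST; all entries in a list share one size."""
    assert all(len(p) == len(payloads[0]) for p in payloads)
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0]))
    return header + body


def _fake_cert(subject):
    # Placeholder for a DER certificate; a real entry carries the full X.509 blob.
    return b"CONSTRUCTED-NOT-A-REAL-CERT:" + subject.encode()


ATTRS = struct.pack("<I", 0x27)  # NV | BS | RT | TIME_BASED_AUTH, as efivarfs reports

# db with the two 2011 Microsoft CAs and no 2023 CA (the pre-2024 situation)
SAMPLE_DB = ATTRS + b"".join(
    _signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER_GUID, [_fake_cert(n)])
    for n in ("Microsoft Windows Production PCA 2011", "Microsoft Corporation UEFI CA 2011"))

# dbx holding only three hash revocations (the thread's "some grub hashes")
SAMPLE_DBX = ATTRS + _signature_list(
    EFI_CERT_SHA256_GUID, MICROSOFT_OWNER_GUID, [bytes([i]) * 32 for i in range(3)])


def report(db_blob: bytes, dbx_blob: bytes) -> dict:
    db, dbx = parse_signature_lists(db_blob), parse_signature_lists(dbx_blob)
    third_party = enrolled_cas(db, THIRD_PARTY_CAS)
    return {
        "windows_cas": enrolled_cas(db, WINDOWS_CAS),
        "third_party_cas": third_party,
        "third_party_trusted": bool(third_party),  # shim-signed Linux can boot
        "has_2023_windows_ca": "Windows UEFI CA 2023" in enrolled_cas(db, WINDOWS_CAS),
        "dbx_hash_revocations": count_hashes(dbx),
        "dbx_cert_revocations": sum(1 for e in dbx if e.sig_type == EFI_CERT_X509_GUID),
    }


if __name__ == "__main__":
    print(report(SAMPLE_DB, SAMPLE_DBX))
```

On a real machine, replace the constructed blobs with `load_variable("db")` and `load_variable("dbx")`. A revoked 2011 certificate shows up as a non-zero `dbx_cert_revocations`, and a machine that has received the new Windows CA shows `has_2023_windows_ca` true.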
[0] https://learn.microsoft.com/en-us/windows-hardware/design/de...
[1] https://support.microsoft.com/en-us/topic/kb5025885-how-to-m...