/g/ - Technology
File: 1757514829422037.png (330 KB, 1280x720)
So I decided to protect my Linux system with Secure Boot. I've generated my own certificates and didn't add Microsoft keys because I thought I didn't need them since I'm using Linux in a single boot configuration. I signed the bootloader and kernel image, enrolled the keys and everything went smoothly so far. After a while I decided to try loading the Arch Linux live image, and surprisingly it loaded, only in BIOS mode. I figured out that it's some compatibility option that allows legacy boot records to load on modern systems. "Well, it's better to turn it off to enhance security" I thought. And this is when shit hit the fan. After disabling CSM I couldn't boot into the UEFI firmware, yet my Linux system was booting just fine. What the fuck? TURNS OUT things such as firmware and UEFI GPU drivers have to be signed by Secure Boot accepted keys AS WELL, and this GPU ROM is only signed by a Microsoft key.
So, if I don't want to dump my GPU ROM, evaluate its hash and write it to db and do such retarded nonsense every time I upgrade my GPU, I have to add the Microsoft key, literally allowing any Microsoft distribution to run on my machine. Furthermore, no GPU developer can write a ROM without asking for Microsoft's permission, even if they never intended to make drivers for Windows.
Why didn't any antimonopoly service such as the FTC fuck them over? It's basically the definition of monopolistic behavior.
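The "dump the ROM, hash it, write the hash to db" route the OP describes works because db accepts two kinds of entries: X.509 certificates (trust everything a CA signs) and SHA-256 hashes (allow exactly one image). Both are stored as EFI_SIGNATURE_LIST structures. The script below is an added example, not code from the thread or from any tool mentioned in it: it builds an allow-by-hash list the way efitools' hash-to-efi-sig-list would and parses db/dbx contents back into readable entries. The owner GUID, the "certificate" bytes and the "option ROM" bytes are constructed stand-ins; a real entry must carry the Authenticode PE hash of the ROM image, not a plain file hash, and the finished list still has to be signed with a KEK private key before efi-updatevar (or sbctl) can write it. One caveat worth knowing before choosing the CA route: third-party option ROMs and shim are signed by the Microsoft Corporation UEFI CA 2011, which is a different certificate from the Microsoft Windows Production PCA 2011 that signs Windows' own boot manager, so only the former has to be in db for the GPU ROM to load.

```python
"""Build and parse UEFI Secure Boot signature lists (EFI_SIGNATURE_LIST).
Added example; all sample data is constructed."""
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification (EFI_CERT_*_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TYPE_NAMES = {EFI_CERT_SHA256_GUID: "SHA256", EFI_CERT_X509_GUID: "X509"}

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (little-endian, 28 bytes).
ESL_HEADER = struct.Struct("<16sIII")


def build_esl(sig_type, owner, datas):
    """Pack equal-sized signature blobs into one EFI_SIGNATURE_LIST.
    Each entry is an EFI_SIGNATURE_DATA: SignatureOwner GUID + data."""
    sizes = {len(d) for d in datas}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + d for d in datas)
    list_size = ESL_HEADER.size + len(body)
    return ESL_HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size) + body


def build_sha256_esl(hashes, owner):
    """A db list that allows exactly these images by hash, trusting no CA."""
    if any(len(h) != 32 for h in hashes):
        raise ValueError("EFI_CERT_SHA256 entries are 32-byte digests")
    return build_esl(EFI_CERT_SHA256_GUID, owner, hashes)


def parse_esls(blob):
    """Return (type_name, owner_guid, data) for every signature in a
    concatenation of EFI_SIGNATURE_LISTs, as stored in db/dbx/KEK."""
    entries = []
    off = 0
    while off + ESL_HEADER.size <= len(blob):
        raw_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        end = off + list_size
        if list_size < ESL_HEADER.size + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError(f"corrupt signature list at offset {off}")
        type_name = TYPE_NAMES.get(uuid.UUID(bytes_le=raw_type), "unknown")
        pos = off + ESL_HEADER.size + hdr_size
        if (end - pos) % sig_size:
            raise ValueError(f"signature list at offset {off} has a partial entry")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((type_name, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    if off != len(blob):
        raise ValueError("trailing bytes after the last signature list")
    return entries


def read_efivar(path):
    """efivarfs prepends 4 bytes of variable attributes; drop them.
    e.g. /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"""
    with open(path, "rb") as f:
        return f.read()[4:]


def describe(entries):
    """One readable line per enrolled entry."""
    lines = []
    for type_name, owner, data in entries:
        if type_name == "SHA256":
            lines.append(f"SHA256 owner={owner} hash={data.hex()}")
        else:
            lines.append(f"{type_name} owner={owner} {len(data)} bytes")
    return lines


def demo():
    """Constructed db: a stand-in CA certificate plus an allow-by-hash entry
    for a stand-in option ROM. Real entries hold the Authenticode PE hash."""
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")  # hypothetical owner GUID
    fake_cert_der = b"\x30\x82\x01\x00" + b"\x00" * 20  # constructed, not a real cert
    fake_rom_hash = hashlib.sha256(b"constructed option ROM image").digest()
    db = build_esl(EFI_CERT_X509_GUID, owner, [fake_cert_der])
    db += build_sha256_esl([fake_rom_hash], owner)
    return describe(parse_esls(db))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it as-is to see the two constructed entries; on a real system, `describe(parse_esls(read_efivar(path)))` against the db or dbx variable shows which CAs and hashes the firmware currently trusts, which is the first thing to check before deciding whether an option ROM failed to load for signature reasons.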
>>
>>107614079
I don't have this problem. I only sign the bootloader. Works on my machine.
>>
>>107614079
>Furthermore, no GPU developer can write a ROM without asking for Microsoft permission, even if they never intended to make drivers for Windows
Which GPU "developer" does this though?
>>
>>107614079
>Why didn't any antimonopoly service such as FTC fucked them over
lmao
geek thinks laws apply to rich people
cute
>>
>>107614096
If you only sign the bootloader then your Secure Boot doesn't work properly. It must fail when you try to load an unsigned EFI binary.
>>
>>107614079
The world at large hasn't quite realized how fucked the situation is, so there's little call for legislation and little other forms of pressure being applied.
In a way - we're in 'fuck-about' territory still. But don't worry - we're about to head into 'find-out' territory, because MS's secure boot keys are going to expire in 2026 and there's a lot of consumer and small-business grade hardware out there on which MS cannot get the automated enrollment of their new keys working properly.
>>
No clue what you're talking about, sbctl just works with custom keys.
>>
>>107614380
Did you enroll Microsoft keys? If not, try disabling CSM in your boot settings (but have a USB drive with your mobo BIOS first so you can offline flash your UEFI BIOS afterwards)
>>
is GPU firmware a different thing from ROM?
>>
>>107614339
>>
>>107614339
Remember the political shitstorm after CrowdStrike left businesses up shit creek for a day?
Remember the outrage over Windows 11 disqualifying hardware that was still perfectly fine because of muh-TPM?

Imagine what will happen if one innocent morning in 2026 millions of consumers and small businesses are pushed a Windows Update that has the new keys in the bootloader, where they fall victim to Microsoft's shit-code arbitrarily failing to enroll those keys in the mobo; and subsequently their machines refusing to start.
Remember - disabling Secureboot isn't an option; Windows 11 requires it enabled. Won't start without it.
But you can't enable it, because the UEFI doesn't acknowledge the key the bootloader is signed with.
And you cannot receive any automated patches onto your Windows system to fix it - because Windows WILL NOT BOOT.
>>
>>107614521
Yes
GPU firmware is located in the linux-firmware packages and is loaded later in the boot process into the GPU itself so the kernel driver can interact with the GPU
GPU ROM or GPU UEFI drivers are loaded with the firmware and used to display things like UEFI BIOS user interface, boot splash etc. Without loading GPU ROM you basically can't interact with BIOS at all!
>>
>>107614613
you don't need Windows or any OS whatsoever for automated patches thanks to vPro/AMT or whatever that's called, but I assume there aren't many businesses using those enterprise grade PCs, at least outside of the West. Also I didn't understand where you were saying you need Windows to boot up to change Secure Boot/UEFI settings
>>
>>107614721
>you dont need windows or any os whatsoever for automated patch thanks to vPro/AMT
So basically his statement still stands because a lot of consumer and small business hardware is not vPro/AMT?
>Also I didnt understand where you were saying you need Windows to boot up to change secure boot/UEFI settings
So you expect regular users to somehow acquire a USB drive with new Secure Boot keys and enroll them manually?
>>
>>107614339
>>107614613
iot systems which are isolated from network and never updooted should have no problem if the bootloader is not altered after key expiration. if those systems use secure boot at all.

home linux users always have the option to disable secure boot.
>>
>>107614766
>So basically his statement still stands because of a lot of consumer and small business hardware is not vPro/AMT?
yes
>So you expect regular users to somehow acquire USB drive with new Secure Boot keys and enroll them manually?
I understood the word 'can't' in the literal sense
>>
>>107614613
Windows 11 works just fine without secure boot
>>
>>107614079
You only need to sign the bootloader, kernel, and initramfs.
There's an optional ability for Linux to force all modules to be signed, but that has to be enabled at compile time IIRC.
If you use GRUB, you might need to sign the kernel and initramfs with a GPG key, instead of your Secure Boot key.
You could directly boot Linux as an EFI file, and then you might not need any extra signing, as GRUB is what enforces the GPG signing if Secure Boot is enabled.
>>
>>107614244
nope. you don't have to sign shit that chainloads. this is literally how shim loaders work.
you're just too retarded to figure it out. also secure boot isn't really useful in the first place if you're not using tpm for full disk encryption.
