On Fri, Jul 10, 2020 at 07:18:06AM -0400, Neal Gompa wrote:
> I don't know this for sure, but from what I've heard, that last point
> (user management of keys) is no longer a requirement, as is being able
> to disable Secure Boot. Some of my friends have reported getting
> laptops from some big vendors without the ability to do either in the
> last couple of years.
The System.Fundamentals.Firmware.UEFISecureBoot section of the current WHCP v2004 documentation states that:

"For devices that are designed to always boot with a specific secure boot configuration, the two requirements ... to support Custom Mode and the ability to disable Secure Boot are optional."

(Custom mode: "It shall be possible for a physically present user... to modify the contents of the secure boot signature databases and the PK...")

(Enable/Disable: "A physically present user must be allowed to disable secure boot via firmware setup... programmatic disabling of secure boot during boot services or after exiting boot services MUST NOT be possible")

Note that "specific secure boot configuration" and "locked down platforms" are not defined in this document, but appear to only apply to ARM-based platforms.

Additionally, in System.Fundamentals.Firmware.UEFICompatibility:

"All Windows systems must boot in UEFI mode by default. Other requirements may add additional sections of compatibility to this list, but this is the baseline."

"All systems, except servers, must be certified in UEFI mode without activating CSM. If a system is available with 32bit and/or 64bit UEFI, both configurations must be tested for certification."

And in System.Fundamentals.Firmware.UEFILegacyFallback:

"If the system ships with a UEFI-compatible OS, system firmware must be implemented as UEFI and it must be able to achieve UEFI boot mode by default. Such a system may also support fallback to legacy BIOS boot on systems with OS which do not support UEFI, but only if the user selects that option in a pre-boot firmware user interface. Legacy option ROMs also may not be loaded by default."

"An OEM may not ship a 64-bit system which defaults to legacy BIOS ... if that system ships with a UEFI-compatible OS"

The language about servers is a bit muddled but it seems to say that if you're going to ship a 64-bit Windows install it needs to default to, and be certified with, CSM-less UEFI booting.
Secure boot is not a requirement for servers.

https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies

 - Solomon

-- 
Solomon Peachy                        pizza at shaftnet dot org (email&xmpp)
                                      @pizza:shaftnet dot org   (matrix)
High Springs, FL                      speachy (freenode)
_______________________________________________
devel mailing list -- firstname.lastname@example.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://email@example.com
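The WHCP text above talks about three firmware states that are observable from a booted Linux system: whether the machine came up through UEFI at all (as opposed to the legacy BIOS/CSM fallback), whether Secure Boot is enforcing, and whether the platform is in Setup Mode (no Platform Key enrolled, which is what Custom Mode lets a physically present user reach) versus User Mode with a PK installed. The following script is an added example, not code from the thread or from Fedora: it reads those variables from the Linux efivarfs (path assumed to be /sys/firmware/efi/efivars, the kernel default) and parses the PK's EFI_SIGNATURE_LIST structures to report the key's SignatureType and SignatureOwner. The DEMO_* values are constructed sample blobs with a made-up owner GUID so the parser can be exercised offline; they are not captured from any real firmware.

```python
"""Inspect the UEFI Secure Boot posture discussed in the WHCP thread:
UEFI vs. legacy boot, Secure Boot on/off, Setup Mode vs. User Mode, and the
contents of the Platform Key (PK) variable.  Added example; assumptions are
marked inline."""
import os
import struct
import uuid

EFIVARS = "/sys/firmware/efi/efivars"            # assumed: Linux efivarfs mount point
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# SignatureType GUIDs from the UEFI specification's EFI_SIGNATURE_LIST section
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def split_efivar(blob):
    """efivarfs prefixes every variable with a 4-byte little-endian attribute word."""
    if len(blob) < 4:
        raise ValueError("efivar blob shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def parse_signature_lists(data):
    """Walk the concatenated EFI_SIGNATURE_LIST structures of a PK/KEK/db payload.
    Layout: SignatureType GUID(16) | SignatureListSize u32 | SignatureHeaderSize u32 |
            SignatureSize u32 | header | N x (SignatureOwner GUID(16) | SignatureData)."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])   # EFI_GUID is little-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size < 16:
            raise ValueError("SignatureSize %d cannot hold an owner GUID" % sig_size)
        body = data[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            entries.append({
                "type": sig_type,
                "owner": uuid.UUID(bytes_le=body[i:i + 16]),
                "data": body[i + 16:i + sig_size],
            })
        off += list_size
    return entries


def read_efivar(name, guid=EFI_GLOBAL_VARIABLE):
    """Return the raw efivarfs blob for a global variable, or None if absent/unreadable."""
    try:
        with open(os.path.join(EFIVARS, "%s-%s" % (name, guid)), "rb") as f:
            return f.read()
    except OSError:
        return None


def secure_boot_state(read=read_efivar):
    """Summarise firmware state.  No SecureBoot variable at all means the kernel was
    not booted via UEFI runtime services (the legacy BIOS/CSM fallback case)."""
    sb = read("SecureBoot")
    if sb is None:
        return {"uefi": False, "secure_boot": None, "setup_mode": None, "pk": []}
    state = {"uefi": True, "secure_boot": split_efivar(sb)[1][:1] == b"\x01"}
    sm = read("SetupMode")
    state["setup_mode"] = None if sm is None else split_efivar(sm)[1][:1] == b"\x01"
    pk = read("PK")
    state["pk"] = [] if pk is None else parse_signature_lists(split_efivar(pk)[1])
    return state


def build_signature_list(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST with an empty SignatureHeader (for constructed samples)."""
    sig_size = 16 + len(payloads[0])
    if any(len(p) != len(payloads[0]) for p in payloads):
        raise ValueError("all signatures in one list must share SignatureSize")
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


# Constructed sample variables (not from real firmware).  Attribute words:
# 0x06 = BS|RT for the volatile status variables, 0x27 = NV|BS|RT|TIME_BASED_AUTH as PK carries.
DEMO_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # made-up owner GUID
DEMO_VARS = {
    "SecureBoot": struct.pack("<I", 0x06) + b"\x01",
    "SetupMode": struct.pack("<I", 0x06) + b"\x00",
    "PK": struct.pack("<I", 0x27)
          + build_signature_list(EFI_CERT_X509_GUID, DEMO_OWNER, [b"\x30\x82" + b"\x00" * 30]),
}

if __name__ == "__main__":
    print("constructed sample:", secure_boot_state(lambda name: DEMO_VARS.get(name)))
    print("this machine:", secure_boot_state())
```

Run it as root (efivarfs entries are usually root-readable only) on a UEFI system to see whether Secure Boot is enforcing and whether a PK is enrolled; a machine that comes up with `uefi: False` booted through the CSM path, and one with `setup_mode: True` has no PK and is open to key enrollment. The SecureBoot and SetupMode variables are read-only from the OS, which is the "programmatic disabling ... MUST NOT be possible" property quoted above; the script only observes them.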