On Fri, Jul 10, 2020 at 07:18:06AM -0400, Neal Gompa wrote:
> I don't know this for sure, but from what I've heard, that last point
> (user management of keys) is no longer a requirement, as is being able
> to disable Secure Boot. Some of my friends have reported getting
> laptops from some big vendors without the ability to do either in the
> last couple of years.

The System.Fundamentals.Firmware.UEFISecureBoot section of the current 
WHCP v2004 documentation [1] states that:

"For devices that are designed to always boot with a specific secure 
 boot configuration, the two requirements ... to support Custom Mode 
 and the ability to disable Secure Boot are optional."

(Custom mode: "It shall be possible for a physically present user...  to 
 modify the contents of the secure boot signature databases and the PK...")

(Enable/Disable: "A physically present user must be allowed to disable 
 secure boot via firmware setup... programmatic disabling of secure boot 
 during boot services or after exiting boot services MUST NOT be 

Note that "specific secure boot configuration" and "locked down 
platforms" are not defined in this document, but appear to only apply 
to ARM-based platforms.

Additionally, in System.Fundamentals.Firmware.UEFICompatibility

"All Windows systems must boot in UEFI mode by default. Other 
 requirements may add additional sections of compatibility to this list, 
 but this is the baseline."

"All systems, except servers, must be certified in UEFI mode without 
 activating CSM. If a system is available with 32bit and/or 64bit UEFI, 
 both configurations must be tested for certification."

And in System.Fundamentals.Firmware.UEFILegacyFallback:

"If the system ships with a UEFI-compatible OS, system firmware must be 
 implemented as UEFI and it must be able to achieve UEFI boot mode by 
 default. Such a system may also support fallback to legacy BIOS boot on 
 systems with OS which do not support UEFI, but only if the user selects 
 that option in a pre-boot firmware user interface. Legacy option ROMs 
 also may not be loaded by default."

"An OEM may not ship a 64-bit system which defaults to legacy BIOS ... 
 if that system ships with a UEFI-compatible OS"

The language about servers is a bit muddled but it seems to say that if 
you're going to ship a 64-bit Windows install it needs to default to, 
and be certified with, CSM-less UEFI booting.  Secure boot is not a 
requirement for servers.


 - Solomon
Solomon Peachy                        pizza at shaftnet dot org (email&xmpp)
                                      @pizza:shaftnet dot org   (matrix)
High Springs, FL                      speachy (freenode)


devel mailing list -- devel@lists.fedoraproject.org