On Mon, Jul 27, 2020 at 01:57:02PM -0400, D. Hugh Redelmeier via talk wrote: > Microsoft requires PC hardware to be shipped with Secure Boot enabled. I > think that they also require that it be possible to disable it (but only > manually, not by program). > > Secure boot requires that there be a cryptographically authenticated > unbroken chain of things that lead to loading the OS. Authentication of > things loaded by the UEFI amounts to being signed by a key for which the > firmware knows the public key. > > The only public key most UEFI firmware knows is controlled by > Microsoft. Red Hat has arranged for Microsoft to sign a loader that > will then load other things: shim.efi. Red Hat made this available to > any other Linux Distro, I think. > > Some other Linux systems have adopted this. For example, UBUNTU and SuSE. > I don't know if your distro has. > > Suggestion: disable secure boot and continue your experiments. I know you > said that you cannot find the setting, but it must be there somewhere in > the firmware setup screen. > > Odd: googling seems to suggest that the only way to turn off SB on Asus > boards is to delete the PK key. If you are going to do this, please save > the key first in case you need to restore it.
Thanks! That is an admirably clear description of Secure Boot, which makes it seem like, well, like not a crazy idea. Yes, I'm pretty sure Secure Boot is the culprit. Googling tells me that I can only disable it on the Asus Prime X570-Pro motherboard by deleting the keys listed under "Key Management" (or at least the PK key), which I was hesitant to try -- it seemed like a one-way street -- but I'll save the key in several places just in case. I guess Arch Linux doesn't have any arrangment with Microsoft. -- Peter King [email protected] Department of Philosophy 170 St. George Street #521 The University of Toronto (416)-946-3170 ofc Toronto, ON M5R 2M8 CANADA http://individual.utoronto.ca/pking/ ========================================================================= GPG keyID 0x7587EC42 (2B14 A355 46BC 2A16 D0BC 36F5 1FE6 D32A 7587 EC42) gpg --keyserver pgp.mit.edu --recv-keys 7587EC42
signature.asc
Description: PGP signature
--- Post to this mailing list [email protected] Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
