Project

General

Profile

Housekeeping #2863

Clarify the policy with UEFI "secure boot" and restricted boot

GNUtoo - about 2 months ago - . Updated 28 days ago.

Status:
open
Priority:
bug
Assignee:
-
% Done:

0%

History

#1

Updated by GNUtoo about 2 months ago

I was told on IRC that the Parabola project took a decision some (years?) ago on if it should support UEFI "secure boot" or "restricted boot". However a quick search on the wiki didn't show information on that.

Knowing why that decision was taken would be interesting.

In addition, just being sure of the outcome and current state of implementation this has some impact on maintenance and the documentation, for instance:
  • Recent security bugs in GRUB have some impact UEFI "secure boot" and/or restricted boot: If some older signed GRUB are blacklisted, and that users use them, and that their boot software (UEFI) is updated, then they will stop being able to boot.
  • If Parabola doesn't support UEFI "secure boot" or "restricted boot", it could be mentioned in the wiki. Before the Windows 8 certifications made sure that users could disable UEFI secure boot. So people getting computers with such certifications could at least be sure to be able to disable secure boot. However with the Windows 10 certification, that is not required anymore1. So we would need to at least warn users not to buy computers where it can't be disable and/or make them enroll their own keys or Parabola's keys, and find a way for users to contribute to a project listing on which computers (along with the boot software(UEFI) version) let or don't let users disable secure boot.

1 https://en.wikipedia.org/wiki/Windows_10#cite_note-arstechnica-securebootw10-299

#2

Updated by bill-auger 28 days ago

  • Status changed from unconfirmed to open
  • Tracker changed from Bug to Housekeeping

Also available in: Atom PDF