Clarify the policy with UEFI "secure boot" and restricted boot
Updated by GNUtoo about 1 year ago
I was told on IRC that the Parabola project took a decision some (years?) ago on if it should support UEFI "secure boot" or "restricted boot". However a quick search on the wiki didn't show information on that.
Knowing why that decision was taken would be interesting.In addition, just being sure of the outcome and current state of implementation this has some impact on maintenance and the documentation, for instance:
- Recent security bugs in GRUB have some impact UEFI "secure boot" and/or restricted boot: If some older signed GRUB are blacklisted, and that users use them, and that their boot software (UEFI) is updated, then they will stop being able to boot.
- If Parabola doesn't support UEFI "secure boot" or "restricted boot", it could be mentioned in the wiki. Before the Windows 8 certifications made sure that users could disable UEFI secure boot. So people getting computers with such certifications could at least be sure to be able to disable secure boot. However with the Windows 10 certification, that is not required anymore1. So we would need to at least warn users not to buy computers where it can't be disable and/or make them enroll their own keys or Parabola's keys, and find a way for users to contribute to a project listing on which computers (along with the boot software(UEFI) version) let or don't let users disable secure boot.