You are not logged in.
Pages: 1
As of 2022 all new Lenovo machines require that the 3rd party UEFI SecureBoot certificate used by Linux distributions (including De{bi,vu}an) be authorised from the firmware ("BIOS") options. No Linux installer will boot on the machines until this is done.
Reference: https://download.lenovo.com/pccbbs/mobi โฆ re_PCs.pdf
Looks like this is a requirement enforced by Microsoft and so might apply to all manufacturers. Nice.
Brianna Ghey โ Rest In Power
Offline
What else would you expect but the tightening of the noose?
Offline
The only surprise is that this did not happen much earlier!
*๐๐๐๐๐๐!*
Offline
That'll most likely turn more people over to other platforms, like Chromebooks, Apple Arm, & other ARM based like Raspberry Pi, or even to the new RISC machines that seem to be slowly appearing - typical MS tactics to try to keep people locked in!!!
WAKE UP MANUFACTURERS, there are other Operating Systems, better than 'Windows', to put on your equipment.
Last edited by Camtaf (2022-07-09 08:55:46)
Online
As an option what about the system76 machines that come preloaded with pop os? I know they are systemd but that can be fixed once the machine is in hand surely?
Offline
ThinkPads preinstalled with Linux (or supplied without an operating system, as mine was) will already have 3rd party certificates enabled so I presume that would also be true for other Linux laptop vendors. Thankfully.
Brianna Ghey โ Rest In Power
Offline
But this can be disabled? So i have read. Is it a case of a certain threat model in regards to not having secure boot enabled? And is the option in the bios to disable secure boot no longer available?
Offline
But this can be disabled?
The user can disable 3rd party certificates, yes. I've removed all manufacturer-supplied certificates from my machine and just use a single certificate I created.
Some devices (usually discrete GPUs) can require the official Microsoft certificate to be allowed for their pre-installed firmware but the hash can be read from the TPM chip and enrolled into the SecureBoot database. Or so I have read :-)
is the option in the bios to disable secure boot no longer available?
The seems to be present in the PDF to which I linked in the OP. So far.
Last edited by Head_on_a_Stick (2022-07-09 09:47:37)
Brianna Ghey โ Rest In Power
Offline
kyuss wrote:But this can be disabled?
The user can disable 3rd party certificates, yes. I've removed all manufacturer-supplied certificates from my machine and just use a single certificate I created.
Some devices (usually discrete GPUs) can require the official Microsoft certificate to be allowed for their pre-installed firmware but the hash can be read from the TPM chip and enrolled into the SecureBoot database. Or so I have read :-)
kyuss wrote:is the option in the bios to disable secure boot no longer available?
The seems to be present in the PDF to which I linked in the OP. So far.
Where can i read/learn about user created certificates, what would be the best source in your opinion?
Offline
Brianna Ghey โ Rest In Power
Offline
Pages: 1