Lenovo are now shipping (some) laptops that only boot Windows by default

"Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party Certificate to be disabled by default. The apparent secured-core requirement for 2022 is that the second of these CAs should not be trusted by default. As a result, drivers or bootloaders signed with this certificate will not run on these systems. This means that, out of the box, these systems will not boot anything other than Windows[1]." https://mjg59.dreamwidth.org/60248.html ... are we surprised? -- Eliot

On Wed, 13 Jul 2022 13:57:33 +1200, Eliot Blennerhassett wrote:
I like this bit:

"So, to have Microsoft, the self-appointed steward of the UEFI Secure Boot ecosystem, turn round and say that a bunch of binaries that have been reviewed through processes developed in negotiation with Microsoft, implementing technologies designed to make management of revocation easier for Microsoft, and incorporating fixes for vulnerabilities discovered by the developers of those binaries who notified Microsoft of these issues despite having no obligation to do so, and which have then been signed by Microsoft are now considered by Microsoft to be insecure is, uh, kind of impolite? Especially when unreviewed vendor-signed binaries are still considered trustworthy, despite no external review being carried out at all."

From another source <https://www.theregister.com/2022/07/11/lenovo_secured_core/>, there is this Twitter comment:

"Just as a counter-example, we advocated very strongly to keep the 3rd party UEFI CA in our default DB for all configs to support customer flexibility. You'll have to figure out who else was in the room for these conversations for yourself... #iwork4dell"

participants (2)
- Eliot Blennerhassett
- Lawrence D'Oliveiro