[vladvasiliu]

Secure Boot by itself is plenty open and user maintainable. On my HP laptop I only have my own keys installed and it only boots my particular Linux install. It won't boot Windows at all nor regular Linux distros like Ubuntu. Other manufacturers intentionally limit their hardware, but that's nothing new, really.

This particular issue is not so much about being able to manage the certificates in Secure Boot. Rather, you can't revoke the old signatures because many people rely on media having them (legitimately) and expect to be able to boot from that media. So now, those systems will boot anything with the old signature, such as a compromised windows bootloader that will happily accept some malware if asked nicely.

[csdvrx]

> It won't boot Windows

You can sign the Windows bootmg efi files with your own keys if you want.

[vladvasiliu]

According to the arch wiki that doesn't always work so well (didn't try it, though). But what does, is signing the MS certificate with your own key. I do that on my work laptop and it works well. I don't need windows on my personal one.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware...

[datadeft]

Do you have a detailed article about this? I am trying to set up something like you mentioned

[vladvasiliu]

The page seems to have changed since I've set this up, but this is what I've followed: https://wiki.archlinux.org/title/Unified_Extensible_Firmware...

The advice around the keys and signing is pretty generic. What's arch specific are the various integrations with the package manager than handle automatic signing of the kernel image after an upgrade.

Lower on the page there's a section about signing MS's certificates, so you can dual-boot windows while using your own keys. I have that setup on my work laptop and it works fine.

[marketingLizard]

Sounds like it's pretty garbage though. Given that it's currently broken. How can my computers security depend on MS like that? Theyre not interested in my interests. I think I'll see if now I can replace it with something thats less conflicted, like coreboot.

Can't wait until the other various secure enclave gets hacked so I can get rid of them too.

[vladvasiliu]

If you don't want to use it, can't you just disable it?

Again, this isn't a failure of secure boot, but a windows security issue. Basically you can't prevent something from running (the bootloader) if you want to be able to... run it.

Getting rid of secure boot and friends wouldn't change anything to this situation. Either you consider you're unlikely to be infected by black lotus or something similar, in which case you're fine (with SB enabled or disabled). Or you can be infected, in which case disabling secure boot doesn't actually do anything, since the rootkit will run fine without it.

What is broken in this particular situation is not secure boot but the windows bootloader.

[marketingLizard]

If I can fully erase it, that's what I'll do. Disabling it is a comprise from a weakened position.