by vetinari 995 days ago
He frames it differently; more optimistic than the reality on the ground. He is also conflating things in a way that does not work (just because Intel ships something does not mean that it is a standard to benchmark compliance to spec against it; it creates unnecessary confusion. Intel has a right to implement things above the spec, but it does not mean that the spec mandates such things).

You can ship your own filesystems, volume managers, device drivers... but they should be signed with a key trusted by Secure Boot, if you want them to be useful at all. Most users are not going to disable SB for your snowflake of EFI binary; especially if it is an OS installer.

As a result, nobody (nobody in Spolsky's sense) really bothers. When you are shipping bootable media, FAT is good enough. It will boot your binary, do stuff it is supposed to do, and everybody goes on with their lives.

2 comments

> Most users are not going to disable SB for your snowflake of EFI binary; especially if it is an OS installer.

We have very different experiences, I must say. Mine is that Linux installers that do support Secure Boot are having to go out of their way to point that out to users because people are just disabling secure boot as step 0 by default.

That same page claims that disabling secure boot is no longer necessary (though most users are in fact used to it by now). It very much seems like the feature does actually just work in most cases.