On Mon, Jun 14, 2021 at 4:45 AM Thomas Schmitt <scdbac...@gmx.net> wrote:

> Hi,
>
> Greg Wooledge wrote:
> > > > Secure Boot (Microsoft's attempt to stop you from using Linux)
>
> Andrei POPESCU wrote:
> > > While I'm not a fan of Microsoft:
> > > https://wiki.debian.org/SecureBoot#What_is_UEFI_Secure_Boot_NOT.3
> > > "Microsoft act as a Certification Authority (CA) for SB, and they will
> > > sign programs on behalf of other trusted organisations so that their
> > > programs will also run."
>
> to...@tuxteam.de wrote:
> >  - do you know any other alternative CA besides Microsoft
> >  - is there any internationally legal binding of Microsoft
>
> Actually it is the mainboard producers and possibly the CPU producers who
> decide who is in charge as CA.
> Further they decide whether the firmware offers the possibility to disable
> Secure Boot or to become your own CA.
>
>
> https://www.linuxjournal.com/content/take-control-your-pc-uefi-secure-boot
> shows how it should be in an ideal world. Of course this is still expert's
> work.
>
> I myself would see few reasons not to disable Secure Boot on my own machines
> if necessary. But currently it does not even hamper kernel experiments.
> (Dunno whether this is intended by Debian and kernel source code or
> whether my test machine is just not as secure as its EFI pretends to be.
> My experiments happen in kernel modules like sr, cdrom, isofs. Maybe a
> change in the kernel's core would meet more distrust.)
>
> I agree with Andrei POPESCU that Secure Boot is not really for the purpose
> of hampering free operating systems, although it causes extra workload on
> those who intend to support this boot procedure.
> Secure Boot is rather the modern attempt to make systems safe against
> simple hardware manipulations. The old way was to seal the USB ports by a
> hot glue gun and to use security screws at the side plates of the box.
>
> It is unfortunate that Intel and Microsoft could not bring themselves to
> create an independent institution which authorizes the legitimate
> boot programs which are acceptable by default.
>
> ------------------------------------------------------------------------
> As we are already off topic:
>
> I agree to Greg Wooledge's overview of x86 boot firmware, as far as
> Debian installation is concerned.
>
> I have some nitpicking on technical details, though, which I did not post
> because it would not be relevant to the initial topic.
>
> Greg Wooledge wrote:
> > UEFI booting requires a GPT disk label (partition table type),
>
> No. UEFI specifies the formats of both MBR partition tables and GPT.
> In both partition table types it specifies an identifier for the EFI
> partition. (Type 0xEF for MBR partition table,
> Type GUID C12A7328-F81F-11D2-BA4B-00A0C93EC93B for GPT.)
>
> There exist a few UEFI firmware implementations which do not obey
> the specs and ignore MBR partition tables.
>
>
> > and one of the partitions on the disk must be an EFI partition.
>
> Actually there is no UEFI implementation known which would not peek into
> any recognized partition with a FAT filesystem, whether there is \EFI\BOOT
> with the matching BOOT*.EFI file.
> This seems to be a quirk which is protected by Microsoft Inc.
>
> Whether a partition is used automatically for booting or whether it is
> offered at all as bootable is a matter of UEFI implementation and
> settings.
>

Okay.  I am running Debian Bullseye (selected earlier, during its testing
phase, because I needed its level of QEMU to import a VM from Mint 20's
QEMU:  Buster's QEMU refused).  My computer is an HP EliteDesk 705 G1-SFF.

I have a special requirement to run a licensed version of Windows 10 Pro as
a QEMU/KVM Guest.  I have already set up QEMU QCOW2 files as GPT and
partitioned them with UEFI environments, but only with Linux guests so far,
as well as (in one instance) rEFInd.

Does QEMU/KVM support setting up Secure Boot, in a way that passes
Microsoft muster?

Okay, I may be finding my own answers, via a Super User web page on this,
using Manjaro and ovmf:

https://superuser.com/questions/1389103/windows-10-uefi-physical-to-kvm-libvirt-virtual

And now I see that Bullseye has ovmf available as a package.

So this will be my next Project.  I guess I am asking if anyone on this
list has been successful with a virtualized Secure Boot that Microsoft
likes?

Have a nice day :)
>
> Thomas
>

Many thanks!

Kenneth Parker
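The partition-table point Thomas makes above (MBR type 0xEF versus the GPT type GUID C12A7328-F81F-11D2-BA4B-00A0C93EC93B) is easy to check against a disk image. The following Python script is an added example written for this thread, not code from any list member; it parses both table types and reports where the EFI System Partition is, which is the first thing to verify when a VM such as the one Kenneth describes refuses to boot under OVMF. The two 0xEF/GUID constants come from the mail; the Linux-filesystem GUID, the 64-sector image layout and the partition names are constructed for the demo. It deliberately does not check CRCs or look inside the filesystem for \EFI\BOOT, which is the separate firmware behaviour the mail discusses.

```python
import struct
import uuid

SECTOR = 512
MBR_ESP_TYPE = 0xEF          # MBR type for an EFI System Partition (from the mail)
MBR_PROTECTIVE_TYPE = 0xEE   # protective MBR entry announcing a GPT disk
GPT_SIGNATURE = b"EFI PART"
ESP_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")      # from the mail
LINUX_FS_GUID = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")  # "Linux filesystem data"


def mbr_entries(image):
    """Yield (type_byte, start_lba, sector_count) for each used primary MBR slot."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    for slot in range(4):
        off = 446 + 16 * slot   # entry: status, CHS start, type, CHS end, LBA start, count
        ptype = image[off + 4]
        start, count = struct.unpack_from("<II", image, off + 8)
        if ptype != 0:
            yield ptype, start, count


def gpt_entries(image):
    """Yield (type_guid, first_lba, last_lba, name) for each used GPT entry.

    Only the header fields needed to locate the entry array are read;
    the CRC32 fields are not verified here.
    """
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != GPT_SIGNATURE:
        raise ValueError("protective MBR present but no GPT header at LBA 1")
    (entries_lba,) = struct.unpack_from("<Q", hdr, 72)
    count, size = struct.unpack_from("<II", hdr, 80)
    for i in range(count):
        off = entries_lba * SECTOR + i * size
        raw = image[off:off + size]
        if len(raw) < 128:
            break
        type_guid = uuid.UUID(bytes_le=raw[0:16])   # GPT stores GUIDs in mixed-endian form
        if type_guid.int == 0:
            continue                                # unused entry
        first, last = struct.unpack_from("<QQ", raw, 32)
        name = raw[56:128].decode("utf-16-le").rstrip("\x00")
        yield type_guid, first, last, name


def find_esp(image):
    """Return ("mbr"|"gpt", start_lba, sector_count) of the first ESP, or None."""
    mbr = list(mbr_entries(image))
    if any(t == MBR_PROTECTIVE_TYPE for t, _, _ in mbr):
        for type_guid, first, last, _name in gpt_entries(image):
            if type_guid == ESP_GUID:
                return ("gpt", first, last - first + 1)
        return None
    for ptype, start, count in mbr:
        if ptype == MBR_ESP_TYPE:
            return ("mbr", start, count)
    return None


def build_mbr_image():
    """Constructed first sector of an MBR disk with one bootable 0xEF partition."""
    img = bytearray(SECTOR)
    struct.pack_into("<BBBBBBBBII", img, 446,
                     0x80, 0, 0, 0, MBR_ESP_TYPE, 0, 0, 0, 2048, 204800)
    img[510:512] = b"\x55\xaa"
    return bytes(img)


def build_gpt_image(include_esp=True):
    """Constructed 64-sector GPT disk: protective MBR, header at LBA 1, entries at LBA 2."""
    img = bytearray(64 * SECTOR)
    struct.pack_into("<BBBBBBBBII", img, 446,
                     0, 0, 2, 0, MBR_PROTECTIVE_TYPE, 0xFF, 0xFF, 0xFF, 1, 0xFFFFFFFF)
    img[510:512] = b"\x55\xaa"
    hdr = SECTOR
    img[hdr:hdr + 8] = GPT_SIGNATURE
    struct.pack_into("<II", img, hdr + 8, 0x00010000, 92)   # revision 1.0, header size
    struct.pack_into("<QQ", img, hdr + 24, 1, 63)           # this header's LBA, backup LBA
    struct.pack_into("<Q", img, hdr + 72, 2)                # entry array starts at LBA 2
    struct.pack_into("<II", img, hdr + 80, 128, 128)        # 128 entries of 128 bytes

    def put_entry(index, type_guid, first, last, name):
        off = 2 * SECTOR + index * 128
        img[off:off + 16] = type_guid.bytes_le
        img[off + 16:off + 32] = uuid.UUID(int=0x1000 + index).bytes_le  # constructed unique GUID
        struct.pack_into("<QQ", img, off + 32, first, last)
        img[off + 56:off + 56 + 2 * len(name)] = name.encode("utf-16-le")

    slot = 0
    if include_esp:
        put_entry(slot, ESP_GUID, 2048, 206847, "EFI System Partition")
        slot += 1
    put_entry(slot, LINUX_FS_GUID, 206848, 20971519, "root")
    return bytes(img)


if __name__ == "__main__":
    print("MBR image:", find_esp(build_mbr_image()))
    print("GPT image:", find_esp(build_gpt_image()))
    print("GPT image without ESP:", find_esp(build_gpt_image(include_esp=False)))
```

To run it against a real QCOW2 guest, convert or expose the image as raw first (for example via qemu-img or qemu-nbd) and pass the first few hundred KiB of the raw device to find_esp; the script only ever reads the first 34 sectors of a GPT disk. As the mail notes, a firmware that finds this partition still has to find a FAT filesystem with \EFI\BOOT\BOOT*.EFI inside it before the disk is offered for booting.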
