Basically any security technology can be abused to restrict user freedom - that means we need to push back against such abuses, not that we should necessarily reject the technologies in the first place
Needing to manually enable trusting third party boot chains is a minor inconvenience at most and not a restriction on what you can do. Their ecosystem has almost entirely theatrical implementations of secure boot and attestation. Many things would have to be fixed, this is one.
It's an incomplete implementation of secure boot where there are multiple things missing for both firmware and the OS. One of the things they would need to do to turn it into a serious implementation is exactly this. Shim bootloader has no place in a serious implementation of it.
If a laptop is shipped with a Linux distribution, it should only trust the key for that specific Linux distribution by default. Same thing applies to Windows. Having a whole bunch of trusted parties by default and all kinds of trivial bypasses SHOULD get fixed along with the rest.