Comment by mystifyingpoi

3 months ago

But what happened doesn't even make sense. Why would upgrading the BIOS suddenly restore the option to toggle Secure Boot? If the previous owner (assuming, some company) disabled this, why would it be so trivial (comparatively) to work around it?

I've seen laptops stuck in a weird state. Most likely, Fujitsu didn't bother to test turning off Secure Boot once they received the BIOS they bought, and fixed the toggle in a firmware update.

Linux boots fine using standard secure boot, so if it refused it's either NixOS using an unsigned bootloader (which is surprising to me) or secure boot just being bugged to hell.

Another option is that NixOS uses Secure Boot but uses a signature that's too recent: one of the Secure Boot CAs is expiring soon, and an old BIOS may not carry the new key if NixOS opts to sign their bootloader with the latest key. This issue doesn't just affect Linux; certain Windows images won't boot on older devices either if this mismatch happens.

My bet is on NVRAM getting into a weird state or a buggy BIOS. That's the most obvious thing that would get fixed by updating the BIOS.

> why would it be so trivial

The trivial way would be just going into the UEFI config (it hasn't been the BIOS for 15 years, but anyway) and just disabling Secure Boot (and proceeding to do the Evil Maid attack or whatever).

99% Secure Boot was forced to a locked state by the laptop firmware through some management utils to support the enterprise configuration.

It just happens that someone with full administrative access on the machine (i.e. no boot password, no UEFI password, ability to run any Secure Boot-enabled OS) can run firmware updates, and one such update, for whatever reason, reset the ability to change Secure Boot.

Or maybe the author wasn't attentive enough and missed something, who knows.

If the company fully managed the previous Windows install, they'd have control over the upgrades to the BIOS as well and could just block them. These restrictions disappear with a standard Windows install.