Comment by mystifyingpoi
9 hours ago
But what happened doesn't even make sense. Why would upgrading the BIOS suddenly restore the option to toggle Secure Boot? If the previous owner (assuming some company) disabled this, why would it be so trivial (comparatively) to work around it?
I've seen laptops stuck in a weird state. Most likely, Fujitsu didn't bother to test turning off secure boot once they received the BIOS they bought, and fixed the toggle in a firmware update.
Linux boots fine using standard secure boot, so if it refused it's either NixOS using an unsigned bootloader (which is surprising to me) or secure boot just being bugged to hell.
Another option is that NixOS uses secure boot but uses a signature that's too recent: one of the secure boot CAs is expiring soon, and an old BIOS may not carry the new key if NixOS opts to sign their bootloader with the latest key. This issue doesn't just affect Linux; certain Windows images won't boot on older devices either if this mismatch happens.
My bet is on NVRAM getting into a weird state or a buggy BIOS. That's the most obvious thing that would get fixed by updating the BIOS.
If the company fully managed the previous Windows install, they'd have control over the upgrades to the BIOS as well and could just block them. These restrictions disappear with a standard Windows install.