Comment by ghighi7878

8 hours ago

It's a simple solution in law to enable. Force manufacturers to allow owners of a computer to put any signing key in the BIOS.

We need this law. Once we have this law, consumers can get the maximum benefit of Secure Boot without losing control.

But that's how it already works.

If you install Windows first, Microsoft takes control (but it graciously allows Linux distros to use their key). If you install Linux first, you take control.

It's perfectly possible for you to maintain your own fully secure trust chain, including a TPM setup which, e.g., lets you keep a 4-digit PIN while keeping your system secure against brute-force attacks. You can't do that with the 1990s "encryption is all you need" style of system security.

  • It's funny, but I just encountered this for the first time the other day. It feels like I had to do a lot of digging to find out how to do this so that I could add my LUKS key to my TPM... it really felt like it took some doing on the HP all-in-one that I was trying to put Debian on... maybe because it was Debian being Debian.

Most embedded processors sadly don't have a BIOS, and the signing key is permanently burned into the processor via eFUSEs.

> It's a simple solution in law to enable. Force manufacturers to allow owners of a computer to put any signing key in the BIOS.

...it's already allowed. The problem is that this isn't the default, but opt-in, and you need quite a lot of knowledge to set it up.