
Understanding modern UEFI-based platform boot - matt_d
https://depletionmode.com/uefi-boot.html
======
userbinator
_Important note: Secure Boot is not designed to defend against an attacker
with physical access to a machine_

Unfortunately, in practice that's what it often does, and the user is
considered an "attacker". All this complexity is scary, and threatens to turn
PCs into locked-down devices like the mobile world has done. I wonder if pre-
UEFI/pre-ME x86 systems will become more valuable sometime in the future,
because of this.

~~~
raverbashing
You can disable secure boot in the "BIOS"

I had the same worry, some 15 years ago I think it was the top of the "they're
trying to lock PCs down 100%". Today I don't worry so much

~~~
swebs
From what I hear, Apple tries _extremely_ hard to block Linux from booting on
new Macbook models. Disabling "secure boot" isn't enough.

~~~
derefr
I find it strange that they bother, since in the end you can always just run a
fullscreen Linux VM and hand it over 99% of the computer’s resources.

Maybe Apple’s true worry might be revealed by considering the difference
between what they allow and what they prevent. Apple _allow_ you to have a
wholly-Linux UX on an Apple laptop; but they don’t _allow_ Linux developers to
run a Linux kernel directly on Apple hardware.

Maybe what they’re really concerned about is Linux having an easy testbed for
developing MacBook hardware/peripheral drivers, such as for the T2, such that
people could build apps in other OSes that take advantage of the touchbar, and
thus in some way “commoditize” one of the costlier USPs of macOS?

~~~
umanwizard
They actually don't prevent you from running a Linux kernel on their hardware,
though.

------
djsumdog
I really wish efibootmgr did validation to ensure the EFI entries were correct
and pointing to valid executables. I've seen a lot of devices where the
firmware won't even list entries if it can't find the actually file it should
load. Dell firmware is some of the best because it lets you edit EFI vars
right in the setup screen, and even search for and add boot entries.

------
kashyapc
Speaking of UEFI ... if anyone wants to try Secure Boot with OVMF—the open
source implementation of UEFI for virtual machines—in a Linux-based
environment, here's a stupid shell script (usual caveat, please inspect it
before you run :-)) that I sometimes use for testing.

It installs a minimal ( _@core_ -only in 'kickstart' parlance) Fedora with
Secure Boot, which you can verify by ` _dmesg | grep Secure_ ` once the guest
boots.

I wrote this script on a Fedora 29 host, with KVM (the Kernel-based Virtual
Machine), libvirt, QEMU and OVMF / EDK2 packages.

[1] [https://kashyapc.fedorapeople.org/Create-a-SecureBoot-
enable...](https://kashyapc.fedorapeople.org/Create-a-SecureBoot-enabled-
VM.bash)

