Re: [RFC PATCH v2] x86/boot: add .sbat section to the bzImage

[Ard Biesheuvel]

(cc Peter and Matthew)

On Fri, 14 Jul 2023 at 00:32, Luca Boccassi <bluca@xxxxxxxxxx> wrote:
>
> On Thu, 13 Jul 2023 at 14:52, Ard Biesheuvel <ardb@xxxxxxxxxx> wrote:
> >
> >
> > Note that by Windows-crippled, I mean x86 PCs built by OEMs who care
> > about nothing other than the Windows logo sticker. These PCs often don't
> > allow secure boot keys to be modified by the owner of the machine, or
> > secure boot to be disabled at all. This is why shim exists, not because
> > UEFI secure boot is broken by design.
>
> AFAIK that's not only against the spec but also the logo
> certification, which x86 OEMs are doing that and in which models?
> Happy to flag that and inquire.

Thanks. My Yoga C630 Snapdragon laptop definitely does not allow me to
update the keys from the UI, but it does allow me to disable secure
boot. It might work with SetVariable() directly but I've never tried.

Maybe the OEMs have gotten better at this over the years, but it is
definitely not possible for the distros to rely on being able to get
their own cert into KEK and sign their builds directly.