[prev in list] [next in list] [prev in thread] [next in thread]
List: fedora-devel-list
Subject: Re: future of dual booting Windows and Fedora, redux
From: Daniel =?utf-8?B?UC4gQmVycmFuZ8Op?= <berrange () redhat ! com>
Date: 2022-07-29 9:55:07
Message-ID: YuOue9dnVNuoiZjo () redhat ! com
[Download RAW message or body]
On Thu, Jul 28, 2022 at 07:47:15PM +0200, Vitaly Zaitsev via devel wrote:
> On 26/07/2022 20:05, Chris Murphy wrote:
> > Summary: Windows 10/11 increasingly enables Bitlocker (full disk encryption) out \
> > of the box with the encryption key sealed in the TPM. Two different issues \
> > result:
>
> Microsoft has published a new security bulletin on the current state of
> Secure Boot:
> https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process
>
> The most important note:
>
> > Secured-core PCs require Secure Boot to be enabled and configured to distrust the \
> > Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the \
> > most secure configuration of their PCs possible.
>
> TL;DR. The new certified by Microsoft devices will be able to load only
> Microsoft Windows in the UEFI Secure Boot enabled mode.
I read that as meaning there are two different certifications
* "Certified For Windows PCs" - the traditional behaviour we've known,
where the 3rd party UEFI CA is enabled by defualt
* "Secured-core PCs" - a new certification promoted as a more secure
out of the box setup, where 3rd party UEFI CA is disabled by default
This doesn't mean that everything is suddenly going to be 'Secure-cored"
and thus prevent use of shim out of the box.
This other doc gives more details
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/OEM-highly-secure-11
[quote]
Microsoft works closely with OEM partners to help ensure that all certified
Windows systems deliver a secure operating environment. Windows integrates
closely with the hardware to deliver protections that take advantage of
available hardware capabilities:
* Baseline Windows security – recommended baseline for all individual
systems that provides foundational system integrity protections.
Leverages TPM 2.0 for a hardware root of trust, secure boot and
BitLocker drive encryption.
* Virtualization-based security enabled – leverages virtualization
capabilities from hardware and the hypervisor to provide additional
protection for critical subsystems and data.
* Secured-core – recommended for the most sensitive systems and
industries like financial, healthcare, and government agencies.
Builds on the previous layers and leverages advanced processor
capabilities to provide protection from firmware attacks.
[/quote]
An open question is just how widely the OEM hardware vendors will
deploy "Secured core" hardware in practice. If they only do this
for enterprise hardware they sell with Windows pre-installed, then
it might not become a big deal, as those running Linux will typically
opt out of Windows pre-install. If they deploy 'Secured core' across
all hardware, both consumer and enterprise, and/or regardless of OS
preinstall choice, then it will become more of a pain for consumers
wanting to run Linux.
With regards,
Daniel
--
> > https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> > https://libvirt.org -o- https://fstop138.berrange.com :|
> > https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic