On Tue, Apr 5, 2022 at 4:28 PM Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote: > > On Tue, Apr 5, 2022 at 9:56 AM Florian Weimer <fweimer@xxxxxxxxxx> wrote: > > > > * Peter Robinson: > > > > > This is out of context here because you can disable Secure Boot but > > > still use UEFI to make that work. You're trying to link to different > > > problems together. > > > > I think there's firmware out there which enables Secure Boot > > unconditionally in UEFI mode, but still has CSM support. > > The UEFI spec makes CSM and Secure Boot mutually exclusive. CSM > enabled renders Secure Boot impossible. So I'm not sure how the > firmware can simultaneously enforce Secure Boot, but then permit the > loading of non-compliant bootloaders. That'd seem to be a Secure Boot > break worthy of a firmware update. In particular if it's also possible > to invoke CSM boot via NVRAM variables. > Many boards offered this capability, even though it violates the standard. It's one of the reasons why Intel demanded PC makers stop supporting CSM at all. -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
