On Thu, Jul 28, 2022 at 07:47:15PM +0200, Vitaly Zaitsev via devel wrote:
> On 26/07/2022 20:05, Chris Murphy wrote:
> > Summary: Windows 10/11 increasingly enables Bitlocker (full disk encryption) out of the box with the encryption key sealed in the TPM. Two different issues result:
>
> Microsoft has published a new security bulletin on the current state of
> Secure Boot:
> https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process
>
> The most important note:
>
> > Secured-core PCs require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible.
>
> TL;DR. The new certified by Microsoft devices will be able to load only
> Microsoft Windows in the UEFI Secure Boot enabled mode.

I read that as meaning there are two different certifications

 * "Certified For Windows PCs" - the traditional behaviour we've known,
   where the 3rd party UEFI CA is enabled by default

 * "Secured-core PCs" - a new certification promoted as a more secure
   out of the box setup, where 3rd party UEFI CA is disabled by default

This doesn't mean that everything is suddenly going to be 'Secure-cored'
and thus prevent use of shim out of the box.

This other doc gives more details

  https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/OEM-highly-secure-11

[quote]
Microsoft works closely with OEM partners to help ensure that all
certified Windows systems deliver a secure operating environment.
Windows integrates closely with the hardware to deliver protections
that take advantage of available hardware capabilities:

 * Baseline Windows security – recommended baseline for all individual
   systems that provides foundational system integrity protections.
   Leverages TPM 2.0 for a hardware root of trust, secure boot and
   BitLocker drive encryption.

 * Virtualization-based security enabled – leverages virtualization
   capabilities from hardware and the hypervisor to provide additional
   protection for critical subsystems and data.

 * Secured-core – recommended for the most sensitive systems and
   industries like financial, healthcare, and government agencies.
   Builds on the previous layers and leverages advanced processor
   capabilities to provide protection from firmware attacks.
[/quote]

An open question is just how widely the OEM hardware vendors will
deploy "Secured core" hardware in practice.

If they only do this for enterprise hardware they sell with Windows
pre-installed, then it might not become a big deal, as those running
Linux will typically opt out of Windows pre-install.

If they deploy 'Secured core' across all hardware, both consumer and
enterprise, and/or regardless of OS preinstall choice, then it will
become more of a pain for consumers wanting to run Linux.

With regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|