On Thu, Apr 7, 2022 at 2:54 AM Florian Weimer <fweimer(a)redhat.com> wrote:
* Chris Murphy:
> On Tue, Apr 5, 2022 at 9:56 AM Florian Weimer <fweimer(a)redhat.com> wrote:
>>
>> * Peter Robinson:
>>
>> > This is out of context here because you can disable Secure Boot but
>> > still use UEFI to make that work. You're trying to link to different
>> > problems together.
>>
>> I think there's firmware out there which enables Secure Boot
>> unconditionally in UEFI mode, but still has CSM support.
>
> The UEFI spec makes CSM and Secure Boot mutually exclusive. CSM
> enabled renders Secure Boot impossible. So I'm not sure how the
> firmware can simultaneously enforce Secure Boot, but then permit the
> loading of non-compliant bootloaders.
I meant that without CSM, Secure Boot is always enabled. I don't know
if Fedora UEFI installations work on such systems when CSM is enabled.
CSM enabled systems get a BIOS GRUB installation just as if it was a
system without UEFI. The system gets an MBR, GRUB boot code in MBR,
GRUB stage 2 in the MBR gap, etc.
--
Chris Murphy