* Chris Murphy:
On Thu, Apr 7, 2022 at 2:54 AM Florian Weimer
<fweimer(a)redhat.com> wrote:
>
> * Chris Murphy:
>
> > On Tue, Apr 5, 2022 at 9:56 AM Florian Weimer <fweimer(a)redhat.com> wrote:
> >>
> >> * Peter Robinson:
> >>
> >> > This is out of context here because you can disable Secure Boot but
> >> > still use UEFI to make that work. You're trying to link to
different
> >> > problems together.
> >>
> >> I think there's firmware out there which enables Secure Boot
> >> unconditionally in UEFI mode, but still has CSM support.
> >
> > The UEFI spec makes CSM and Secure Boot mutually exclusive. CSM
> > enabled renders Secure Boot impossible. So I'm not sure how the
> > firmware can simultaneously enforce Secure Boot, but then permit the
> > loading of non-compliant bootloaders.
>
> I meant that without CSM, Secure Boot is always enabled. I don't know
> if Fedora UEFI installations work on such systems when CSM is enabled.
CSM enabled systems get a BIOS GRUB installation just as if it was a
system without UEFI. The system gets an MBR, GRUB boot code in MBR,
GRUB stage 2 in the MBR gap, etc.
Okay, then Secure Boot is mandatory on these systems as far as Fedora is
concerned once Fedora removes BIOS support, just as I suspected.
Thanks,
Florian