On Fri, Jun 5, 2020 at 12:19 PM John M. Harris Jr <johnmh(a)splentity.com> wrote:
>> The *only* case where Secure Boot must be disabled for the proper
>> functioning of a PC today is if you use the NVIDIA proprietary
>> drivers, because nobody is helping RPM Fusion set up a mechanism to
>> sign their driver and load the key into the kernel for trust.
>
> Most of the "Secure Boot" hardware I've gotten my hands on has been early
> generations, up to some produced in 2015. I've had to change the mode to
> "deployment" on some HP ProDesk systems in order to get it to install Fedora,
> for example. I can't speak for the most recent generations, but I remain
> skeptical due to the "lockdown" functionality breaking everything.
>
> Other times you'd need to do so are when you'd like hibernation support, any
> out of tree modules such as ZFS, kexec, hot patching...

That signing kernels is non-obvious and should get better does not
mean it is good advice to tell people to disable UEFI Secure Boot. I
have used out of tree ZFS in the past with Secure Boot enabled by
signing the modules.

Please move the non-zram discussion to another thread. It's respectful
to readers who come to this thread expecting to read about this