On Fri, Jul 10, 2020 at 07:18:06AM -0400, Neal Gompa wrote:
> I don't know this for sure, but from what I've heard, that last point
> (user management of keys) is no longer a requirement, as is being able
> to disable Secure Boot. Some of my friends have reported getting
> laptops from some big vendors without the ability to do either in the
> last couple of years.
The System.Fundamentals.Firmware.UEFISecureBoot section of the current
WHCP v2004 documentation [1] states that:
"For devices that are designed to always boot with a specific secure
boot configuration, the two requirements ... to support Custom Mode
and the ability to disable Secure Boot are optional."
(Custom mode: "It shall be possible for a physically present user... to
modify the contents of the secure boot signature databases and the PK...")
(Enable/Disable: "A physically present user must be allowed to disable
secure boot via firmware setup... programmatic disabling of secure boot
during boot services or after exiting boot services MUST NOT be
possible")
Note that "specific secure boot configuration" and "locked down
platforms" are not defined in this document, but appear to apply only
to ARM-based platforms.
Additionally, in System.Fundamentals.Firmware.UEFICompatibility
"All Windows systems must boot in UEFI mode by default. Other
requirements may add additional sections of compatibility to this list,
but this is the baseline."
"All systems, except servers, must be certified in UEFI mode without
activating CSM. If a system is available with 32bit and/or 64bit UEFI,
both configurations must be tested for certification."
And in System.Fundamentals.Firmware.UEFILegacyFallback:
"If the system ships with a UEFI-compatible OS, system firmware must be
implemented as UEFI and it must be able to achieve UEFI boot mode by
default. Such a system may also support fallback to legacy BIOS boot on
systems with OS which do not support UEFI, but only if the user selects
that option in a pre-boot firmware user interface. Legacy option ROMs
also may not be loaded by default."
"An OEM may not ship a 64-bit system which defaults to legacy BIOS ...
if that system ships with a UEFI-compatible OS"
The language about servers is a bit muddled but it seems to say that if
you're going to ship a 64-bit Windows install it needs to default to,
and be certified with, CSM-less UEFI booting. Secure boot is not a
requirement for servers.
[1] https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/wh...
- Solomon
--
Solomon Peachy pizza at shaftnet dot org (email&xmpp)
@pizza:shaftnet dot org (matrix)
High Springs, FL speachy (freenode)
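The three states the quoted requirements talk about (booted via legacy BIOS/CSM, booted via UEFI with Secure Boot enforcing, and the PK-less "setup mode" in which a physically present user can rewrite the signature databases) can be checked from a running Linux system by reading the UEFI global variables through efivarfs. The script below is an added example, not part of the original mail; it assumes a Linux efivarfs layout (a 4-byte attribute header followed by the variable data) and takes the efivars directory as an optional argument so it can be run against a constructed test directory.

```shell
#!/bin/sh
# Report UEFI boot mode and Secure Boot state from efivarfs (constructed
# example). EFI_GLOBAL_VARIABLE GUID per the UEFI specification.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the first data byte of a UEFI global variable, skipping the 4-byte
# attribute header efivarfs prepends. Prints "absent" if the file is missing.
#   $1 = efivars directory, $2 = variable name (e.g. SecureBoot)
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo "absent"; return; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' '
}

# Classify the platform state:
#   legacy-bios     no efivars at all, so the OS was booted via CSM/BIOS
#   setup-mode      SetupMode=1: no PK enrolled, db/dbx/KEK writable
#   secureboot-on   SecureBoot=1 and PK enrolled: signatures enforced
#   secureboot-off  UEFI boot, but Secure Boot disabled in firmware setup
boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    [ -d "$dir" ] || { echo "legacy-bios"; return; }
    sb=$(efivar_byte "$dir" SecureBoot)
    sm=$(efivar_byte "$dir" SetupMode)
    if [ "$sm" = "1" ]; then
        echo "setup-mode"
    elif [ "$sb" = "1" ]; then
        echo "secureboot-on"
    else
        echo "secureboot-off"
    fi
}
```

Run it with no argument on a live system; a result of "secureboot-off" or "setup-mode" on a machine expected to be locked down is the condition a fleet check should flag.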