| 24 Jan 2022 |
 colemickens | I'm pretty sure my laptop doesn't, but now I'm realizing that it well could have the same issue (does user enrolled keys get stored in nvram) | 22:35:50 |
 Zhaofeng Li | In reply to @colemickens:matrix.org
I'm pretty sure my laptop doesn't, but now I'm realizing that it well could have the same issue (does user enrolled keys get stored in nvram) Both of my laptop (Framework) and custom desktop allow this, and they do survive BIOS upgrades | 22:37:37 |
| Zhaofeng Li | In reply to @colemickens:matrix.org
I'm pretty sure my laptop doesn't, but now I'm realizing that it well could have the same issue (does user enrolled keys get stored in nvram) * Both of my laptop (Framework) and custom desktop allow this, and they do survive BIOS upgrades in my case | 22:37:44 |
| Zhaofeng Li | And it's not just user enrolled keys, you are enrolling the PK and transitioning Secure Boot to User mode | 22:38:46 |
| Zhaofeng Li | BIOSes usually have an option to use the "default" setup which would enroll the Microsoft PK | 22:39:21 |
| colemickens | Actually, it does have a "Reset to Setup Mode" that will clear the platform key and let me enroll one. | 22:39:58 |
| colemickens | But :/ also I dual-boot Windows. idk if one can enroll multiple platform keys | 22:40:12 |
| Zhaofeng Li | Yeah, that's what you want to use | 22:40:16 |
| Zhaofeng Li | You can still dual-boot Windows, just allow Microsoft's certificates in your db | 22:41:29 |
| Zhaofeng Li | Found it: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Dual_booting_with_other_operating_systems | 22:42:16 |
| colemickens | Hrmph, now I feel like I wasted my time with the shim, but this would require figuring out signing :s | 22:42:19 |
| Zhaofeng Li | It's actually pretty simple after you generate all the keys and enroll them in your BIOS | 22:43:13 |
| Zhaofeng Li | Everything else can be done from the OS | 22:43:30 |
| colemickens | I just assume people are signing outside the store or doing some sandboxing trick to get to the private key or something. I've always avoided that, but maybe it's not a huge deal. | 22:44:10 |
| Zhaofeng Li | In reply to @zhaofeng:zhaofeng.li
You can get actual Secure Boot signing working with https://github.com/frogamic/nix-machines/tree/main/modules/systemd-secure-boot The module here automatically creates a unified kernel image (kernel + initrd) for each generation and signs them | 22:45:10 |
| Zhaofeng Li | And the end-user experience is seamless | 22:45:23 |
