• orclev@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    ·
    7 hours ago

    The way it should work is that during the OS install the OS can ask to have a cert added to the keystore at which point UEFI pops up a screen that says something like:

    An application has requested to add a new certificate to secure boot which will allow new software to run at boot up. This usually happens when installing or updating an OS. If you would like to allow this press and hold <5 randomly selected letters> on the keyboard for 5 seconds. If you don’t want to allow this press and hold escape for 3 seconds.

    This would at least be a vendor agnostic way of enrolling certificates instead of the MS certificate just always being pre-installed. It should also of course be publicly documented exactly how the process works so everyone can use it.

    • exu@feditown.com
      link
      fedilink
      English
      arrow-up
      3
      ·
      4 hours ago

      Universal Blue distros do that. For some reason you need to enter a password though.

    • addie@feddit.uk
      link
      fedilink
      English
      arrow-up
      4
      ·
      6 hours ago

      Problem being, of course, that you can add more certificates, but you can’t revoke the original M$ one. And since it’s vulnerable and you can’t get rid, then these exploits still work and there’s nothing you can do to stop it.

      • Default Username@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        6
        ·
        edit-2
        5 hours ago

        Computers shouldn’t come with Microsoft keys preinstalled to begin with (or an operating system for that matter). Microsoft being able to have Windows preinstalled on the vast majority of non-Apple PCs is how they gained their monopoly in the first place.

      • orclev@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 hours ago

        You should be able to remove any or all the certs as well, although I could see an argument for requiring you to enter the BIOS to do that.