
On Mon, Jul 27, 2020 at 01:57:02PM -0400, D. Hugh Redelmeier via talk wrote:
> Microsoft requires PC hardware to be shipped with Secure Boot enabled. I think that they also require that it be possible to disable it (but only manually, not by program).
>
> Secure boot requires that there be a cryptographically authenticated unbroken chain of things that lead to loading the OS. Authentication of things loaded by the UEFI amounts to being signed by a key for which the firmware knows the public key.
>
> The only public key most UEFI firmware knows is controlled by Microsoft. Red Hat has arranged for Microsoft to sign a loader that will then load other things: shim.efi. Red Hat made this available to any other Linux Distro, I think.
>
> Some other Linux systems have adopted this. For example, UBUNTU and SuSE. I don't know if your distro has.
>
> Suggestion: disable secure boot and continue your experiments. I know you said that you cannot find the setting, but it must be there somewhere in the firmware setup screen.
>
> Odd: googling seems to suggest that the only way to turn off SB on Asus boards is to delete the PK key. If you are going to do this, please save the key first in case you need to restore it.

Thanks! That is an admirably clear description of Secure Boot, which makes it seem like, well, like not a crazy idea. Yes, I'm pretty sure Secure Boot is the culprit. Googling tells me that I can only disable it on the Asus Prime X570-Pro motherboard by deleting the keys listed under "Key Management" (or at least the PK key), which I was hesitant to try -- it seemed like a one-way street -- but I'll save the key in several places just in case. I guess Arch Linux doesn't have any arrangement with Microsoft.

-- 
Peter King                    peter.king@utoronto.ca
Department of Philosophy
170 St. George Street #521
The University of Toronto     (416)-946-3170 ofc
Toronto, ON M5R 2M8
CANADA

http://individual.utoronto.ca/pking/

=========================================================================
GPG keyID 0x7587EC42 (2B14 A355 46BC 2A16 D0BC 36F5 1FE6 D32A 7587 EC42)
gpg --keyserver pgp.mit.edu --recv-keys 7587EC42
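
An added example, not part of either message in this thread: one way to save the PK before deleting it is to read the variable from Linux's efivarfs and confirm the saved bytes parse as well-formed EFI signature lists. The function names and the output file name are hypothetical; it assumes efivarfs is mounted at /sys/firmware/efi/efivars and readable.

```python
import struct
import uuid
from pathlib import Path

# Identifiers defined by the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"   # vendor GUID of PK and KEK
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFIVARS = Path("/sys/firmware/efi/efivars")           # assumed mount point

def parse_esl(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures.

    Returns (signature_type, owner_guid, data) for every entry and raises
    ValueError if the buffer is truncated or its size fields disagree.
    """
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:          # 16-byte type GUID + three UINT32
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = list_size - 28 - hdr_size
        if body < 0 or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent sizes in EFI_SIGNATURE_LIST")
        if body % sig_size:
            raise ValueError("signature data is not a multiple of SignatureSize")
        pos = off + 28 + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries

def backup_pk(dest):
    """Copy the PK signature list to dest, refusing to save a malformed one."""
    raw = (EFIVARS / f"PK-{EFI_GLOBAL}").read_bytes()
    esl = raw[4:]                         # efivarfs prepends 4 attribute bytes
    entries = parse_esl(esl)
    if not entries:
        raise ValueError("PK is empty (firmware is already in setup mode?)")
    Path(dest).write_bytes(esl)
    return entries

if __name__ == "__main__":
    for sig_type, owner, data in backup_pk("PK-backup.esl"):  # hypothetical name
        kind = "X.509" if sig_type == EFI_CERT_X509 else str(sig_type)
        print(f"saved {kind} entry, owner {owner}, {len(data)} bytes")
```

The same parser works on KEK, db and dbx, which are also stored as signature lists, so each backup can be checked before any key is deleted in the firmware setup screen.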