To me this makes a lot of sense, and really is the reason why most things are by default insecure.

Most people who are building their own computer are not going to be an expert in UEFI and secure boot (some may have never even heard of these things). These people are almost guaranteed to need to install their own OS. So if they try, and it "doesn't work", they are going to need tech support or most likely return the motherboard as defective. Thus it makes more sense to make the default permissive.

On the other hand, someone who does want to run secure boot securely is probably an expert, so they can probably figure out how to actually turn it on and harden their setup. As long as you can lock stuff down, having these people jump through a few more hoops seems like a reasonable trade-off.

(Also FWIW, most pre-builts or integrated devices do have real secure boot enabled, since the expectation is that users of these will likely never need to install an OS that won't work with a strict secure boot enforcement policy.)

>Most people who are building their own computer are not going to be an expert in UEFI and secure boot (some may have never even heard of these things). These people are almost guaranteed to need to install their own OS. So if they try, and it "doesn't work", they are going to need tech support or most likely return the motherboard as defective. Thus it makes more sense to make the default permissive.

Not only that, a popular tool for creating Windows USB installers[1] fails to boot if Secure Boot is enabled. I looked into it a few years ago and it was because it defaults to NTFS formatting if install.wim is greater than 4GB (because of FAT32 limitations), which is most Windows ISOs. Most UEFI implementations don't support NTFS, so it installs a shim loader, which is unsigned and therefore fails to boot with Secure Boot enabled.

[1] https://rufus.ie/en/

Rufus 3.17 (released Oct 2021) onwards is secure boot signed. See: https://github.com/pbatard/rufus/releases/tag/v3.17

Huh, interesting. I know he'd been working on it for a while and wasn't getting anywhere because of Microsoft, but apparently he finally got it working. The only real issue is getting your bootloader signed by MS. There's no other way to pass Secure Boot verification.

https://github.com/pbatard/uefi-ntfs

Edit: https://old.reddit.com/r/sysadmin/comments/pl2jqg/creating_b... This is the last time I read anything about it from the Rufus dev (which was over a year ago)