Skip to main content


Items tagged with: secureBoot

TPM2-measured boot with bus protection is pretty nice actually for Linux installations where secure boot is not enabled, like the default Arch Linux installation for instance.

For the sake of "defence in depth", I'd enable both if it is out-of-the-box feature but would not probably bother with secure boot if it requires extra work.

So, the takeaway from this is that it would make a lot of sense to make measured boot happen in arch-install installation as opt-in feature. No Microsoft key required.

Still so far the most informative overview for the shenanigans is… but I'd also look for more recent references.

Policy hash calculation per kernel package update for LUKS2 is what needs to happen over time whenever a new kernel package is installed with hooks/scripts.

So the thing that was hyped to DRM the world into a locked down hellhole rendered out the Microsoft key hard binding instead 🤷

#tpm #linux #archlinux #opensuse #secureboot #security

I am about to install @Arch Linux on a new laptop. This time I am attempting to look into the #secureBoot properly. Trying to boot #archBoot or manually adding #preloader into the install media fails with secure boot violation error. I understand I should enroll loader hashes into the mok list in the nvram. I can't use EFI shell, hashtool.efi, keytool.efi and similar since at that stage of the boot process there's no accessibility support and I can't handle that on my own with OCR snapshots of the laptop screen. Am I missunderstanding the secure boot concept or is that yet another thing I can't overcome no matter how much I am trying to prepare for the task? Of course windows is booting and I do have a screen reader running. But I can't find windows tools capable of manipulating EFI variables. #secureBoot #fail #Accessibility