The TPM is a passive component; it does not get involved in the boot process on its own, unless an OS (or a bootloader) specifically tries to interact with it. You can dual-boot an OS even if it doesn't have any support for the TPM.

That said, if you want to use the TPM from Linux, you can still do so even if it was initialized by Windows. Windows initializes the TPM2 using a random "owner password" that it throws away, but the fact that it immediately throws the password away just tells you that you don't need it for normal operation. For example, the RSA "storage root key" is initialized in a standard way at 0x81000001 and can be used from any OS, including Linux. (Some tools, such as systemd-cryptenroll, will just ignore it and generate an ECC root key instead.) Currently the only limitation is that you cannot use the high-level FAPI tools in Linux tpm2-tss, but that is really not a big loss; almost everything builds on the "raw" ESAPI anyway. (If necessary, you can still convince Windows to store the owner password in the Registry, although obviously you can't recover the one that was thrown away, so this requires re-initializing the TPM.)

On the other hand, the Secure Boot feature can cause some trouble. You should still be able to use Linux distributions like Fedora or Ubuntu which have official support for it (they have Microsoft-signed bootloaders). With some tinkering, you should be able to use the Microsoft-signed Shim to boot just about anything that supports UEFI. (It's kind of a loophole, as Shim just prompts you to authorize unknown.) Secure Boot on x86 systems also allows you to set up your own signing keys alongside the Microsoft keys. This can get quite complicated, but it is nevertheless completely possible to have a Linux kernel or another .efi file be fully validated by your firmware's Secure Boot.

There's been a lot of misinformation in press articles about the Secure Boot requirement. To install and run Windows 11, your machine is required to be "Secure Boot capable", but it does not have to have Secure Boot enabled. To be "Secure Boot capable" really just means that the system is booting via UEFI, not legacy BIOS/CSM.
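As an added example (not code from the original post), here is how the TPM paragraph above plays out in practice: checking from Linux that the Windows-created storage root key is present at 0x81000001, then sealing a secret under it with tpm2-tools so that it only unseals while PCR 0 (firmware) and PCR 7 (Secure Boot state) are unchanged. The handle 0x81000001 comes from the text; the PCR selection, the file names and the sample secret are assumptions, and the live part is skipped when no TPM resource manager or tpm2-tools is available.

```shell
#!/bin/sh
# Added example, not code from the original post: use the SRK that Windows
# created at 0x81000001 (the handle named in the text) from Linux with
# tpm2-tools. File names, the sample secret and the PCR selection are assumptions.
set -eu

SRK=0x81000001          # standard persistent handle of the storage root key
PCRS=sha256:0,7         # bind to firmware code (PCR 0) and Secure Boot state (PCR 7)

# Read `tpm2_getcap handles-persistent` output on stdin (lines like
# "- 0x81000001") and return 0 if the requested handle is listed.
handle_listed() {
    tr 'A-Z' 'a-z' | grep -qx -- "- $(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# True when a TPM 2.0 resource manager and tpm2-tools are available.
have_tpm() {
    [ -c /dev/tpmrm0 ] && command -v tpm2_getcap >/dev/null 2>&1
}

# Seal the contents of file $1 under the Windows-created SRK into directory $2.
# userwithauth is deliberately left out of the attributes so that the (empty)
# object password cannot be used to bypass the PCR policy on unseal.
seal_secret() {
    secret=$1; dir=$2
    tpm2_readpublic -c "$SRK" -o "$dir/srk.pub" >/dev/null   # fails if there is no SRK at 0x81000001
    tpm2_createpolicy --policy-pcr -l "$PCRS" -L "$dir/pcr.policy" >/dev/null
    tpm2_create -C "$SRK" -i "$secret" -L "$dir/pcr.policy" \
        -a 'fixedtpm|fixedparent|noda' \
        -u "$dir/seal.pub" -r "$dir/seal.priv" >/dev/null
}

# Load the sealed object under the SRK and unseal it; this succeeds only while
# the selected PCRs still hold the values they had at sealing time.
unseal_secret() {
    dir=$1
    tpm2_load -C "$SRK" -u "$dir/seal.pub" -r "$dir/seal.priv" -c "$dir/seal.ctx" >/dev/null
    tpm2_unseal -c "$dir/seal.ctx" -p "pcr:$PCRS"
}

main() {
    if ! have_tpm; then
        echo "no /dev/tpmrm0 or tpm2-tools here; skipping the live TPM part" >&2
        return 0
    fi
    if ! tpm2_getcap handles-persistent | handle_listed "$SRK"; then
        echo "no SRK at $SRK: the TPM was not initialized by Windows (or has been cleared)" >&2
        return 1
    fi
    dir=$(mktemp -d)
    printf 'constructed sample secret' > "$dir/secret"   # constructed sample input
    seal_secret "$dir/secret" "$dir"
    unseal_secret "$dir"; echo
    rm -rf "$dir"
}

main "$@"
```

The SRK has an empty authorization value, which is why no owner password is needed anywhere above. PCR 7 records the certificate that verified each boot component, so its value differs between the Windows and the Linux boot path; that is fine for dual boot, because each OS seals its own secrets on its own path, but a firmware update or toggling Secure Boot will change PCR 0 or PCR 7 and the unseal will then fail until the secret is re-sealed.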
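As an added example (not code from the original post) for the Secure Boot paragraphs above: the first part checks what "Secure Boot capable" actually means on a running system (UEFI boot, visible as /sys/firmware/efi) and reads the SecureBoot and SetupMode variables; the second part generates your own signing key and signs an .efi binary with sbsigntools, with the two enrolment routes in comments: shim's Machine Owner Key list (the prompt-to-authorize mechanism the text calls a loophole) and the firmware's own db. The tool names and the EFI_GLOBAL_VARIABLE GUID are real; the file names, the certificate CN and the command-line interface of the script are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: check whether the machine is
# "Secure Boot capable" (booted via UEFI) and whether Secure Boot is enabled,
# then sign an .efi binary with your own key. Tool names (openssl, sbsign,
# sbverify, mokutil, efitools) are real; file names and the CN are assumptions.
set -eu

EFIVARS=/sys/firmware/efi/efivars
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c    # EFI_GLOBAL_VARIABLE GUID

# Decode a boolean efivarfs file ($1): 4 bytes of attributes, then 1 data byte.
# Returns 0 for value 1, 1 for value 0, 2 if the file is missing or malformed.
efivar_bool() {
    [ -f "$1" ] || return 2
    v=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' ')
    case "$v" in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# Print enabled / disabled / unknown for the efivar file $1.
bool_word() {
    rc=0; efivar_bool "$1" || rc=$?
    case $rc in 0) echo enabled ;; 1) echo disabled ;; *) echo unknown ;; esac
}

# "Secure Boot capable" in the Windows 11 sense only means the OS was booted
# through UEFI, which is exactly what the existence of /sys/firmware/efi tells you.
uefi_booted() { [ -d /sys/firmware/efi ]; }

report_state() {
    if ! uefi_booted; then
        echo "firmware: legacy BIOS/CSM boot (not Secure Boot capable)"
        return 0
    fi
    echo "firmware: UEFI (Secure Boot capable)"
    echo "Secure Boot: $(bool_word "$EFIVARS/SecureBoot-$EFI_GLOBAL")"
    # Setup Mode = no PK enrolled, so PK/KEK/db can be written without a signature.
    echo "Setup Mode: $(bool_word "$EFIVARS/SetupMode-$EFI_GLOBAL")"
}

# Generate your own signing key (PEM for sbsign, DER for mokutil / efitools).
make_signing_key() {   # $1 = base name, e.g. MOK
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$1 custom Secure Boot key/" -keyout "$1.key" -out "$1.crt"
    openssl x509 -in "$1.crt" -outform DER -out "$1.cer"
}

# Sign a PE/COFF .efi binary (kernel, bootloader, UKI) and verify the result.
sign_efi() {   # $1 = key base name, $2 = input .efi, $3 = signed output
    sbsign --key "$1.key" --cert "$1.crt" --output "$3" "$2"
    sbverify --cert "$1.crt" "$3"
}

# Two ways to make the boot chain trust that certificate:
#  (a) alongside the Microsoft keys, via shim's Machine Owner Key list; the
#      request is confirmed interactively in MokManager on the next boot:
#        mokutil --import MOK.cer
#  (b) in the firmware's own db, which needs either Setup Mode or an update
#      signed by a KEK you hold (efitools):
#        cert-to-efi-sig-list -g "$(uuidgen)" MOK.crt db.esl
#        sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth
#        efi-updatevar -f db.auth db

case "${1:-status}" in
    status) report_state ;;
    keygen) make_signing_key "${2:-MOK}" ;;
    sign)   sign_efi "$2" "$3" "$4" ;;
    *)      echo "usage: $0 status | keygen [name] | sign <name> <in.efi> <out.efi>" >&2; exit 2 ;;
esac
```

Route (a) is what the Fedora and Ubuntu shims already rely on: the Microsoft-signed shim is what the firmware validates, and shim then accepts anything signed by a key in its MOK list, so a kernel you signed yourself boots with Secure Boot left enabled. Route (b) makes the firmware itself validate your binary with no shim involved, but on a typical OEM machine you do not hold the KEK, so it means enrolling your own PK/KEK/db from Setup Mode.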