
Sam Varghese <sam@gnubies.com> writes:
> No. A Linux distro that can boot on a PC/laptop that has secure boot enabled would necessarily have obtained a key from Microsoft.

AIUI that is wrong. By analogy to x509 TLS, a UEFI SBK environment will trust a set list of CA certs by default. The only one that is guaranteed to be in there is Microsoft's CA cert. You can boot your own OS by getting MS to sign your cert, *OR* you create your own CA and add it to the trusted list. The latter is difficult enough to be effectively inaccessible to most users, but I think it still bears mentioning.

> Matthew Garrett is good on the technical details, so is James Bottomley. I really do not know the answer to this.

That's http://mjg59.dreamwidth.org and I think http://blog.hansenpartnership.com/

Thanks, I didn't know about the latter. Of course mjg59's alone is getting me about triple my RDI of facepalms...