• Practicality of Secure Boot

    From Paul@nospam@needed.invalid to alt.comp.os.windows-10,alt.comp.os.windows-11 on Fri May 22 07:53:18 2026
    From Newsgroup: alt.comp.os.windows-11

    I've been playing around with Secure Boot, while working on
    the PCA2023 thing.

    The 18 page or so document, a high level description of Secure Boot,
    indicated that it "should not brick the computer", as a response
    to not finding all the signing was good or whatever. But, I got
    a taste of how it really works, the last couple days.

    I brought a disk I haven't used for a year or so, into the computer.
    I had several devices loaded. I turn on the power.

    The screen stayed black. The four white staging LEDs on the mobo?
    Remained dark. It wouldn't even admit it had finished quick RAM test.

    It would not bring up Pop-Up Boot, and let me select the "valid device"!

    It seems it is checking all devices for UEFI materials. It is
    inspecting the materials on all the drives. If any drive was say,
    a PCA2011-related OS (when PCA2011 is revoked on this machine now),
    the computer won't do squat. I couldn't even get the fucking thing
    to enter the BIOS. I couldn't press <Del>, enter the BIOS, turn off
    Secure Boot. I had to disconnect all drives, then it would let me
    enter the BIOS.

    No, the machine is not bricked. I can remove the drives, all of them,
    power up, and then I can start.

    It would appear my 25H2 DVD from April 2026, is signed with PCA2011.
    Well, it has to be signed with something. Now, the machine cannot
    boot the DVD and do a clean install of Win11 while Secure Boot is
    asserted. I can turn off Secure Boot, and of course it will
    UEFI InSecure Boot just fine.

    Secure Boot is turned off now. I am NOT emptying the machine,
    fiddling with drives, changing a setting and so on, every time
    I boot something. It's about as practical as churning your own butter.

    Summary: The indication, to me, is that Secure Boot is only practical
    on a server in a server room, having one boot drive, running
    a single OS, not changing anything, staying the same every day.
    That oughta work.

    Disappointing, really. Not impressed. Not impressed at all as
    an engineer, that more energy was not put into this when
    "it was just a stupid idea". You shouldn't deploy something
    this basic, that is not well thought out. The more complex
    a stupid idea is, the more failure modes it has (the elevators
    at the mall! never twice the same!).

    Why is the machine not allowed to comment on what is going on?
    Is a black screen really the best you can do in the year 2026?
    FFS. Where is my logic analyzer and my $35K digital scope, so
    I can have an interface to this piece of shit? Maybe I didn't
    spend enough money on the computer.

    Paul
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Valerio Vanni@valerio.vanni@inwind.it to alt.comp.os.windows-11 on Fri May 22 14:28:44 2026
    From Newsgroup: alt.comp.os.windows-11

    On Fri, 22 May 2026 07:53:18 -0400, Paul <nospam@needed.invalid>
    wrote:

    > I've been playing around with Secure Boot, while working on
    > the PCA2023 thing.
    > I brought a disk I haven't used for a year or so, into the computer.
    > I had several devices loaded. I turn on the power.

    > It would appear my 25H2 DVD from April 2026, is signed with PCA2011.
    > Well, it has to be signed with something. Now, the machine cannot
    > boot the DVD and do a clean install of Win11 while Secure Boot is
    > asserted. I can turn off Secure Boot, and of course it will
    > UEFI InSecure Boot just fine.

    It's something that happens with Linux too.
    A couple of years ago, I found that new Clonezilla (base OS is Debian)
    versions disable old ones. It involves GRUB signatures.

    And that case seems still worse than yours: Clonezilla is a live
    system, and usually from a live system we expect no changes.
    Bad things could happen: you have a working resident system, you boot
    once to a live system and then you find the resident system blacklisted.

    With a new Linux live system, you could revert the condition with the
    "mokutil" utility.
    In general, you could try to reflash the BIOS.
    --
    There are 10 kinds of people in the world: those who understand binary
    and those who don't.
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Frank Slootweg@this@ddress.is.invalid to alt.comp.os.windows-10,alt.comp.os.windows-11 on Sat May 23 11:24:52 2026
    From Newsgroup: alt.comp.os.windows-11

    Paul <nospam@needed.invalid> wrote:
    > I've been playing around with Secure Boot, while working on
    > the PCA2023 thing.

    > The 18 page or so document, a high level description of Secure Boot,
    > indicated that it "should not brick the computer", as a response
    > to not finding all the signing was good or whatever. But, I got
    > a taste of how it really works, the last couple days.

    > I brought a disk I haven't used for a year or so, into the computer.
    > I had several devices loaded. I turn on the power.

    > The screen stayed black. The four white staging LEDs on the mobo?
    > Remained dark. It wouldn't even admit it had finished quick RAM test.

    > It would not bring up Pop-Up Boot, and let me select the "valid device"!

    > It seems it is checking all devices for UEFI materials. It is
    > inspecting the materials on all the drives. If any drive was say,
    > a PCA2011-related OS (when PCA2011 is revoked on this machine now),
    > the computer won't do squat. I couldn't even get the fucking thing
    > to enter the BIOS. I couldn't press <Del>, enter the BIOS, turn off
    > Secure Boot. I had to disconnect all drives, then it would let me
    > enter the BIOS.

    > No, the machine is not bricked. I can remove the drives, all of them,
    > power up, and then I can start.

    Did you have to remove ALL the drives, or would just removing the one
    you added have been enough?

    I ask, because on some systems - notably laptops, but not limited to
    laptops - it is not easy, or even (nearly or fully) impossible to remove
    the main 'disk'.

    I.e., do we have to be worried when we try/need to boot from a
    Macrium Reflect Rescue Media USB memory-stick, which probably has a
    "PCA2011-related OS"?

    [...]
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Paul@nospam@needed.invalid to alt.comp.os.windows-10,alt.comp.os.windows-11 on Sat May 23 08:11:23 2026
    From Newsgroup: alt.comp.os.windows-11

    On Sat, 5/23/2026 7:24 AM, Frank Slootweg wrote:
    > Paul <nospam@needed.invalid> wrote:
    >> I've been playing around with Secure Boot, while working on
    >> the PCA2023 thing.

    >> The 18 page or so document, a high level description of Secure Boot,
    >> indicated that it "should not brick the computer", as a response
    >> to not finding all the signing was good or whatever. But, I got
    >> a taste of how it really works, the last couple days.

    >> I brought a disk I haven't used for a year or so, into the computer.
    >> I had several devices loaded. I turn on the power.

    >> The screen stayed black. The four white staging LEDs on the mobo?
    >> Remained dark. It wouldn't even admit it had finished quick RAM test.

    >> It would not bring up Pop-Up Boot, and let me select the "valid device"!

    >> It seems it is checking all devices for UEFI materials. It is
    >> inspecting the materials on all the drives. If any drive was say,
    >> a PCA2011-related OS (when PCA2011 is revoked on this machine now), the
    >> computer won't do squat. I couldn't even get the fucking thing
    >> to enter the BIOS. I couldn't press <Del>, enter the BIOS, turn off
    >> Secure Boot. I had to disconnect all drives, then it would let me
    >> enter the BIOS.

    >> No, the machine is not bricked. I can remove the drives, all of them,
    >> power up, and then I can start.

    > Did you have to remove ALL the drives, or would just removing the one
    > you added have been enough?

    > I ask, because on some systems - notably laptops, but not limited to
    > laptops - it is not easy, or even (nearly or fully) impossible to remove
    > the main 'disk'.

    > I.e., do we have to be worried when we try/need to boot from a
    > Macrium Reflect Rescue Media USB memory-stick, which probably has a
    > "PCA2011-related OS"?

    > [...]


    The only trick I have, for the desktop (which I wasn't able to use),
    is to boot with a PCA2023 media, then use Hot Plug on the SATA drive
    and connect a drive which happened to have PCA2011 material in it.
    In other words, you try to use Hot Plug as a means to prevent
    the BIOS from doing too much analysis.

    When I started this test case, I was hoping the outcome would be
    that the BIOS would not sniff anything with regard to attestation,
    until the user makes a choice from the popup boot. Instead, the
    popup boot will not appear unless *all* media are compliant.
    You can be compliant by being a data-disk. You can be compliant,
    by being signed with whatever is the boss in your UEFI databases
    (PCA2023 perhaps).

    But since the BIOS is non-communicative in these failure cases
    (staging lights won't light, screen remains black), the user could
    be forgiven if they have no debug capabilities or hints as to what
    exactly is wrong at the moment.

    I don't know if "rolling over and playing dead" is a requirement
    of Secure Boot or not. At least some failures result in a PCR7 message
    on the screen (which you must capture with a video camera, as pressing
    the break key will not preserve the screen content).

    Paul

    --- Synchronet 3.21d-Linux NewsLink 1.2
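
Since the thread's failure mode is firmware going dark when a PCA2011-signed boot loader is attached, here is one way to check, from another machine or with Secure Boot off, which Microsoft CA a boot manager file was signed under before the disk or stick goes into the revoked machine. This is an added example, not code from any poster: it reads the PE certificate table and matches the CA common names as ASCII (a heuristic label, not signature verification), and `make_sample` builds constructed input in place of a real `bootmgfw.efi`.

```python
import struct

# Thread shorthand -> CA common name, matched as ASCII (heuristic, not verification).
KNOWN_CAS = {
    "PCA2011": b"Microsoft Windows Production PCA 2011",
    "PCA2023": b"Windows UEFI CA 2023",
}

def authenticode_blobs(pe: bytes):
    """Yield each WIN_CERTIFICATE payload from a PE/EFI image's certificate table."""
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        raise ValueError("not a PE image")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 24                  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)       # data directory array
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)  # NumberOfRvaAndSizes
    # Directory 4 (Security) stores a file offset and size, not an RVA.
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    end = off + size
    if ndirs <= 4 or off == 0 or end > len(pe):
        return                         # unsigned image or bogus table: no blobs
    while off + 8 <= end:
        (length,) = struct.unpack_from("<I", pe, off)
        if length < 8 or off + length > end:
            break                      # malformed entry: stop instead of looping
        yield pe[off + 8:off + length]
        off += (length + 7) & ~7       # entries are 8-byte aligned

def signing_cas(pe: bytes):
    """Return labels of the known CAs named in the image's signature data."""
    blobs = list(authenticode_blobs(pe))
    return sorted(k for k, name in KNOWN_CAS.items() if any(name in b for b in blobs))

def make_sample(ca_name: bytes) -> bytes:
    """Constructed stand-in for a signed boot manager: PE32+ headers, one cert entry."""
    cert = struct.pack("<IHH", 8 + len(ca_name), 0x0200, 0x0002) + ca_name
    cert += b"\0" * (-len(cert) % 8)
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 32, 0x40 + 24 + len(opt), len(cert))
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt) + cert
```

On real media, pass the bytes of the boot manager from the EFI system partition to `signing_cas`; a result of `["PCA2011"]` only names the chain found in the file and says nothing about what this machine's own db and dbx currently contain.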