eBuzz Central video (from #1) – references
At 1:48
The video author does not show the site’s header but I have identified it as being this one, from ghacks.net
https://www.ghacks.net/2022/08/13/rufus-microsoft-is-blocking-windows-iso-downloads/
… and as you can see, it was written 13 August, updated 14 August.
I have no issue with that, but the dates are worth noting.
At 2:48
The video author again, here, does not show the site’s header but I have identified it as being this one, from Bleeping Computer
https://www.bleepingcomputer.com/ne...tloaders-enabling-windows-secure-boot-bypass/
Again, I have no issue with that, but the dates are worth noting.
At 4:10
For the third time, the video author does not show the site’s header but I have identified it as being this one, from Kitguru.net
https://www.kitguru.net/components/...-chips-with-microsoft-pluton-wont-boot-linux/
This one, however, is one that concerns me, in that it is no longer current or accurate. I’ll tell you why.
The second paragraph states
Matthew Garret (via Phoronix), a Linux security specialist, wanted to analyse the implementation of the Microsoft Pluton on the Ryzen Pro 6860Z Zen3+ processor. Ultimately, this didn't go very well, as he couldn't get a Linux install to complete.
I clicked the link on Phoronix and it takes you to the source article at
https://www.phoronix.com/news/Lenovo-Pluton-Windows-Default
Written on 8 July by Michael Larabel, of Phoronix, I have no issue with the content as it is referenced by the author of the video.
BUT (and Wizard’s butt is usually not far behind)
Towards the bottom, and at the bottom, are two (2) important updates, which the video author does not reference; he may not have seen them, but should have before he published.
Update 1 has, from AMD itself
Update (11 July): AMD has reached out with their comment on the matter:
AMD supports Ryzen PRO 6000 processors with Linux, including partnering with select Linux distribution vendors on certifications for OEM products. The pluton security co-processor built into our Ryzen 6000 processors does not prohibit platforms from running Linux. Some OEM systems initially shipped with Windows may need to reconfigure their systems to boot Linux. To enable booting Linux on a platform that was shipped with Windows, a user can either:
1. Enable the Microsoft 3rd Party UEFI CA in the UEFI secure boot database.
2. Disable UEFI secure boot
Some OEMs have provided guidance for their specific platforms. A document from Lenovo is posted here.
Update 2 has
Update (11 July): AMD has reached out with their comment on the matter:
AMD supports Ryzen PRO 6000 processors with Linux, including partnering with select Linux distribution vendors on certifications for OEM products. The pluton security co-processor built into our Ryzen 6000 processors does not prohibit platforms from running Linux. Some OEM systems initially shipped with Windows may need to reconfigure their systems to boot Linux. To enable booting Linux on a platform that was shipped with Windows, a user can either:
1. Enable the Microsoft 3rd Party UEFI CA in the UEFI secure boot database.
2. Disable UEFI secure boot
Some OEMs have provided guidance for their specific platforms. A document from Lenovo is posted here.
If you click the last, linked word above, you will be taken here
https://www.phoronix.com/review/rembrandt-linux-boot
where on 15 July, a week after the original article that the video author refers to, Michael Larabel says, in part
Indeed when it came to trying to boot an Ubuntu 22.04 LTS live image on the ThinkPad X13 Gen3, it failed. From the boot menu selection screen selecting the USB drive with the official Ubuntu 22.04 LTS, it failed and simply returned to the boot menu screen without any messages. This is a bad user experience and doesn't inform the user about the 3rd party certificate being disabled or any other messaging around the problem - it just fails.
But further on, he says
But fortunately from the Lenovo BIOS the 3rd party UEFI CA can be easily enabled. Simply hit enter at boot to interrupt the boot process, hit F1 to enter the BIOS, and from the security page is a "Allow Microsoft 3rd Party UEFI CA". Or there is also the ability to disable UEFI Secure Boot in its entirety.
And
This is the part that wasn't made clear in Garrett's blog post -- the 3rd party certificate can be easily enabled. But I do agree with his assessment that it's a stupid mandate to now have to disable this certificate by default and doesn't seem to be based on firm security reasons. Particularly around the lack of messaging over this change in default behavior it leads to a poor user experience and customers may just assume Linux is having technical troubles in booting on new laptops or other troubles.
And particularly reassuring is
Once enabling the third party certificate, the Ubuntu 22.04 LTS image booted up fine on the ThinkPad X13 Gen3 laptop. With the third party certificate enabled, the Microsoft Windows installation still booted up fine as well.
You can read the rest for yourselves.
On Matthew Garrett
Matthew is a former Red Hat programmer. He is the author of shim and shim-signed, which allow Linux distros to present a face to Microsoft as being certified (key) binaries that allow Linux to be installed on a computer that runs Microsoft's Secure Boot.
Matthew is also Linus Torvalds' first lieutenant, and he and Linus sign off on all changes to the Linux kernel.
On Michael Larabel
Michael (at the age of about 17, I think) set up phoronix.com to benchmark and review hardware that could run Linux. That was in 2004. By 2008, he had developed and released Phoronix Test Suite, which is cross-platform (Linux and Windows) and allows the user to benchmark his or her computer equipment likewise.
Wizard
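
An added example, not part of the post above or of any quoted article: one way to check from Linux whether the Microsoft 3rd Party UEFI CA that AMD's statement refers to is present in the Secure Boot `db` variable, by parsing its EFI_SIGNATURE_LIST records. It assumes the firmware toggle adds or removes the certificate in `db`, and that the certificate is the one whose subject name is "Microsoft Corporation UEFI CA 2011"; the sample data and `make_list` helper are constructed for illustration.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Assumption: subject CN of the Microsoft 3rd-party CA, matched as raw bytes in the DER.
THIRD_PARTY_CA_CN = b"Microsoft Corporation UEFI CA 2011"
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def iter_x509_entries(db: bytes):
    """Yield the DER bytes of every X.509 entry in a run of EFI_SIGNATURE_LISTs."""
    pos = 0
    while pos + 28 <= len(db):
        sig_type = uuid.UUID(bytes_le=db[pos:pos + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", db, pos + 16)
        if list_size < 28 or pos + list_size > len(db):
            raise ValueError(f"corrupt signature list at offset {pos}")
        entry = pos + 28 + header_size
        end = pos + list_size
        while sig_size > 16 and entry + sig_size <= end:
            if sig_type == EFI_CERT_X509_GUID:
                yield db[entry + 16:entry + sig_size]  # skip SignatureOwner GUID
            entry += sig_size
        pos = end


def third_party_ca_enabled(db: bytes) -> bool:
    """True if any X.509 entry in db carries the 3rd-party CA subject name."""
    return any(THIRD_PARTY_CA_CN in cert for cert in iter_x509_entries(db))


def make_list(sig_type: uuid.UUID, payload: bytes) -> bytes:
    """Build one single-entry signature list (constructed test data)."""
    sig = uuid.UUID(int=0).bytes_le + payload
    return sig_type.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig


# Constructed samples: fake "certificates" that only carry a subject string.
WINDOWS_ONLY = make_list(EFI_CERT_X509_GUID, b"CN=Microsoft Windows Production PCA 2011")
WITH_THIRD_PARTY = WINDOWS_ONLY + make_list(EFI_CERT_X509_GUID, THIRD_PARTY_CA_CN)

if __name__ == "__main__":
    try:
        with open(DB_PATH, "rb") as f:
            live = f.read()[4:]  # efivarfs prefixes 4 attribute bytes
        print("3rd-party UEFI CA in db:", third_party_ca_enabled(live))
    except OSError as exc:
        print("cannot read db variable:", exc)
```

A `False` result on a machine where Secure Boot is enabled matches the situation in the quoted Phoronix test, where the Ubuntu image failed to start until the certificate was enabled in the BIOS.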