Comment by kbolino

Comment by kbolino 8 days ago

You can enroll your own certificates as long as you have unlocked firmware. However, in order for vendor ISOs to boot without modification, they need to be signed by some trusted root beyond your control.

AshamedCaptain 8 days ago

Not really? The entire use model could be "just show a prompt on first use", which MS is literally trying to kill, because oh it just so happens the status quo basically benefits them and nobody else.

  • kbolino 8 days ago

    I'm not sure what's being complained about here. Most PCs (still) come with Windows, so "first use" will have occurred before you obtained the computer. A motherboard bought separately usually comes unlocked so you can remove the Microsoft certificate if you don't want to trust it anymore. If you're saying that unlocked parts bought individually should not come with any certificates trusted out of the box, I don't necessarily disagree, but this would be a regression in security and convenience for the average user, so it's unlikely to be adopted.

    • AshamedCaptain 8 days ago

      Or just show a prompt the first time you try to boot something with a signature that is not recognized, like what a million slightly-less-consumer-hostile appliances out there do. This _adds_ convenience to the user, and it is hardly a regression in security.

      • kbolino 8 days ago

        If there is no pre-existing trusted root, the certificate presented is meaningless to laypeople. There's no way for the average person to know whether to press yes or no to it, as they're not about to check the SHA256 fingerprint against some obscure web page they have to access from another device. Nobody gets official media anymore; everything is burned, flashed, or second hand. Self-signed is no better than unsigned if you don't know how or don't bother to check.

        Just to be clear, I'm not saying you shouldn't be able to boot something you trust on a device you own, just that it's completely reasonable to have Microsoft's certificate preloaded.