Plot twist: There's still hackers in multiplayer even with all that crap plus rootkit they bundle with.

  • WhyJiffie@sh.itjust.works
    23 hours ago

    the tpm does not add any security whatsoever for windows 11, and secure boot is being used to lock your control out of your own system. secure boot enabled with machine owner keys wouldn’t be enough either for these games

    • pivot_root@lemmy.world
      18 hours ago

      > secure boot enabled with machine owner keys wouldn’t be enough either for these games

      They should be able to check which signing keys were used for every part of the boot process. Unless they want to be colossal assholes and check the MOK as well, they could still verify what they need without flagging Linux Secure Boot dual-booters as cheaters.

      • WhyJiffie@sh.itjust.works
        15 hours ago

        Microsoft provides SB shims for some linux distributions, so it wouldn’t mean locking out all linux players.

    • Romkslrqusz@lemmy.zip
      20 hours ago

      > secure boot is being used to lock your control out of your own system

      Care to elaborate?

      • WhyJiffie@sh.itjust.works
        15 hours ago

        these games only accept the secure boot setup where the root key is that of microsoft’s. that means that you either need windows with a pre-approved configuration in some regards (notable difference: any foss kernel drivers are nono because they won’t ever be signed) or a linux system for which microsoft gives a secureboot shim with whatever further restrictions.

        the consequences are more obvious if you look at android as an example. It’s not called secure boot there, but android verified boot, and the turning off of it is called “bootloader unlocking”. very few phones support installing your own signing keys so you can’t take advantage of it with a bloatless android distribution. but even on phones that do, there are many apps that require a locked bootloader with the factory keys, including banking apps, nfc payment apps, government apps (including those that are required to access the online government account), entertainment apps with strict DRM, …

        • pivot_root@lemmy.world
          15 hours ago

          > these games only accept the secure boot setup where the root key is that of microsoft’s.

          I have a PC where I could actually test this. Custom MOK but with all the MS signatures in the database. I can boot into Windows through the BIOS using only the MS-signed bootloader instead of GRUB or any chain loader, and Windows itself considers Secure Boot to be enabled successfully.

          Do you know if it would immediately reject the game from launching, or would I be flagged and banned later as some kind of ban wave?

          The latter is something I would prefer to avoid.

          • WhyJiffie@sh.itjust.works
            14 hours ago

            > I can boot into Windows through the BIOS using only the MS-signed bootloader instead of GRUB or any chain loader, and Windows itself considers Secure Boot to be enabled successfully.

            I assume that’s because your motherboard still has the microsoft keys installed besides the MOK keys, and it verified the bootloader with that. that’s why it accepts the ms signed bootloader. as I know not all motherboards allow removing it, and there are a few buggy ones that get hard bricked if you do that.

            • pivot_root@lemmy.world
              7 hours ago

              Yeah, they are. I used sbctl to enroll and manage my own keys, and I chose to include the MS ones to ensure dual booting still worked properly.

              Because of that hard-bricking motherboard problem, choosing to not include the MS keys is actually more effort due to it being gated behind a flag and a mountain of warnings.
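
Added example, not part of the thread or written by any of its participants: the last few comments turn on whether Microsoft's keys sit in the firmware's Secure Boot database alongside the owner's own, and this sketch parses the UEFI signature-list format to count entries by owner GUID. The sample blob and `OWN_OWNER` are constructed placeholders; on Linux the real `db` is typically read from `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {X509: "x509", SHA256: "sha256"}
# Owner GUID conventionally attached to Microsoft's entries. The owner field
# is informational only: firmware does not authenticate it.
MICROSOFT_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
HDR = 28  # type GUID (16) + list size, header size, signature size (3 x u32)

def parse_signature_lists(data):
    """Return (type, owner GUID, payload length) per entry of a db/KEK blob."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body = list_size - HDR - hdr_size
        if sig_size <= 16 or body < 0 or body % sig_size or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        for pos in range(off + HDR + hdr_size, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((SIG_TYPES.get(sig_type, str(sig_type)), owner, sig_size - 16))
        off += list_size
    return entries

def summarize(data):
    """Count entries by whether the owner GUID is the Microsoft one."""
    entries = parse_signature_lists(data)
    ms = sum(1 for _, owner, _ in entries if owner == MICROSOFT_OWNER)
    return {"total": len(entries), "microsoft": ms, "other": len(entries) - ms}

def read_efivar(path):
    """Read an efivarfs file, dropping its 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]

def _make_list(sig_type, owner, payload):
    # Build one EFI_SIGNATURE_LIST holding a single entry (sample data only).
    sig = owner.bytes_le + payload
    return sig_type.bytes_le + struct.pack("<III", HDR + len(sig), 0, len(sig)) + sig

# Constructed sample: placeholder payloads, not real certificates.
OWN_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # hypothetical
SAMPLE_DB = (_make_list(X509, MICROSOFT_OWNER, b"\x30" * 64)
             + _make_list(X509, OWN_OWNER, b"\x30" * 48))
```

On a real machine, `summarize(read_efivar(path))` gives the same counts for the enrolled `db`; reading the variable usually needs root.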