История изменений

Исправление Smacker, 22.08.24 00:45 (текущая версия) :

Здесь же на лоре читал куда более обоснованный текст, что обязан.

https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/uefi-requi...

Requirement 9: MANDATORY. Physically present user override must not be permitted for UEFI images that fail signature verification.

Нельзя давать пользователю вручную разрешать загрузку неподписанных образов — ЭТО ОБЯЗАТЕЛЬНО

Requirement 10: OPTIONAL. An OEM may implement the ability for a physically present user to turn off Secure Boot either with access to the PKpriv or with Physical Presence through the firmware setup. Access to the firmware setup may be protected by platform specific means (administrator password, smart card, static configuration, etc.)

Давать пользователю отключать secure boot — ЭТО ОПЦИОНАЛЬНО

Requirement 12: OPTIONAL. An OEM may implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: «Custom» and «Standard». Custom Mode allows for more flexibility as specified in the following.

Пользовательский режим в UEFI с гибкими настройками — ОПЦИОНАЛЬНО

Requirement 13: MANDATORY if requirement 12 is implemented. It shall be possible to re-enable a disabled Secure Boot in Custom Mode by setting an owner specific PK. The administration shall proceed as defined in section 27.5 of the UEFI specification v2.3.1: Firmware/OS Key Exchange. In Custom Mode, the device owner may set their choice of signatures in the signature databases.

А свои ключи добавлять — только в случае исполнения пункта 12, который не обязательный.

Исходная версия Smacker, 22.08.24 00:40: