
If these keys are leaked, they should be adopted by open source projects to disable secure boot.



But secure boot is a good thing! I want my machines to verify what they're loading at boot time!

I just want to specify the root of trust.


There's mokutil to add your own key.


No, a MOK is just adding an unprotected UEFI variable. It's not the same as adding your key, which can, say, disallow running payloads signed by the Microsoft key.


Is there any platform using Intel CPUs with Boot Guard where Secure Boot can't already be disabled?


On one of my systems disabling secure boot also disables other aspects of the BIOS. I forget what, maybe use of the Intel graphics on the chip? It was severe enough I spent an hour figuring out how to make secure boot work instead.


Which system?


Why would you want to disable secure boot? Personally I'd rather not have software able to modify my bootloader.


Software can still modify the bootloader. Secure Boot does not protect against that. It just will complain on the next boot .... unless the replacement bootloader has been signed with the MS signature, the BIOS manufacturer signature, the OEM signature, or a bazillion other signatures.

Even if you were to completely replace all of the signatures with your own, you are going to have to trust some of the MS/manufacturer ones (unless you replace all the manufacturer-signed firmware modules with your own).


>unless you replace all the manufacturer-signed firmware modules with your own

... of which there might not be any. E.g. none of my half-dozen SB-using systems (desktops and laptops) have anything in the ESP other than the bootloader and UKIs I put there, and boot with my own keys just fine.


I think this is not general enough. What would be needed is the Microsoft secure boot private key so we can just sign EFI binaries and have them work everywhere without mucking around in the bios setup.

Afaiu, this key is specific to certain generations of Intel CPUs.


I'm not sure that they can if the key is proprietary to Intel. I think this would open up those projects to litigation.


There seems to be a bit of a precedent with the AACS DVD encryption keys that got leaked (https://en.m.wikipedia.org/wiki/AACS_encryption_key_controve...): the suppression of that key seems to have failed, it was widely copied, and you can even find a copy of it on my link to Wikipedia.


> I'm not sure that they can if the key is proprietary to Intel. I think this would open up those projects to litigation

Depends on the legislation.

That's questionable in the US since the keys are 100% machine generated and thus not copyrightable.

In most of the EU, it's clear though, there are interoperability exceptions and those keys can be shared freely.


It's just a string of characters.


So are bomb threats and false advertising.

I don't think "it's just characters" is a one-simple-trick.


You make a mathematical formula that generates the key.


Good luck with that argument!

"Your honor, I wasn't copying that movie. You see, I applied a mathematical formula to the .zip file, and it just happened to produce the movie as output. Coincidence!"

(That's not to say the key is copyrightable, it's not. I think the relevant law would be the DMCA anti-circumvention provision.)


"I didn't distribute the movie, just a file that XOR'd every byte with 255!"

Technical people tend to see the law as a technical thing, where technical arguments will win. Courts are generally unamused, since every judge has years of experience with defendants who think that they've discovered one simple trick.


Software, movies, music is just a string of bits.

Using something leaked always carries some inherent risk.


The difference is that software and music are made by authors unlike keys, that's what makes them copyrightable



