> Yes, because the same way you have to enable booting from a USB stick.
NO. It's not the same way. On most if not all devices I can boot from a USB stick literally from the Windows settings panel itself (search for Advanced Startup)! No need to even see what the system firmware looks like. Even on hardware as "locked down" as x86 MS tablets, I can hold the Volume Down key during boot to boot from a USB stick. Again, enabled by default, and no need to even look at the system firmware!
From that point on, _if the UEFI CA signature is installed_, the distro's setup experience takes over, which is already under the control of the distro itself.
> Making a fresh install of Windows is equal in complexity, but it is preinstalled more often certainly.
"Equal in complexity" to what? Most distros and even Windows installs can be done with your eyes closed and hitting the enter key repeatedly, especially if you are just overwriting whatever was on the computer before. Installing an OS is typically designed to be as easy as possible. We've had decades of improvements here, both for Windows and non-Windows.
Changing settings and disabling secure boot on the system firmware is NOT designed to be as easy as possible. In fact, many times it is explicitly designed to be as scary as possible, precisely for security reasons! (with the intentional addition of Scary Boot Prompts). But worst of all, this part of the experience is NOT controlled by the OS vendor! That by itself is already sufficient to have a completely unfair situation. No matter how much effort you spend on making your OS install flow as smooth as possible, your user still has to fight the system firmware... but only if you're a non-MS OS!
> That's not a case with Secure Boot alone, it's a case with Device Guard. Device Guard you can disable. It's a toggle like all the rest, no promises broken.
The promise is that there would not need to be a toggle to switch. That's what's been broken!
So what do you want exactly? For hardware to ship with signatures for every known variant of Linux, BSD, QNX, RedoxOS, Solaris, and OS/2 Warp? I'm honestly asking: what is the alternative you're proposing?
If you're just saying "it's not easy enough", well, that's a matter of opinion.
What I am describing above is just the current method. The one which is currently implemented in most x86 UEFI hardware save for apparently this one Lenovo laptop and some other "miscarriaged" hardware.
You do not even need to imagine "what I am proposing" because I am not proposing anything whatsoever: the MS UEFI CA signs non-MS operating systems.
> Yes, because what you've said is not correct.
And it is not correct because...?