Kikapcsolni sajnos nem tudod az uj firmware-t, ha nem tetszik:
The Compatibility Support Module (CSM) is a component of the UEFI firmware that provides legacy BIOS compatibility byemulating a BIOS environment, allowing legacy operating systems and some option ROMs that do not support UEFI to still be used.[43]
http://www.intel.com/content/dam/doc/reference-guide/efi-compatibility-…
x86 platformon a kovetelmeny ennyi a secure boot kikapcsolasara, vagyis a custom mode opciora:
a) It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK.
b) If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system will be operating in Setup Mode with Secure Boot turned off.
b) The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults.
Azt, hogy ezeket hogy kell es lehet elerni, az viszont nincs specifikalva. Lehet akar egyedi billentyuzetkombinacio kizarolag megfeleloen idozitve.
ARM rendszereken nem lehet kikapcsolni a secure boot-ot (w8 ready kovetelmeny):
"MANDATORY: Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv.
Disabling Secure MUST NOT be possible on ARM systems."
Forras:
http://download.microsoft.com/download/A/D/F/ADF5BEDE-C0FB-4CC0-A3E1-B3…
"As you can see from the above, the holder of the platform key is essentially the owner of the platform. However, simply knowing the platform key (the private part) isn’t enough because in order to change the platform you have to be able to execute binaries and the platform will only execute binaries signed by a key either in KEK or db. If you take control of your platform by installing a platform key, you need to ensure that this key (or another you control) is also added to either KEK or db so you can sign binaries with it and have them execute."
http://blog.hansenpartnership.com/the-meaning-of-all-the-uefi-keys/
Ha valamire lehetoseget teremtenek, ott maga a lehetoseg a terv (ide jon a szokasos mantra: nem kell felni, csak kulonleges esetekben hasznaljuk majd). Es ha lehetoseg van visszaelesre, azzal kovetkezetesen, mindig vissza is fognak elni.
Milyen kovetkezmenyekkel is jar, ha visszavonjak a kulcsot? Egy joghatassal jaro ugymenetben ez miert is lenne elfogadhato?