• 1 Post
  • 6 Comments
Joined 2 years ago
cake
Cake day: June 12th, 2023

help-circle
  • The simplified way of how Secure Boot works is you have a bunch of public keys stored in the UEFI, and you can sign .efi executables with the private key. If the signature of an executable is invalid or the file has been tampered with, UEFI refuses to run it.

    Now, every computer sold nowadays comes with Microsoft’s keys pre-installed, one for Windows and one for stuff that Microsoft deems worthy of signing.

    One of those things is shim, it’s signed with one of Microsoft keys and it looks for the MOK database to see what it can boot or not.

    But you don’t have to use Microsoft keys, you can make your own, put it in your UEFI and sign your stuff. That’s why UKI is useful, it’s a single EFI file you can sign. You can even sign your bootloader, like systemd-boot. The Secure Boot Arch Linux Wiki link contains information of how to do it easily with sbctl.

    TPM is completely independent of Secure Boot, it can be used with or without it.






  • A compositor is a program responsible for displaying program windows and things like the desktop on your PC. On Linux, the compositor is just a program that starts when the system starts. There are multiple desktop environments available, like Plasma or Gnome, each comes with their own compositor, you can choose which you want to use.

    Wayland is a protocol that the programs use to communicate with the compositor. Everyone decided to use Wayland, because if each compositor had their own protocol it would be silly, eg some programs would work only on Plasma or Gnome.

    It’s a replacement for a much older X11, which could no longer keep up with requirements of modern apps.

    You never hear anything about compositors on Windows or Mac because there’s only one available, you can’t choose.