It must notify users during the installation. Rocky just lost 1000 users (just 0.1% of users issue adverse effects, so it was me). It is a huge mistake programmers usually make.
No, Rocky just lost one user. Most people who attempt Linux are willing to learn and such comments are just from a typical Windows user. I had a distro installed that worked with secureboot but failed to boot when nvidia drivers were later installed. So I just disabled secureboot and all worked fine. This was Linux Mint though.
If you are unwilling to learn or even go into a bios setting to disable secureboot which would have gotten you booted into Rocky within seconds, then just go back to Windows. Good luck with Fedora. Maybe you will complain on their forum when something breaks and doesn’t tell you why it doesn’t work.
No system is going to inform you that it won’t work without secureboot being enabled or disabled first. Not even Fedora, not even Windows.
I don’t know what your problem is, but there are millions of people that are really happy that Gregory Kurtzer and his small team have built Rocky Linux. We don’t care about TPM support and it will come eventually. He and his developers are doing this out of their pockets for now. They have worked really hard to make it a reality after RedHat dumped CentOS on us, and they have done an amazing job. So please go away and write your little articles.
I’m confused: how could the installer of RL boot when Secure Boot is enabled? Doesn’t that require that the bootloader and kernel on install media are appropriately signed?
(Then again, installer of CentOS Linux adds key of CentOS into UEFI, yet it too can boot before that has happened??)
There’s no way to send a message from the boot loader when Secure Boot is installed if it isn’t yet signed by Microsoft. The request is impossible.
The situation is unfortunate. Denis doesn’t know how to configure advanced settings on his computer - a state all of us were in at one time - maybe he can learn from here? Microsoft hasn’t yet signed the secure boot shim - something that there’s not much to be done about yet - they do it when they do it. In a sense Denis is right - RockyLinux isn’t yet ready for people like him and won’t be till Microsoft signs.
In future, the shim will be signed, Rocky will work on PCs with Secure Boot and hopefully Denis will learn about it and, having learned from the Fedora community, come back and make valuable contributions to this community too. Everyone will be happy and unicorns and stuff. In the meantime, let’s all be very slightly, but not too much, sad and maybe remind Microsoft we’d like them to sign the shim.
It’s slightly worrying that Microsoft are in control of this. What if they refuse to sign it, or could they revoke the keys at a later date and prevent thousands of servers from rebooting?
My thoughts exactly @gerry666uk I wasn’t aware that Microsoft are the only ones signing it, should have been a third party. Especially considering how Microsoft was once very anti-Linux.
This is an inevitable consequence of people buying machines that are primarily licensed for Windows. Despite my official support advice it’s worth recognising that Microsoft and the world around it have changed. They now provide more Linux cloud servers than Windows.
Never heard about that… when did Microsoft get that power? And, more importantly, how did it happen/was it allowed?
What I mean is I have an Intel NUC running VMware, I create a virtual machine and try to install Rocky Linux, it fails until I disable Secure Boot in the virtual machine BIOS.
Where does Microsoft come into any of that process such that they have such overriding power?
I mean I believe what you’re saying, I just think it is terrible that Microsoft has such power if what you say is correct.
Microsoft own the private key that signs the bootable object, and the public key is built into the firmware. Why Microsoft? Because, originally, they forced manufacturers to support it before they could get the “Windows ready” stamp of approval and be able to use Microsoft marketing dollars.
If you look at the Rocky Linux 8.5 release notes you will be glad to find out that secure boot is now supported since the Rocky Linux shim has now been signed by Microsoft. @denisp your problem should now be solved, would you be willing to try again and see if it now works please?
@FromOZ Microsoft primarily gets that power because the manufacturers of hardware choose to give it to them. Whichever keys get included in the BIOS of a motherboard are the ones that then work and currently that’s only Microsoft’s key on most things people buy. This remains a problem for systems like FreeBSD. At the heart of this, though, is the choice people make to buy Microsoft Windows hardware when they want to run Linux.
I think it’s fair to say, though, that Microsoft is actually providing pretty good service here. The whole aim is to prevent crackers from breaking things, so they can’t just instantly hand out keys to anyone. That we’ve already got everything working despite being such a new distribution is pretty reasonable.
Much more worrying is new hardware which comes with closed device drivers and/or binary blobs. At any point there might be a critical security vulnerability which those companies aren’t willing to fix. A case in point being today’s BIOS vulnerabilities which nobody will know how to fix if their motherboard is no longer being supported.
Key lesson: If you buy new hardware, buy only hardware which has explicit Linux support and open source drivers. The list above will be a good start.
Fedora and Windows work well, so they don’t have to. Whatever goes wrong with the system, lack of information leads to a switch to a different working system. And nobody is willing to read hundreds of pages of technical stuff which programmers decided the user needs to be aware of.
Can we just notify users during the install about the Secure Boot issue? How on earth does everybody know what the problem is?
P.S. Sorry guys, but I truly believe Rocky could be better.
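A way to check the firmware's Secure Boot state from a running Linux system (for example live media) before attempting an install, added here as an example and not part of any post in this thread. It reads the standard `SecureBoot` and `SetupMode` UEFI variables through efivarfs; the function names are hypothetical, and `write_efi_var` only builds constructed sample variables for trying the logic offline.

```shell
#!/bin/sh
# GUID of the EFI global variable namespace (defined by the UEFI specification).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivarfs stores a 4-byte attribute word before the variable's data,
# so the single data byte of SecureBoot/SetupMode sits at offset 4.
efi_byte() {
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# secure_boot_state [EFIVARS_DIR]
# Prints: no-efivars | unknown | setup-mode | enabled | disabled
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    # No efivars directory: legacy BIOS/CSM boot, or efivarfs not mounted.
    [ -d "$dir" ] || { echo no-efivars; return; }
    sb=$(efi_byte "$dir/SecureBoot-$EFI_GLOBAL")
    setup=$(efi_byte "$dir/SetupMode-$EFI_GLOBAL")
    if [ -z "$sb" ]; then
        echo unknown            # variable missing or unreadable
    elif [ "$setup" = 1 ]; then
        echo setup-mode         # no platform key enrolled, nothing is enforced
    elif [ "$sb" = 1 ]; then
        echo enabled            # only binaries trusted by firmware keys will boot
    else
        echo disabled
    fi
}

# Helper for constructed sample data only: write a variable file laid out
# like efivarfs (attributes 0x00000006, then one data byte, 0 or 1).
write_efi_var() {
    { printf '\006\000\000\000'; printf "\\00$2"; } > "$1"
}

# Report the state of the machine this runs on.
echo "Secure Boot state: $(secure_boot_state)"
```

If this prints `enabled`, install media whose shim is not signed by a key the firmware trusts will be refused before any installer code can run.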