You can load your own Secure Boot keys and sign your bootloader yourself; as for why the Microsoft ones are preloaded, probably because they're the only entity that interacts with all of these OEMs and had enough leverage over them to force Secure Boot adoption in the first place.
It should be just "hey, do you trust this install media?" -> "yes" -> boot key is automatically added at this step. Instead the whole ecosystem is at Microsoft's whim.
Thanks to the incredible combination of Lenovo and Nvidia, I cannot remove the Microsoft keys from my laptop. Not because Microsoft backdoored my computer, but because the Nvidia boot ROM is signed by an MS cert and that runs before you can access the UEFI setup.
I hope the firmware either doesn't check the expiry date or that the firmware itself has been upgraded, or several years' worth of Thinkpads are about to stop booting in the near future.
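Both the "which keys are enrolled" question from the first comment and the "when do they expire" worry from the last one can be answered by reading the Secure Boot variables directly. The script below is an added example, not code posted by any of the commenters: it walks the EFI_SIGNATURE_LIST structures that make up PK/KEK/db/dbx, pulls the notBefore/notAfter window out of each X.509 entry with a minimal DER walk, and flags entries that have lapsed relative to a given date. The efivarfs path and the 4-byte attribute prefix it strips are the standard Linux layout; the sample certificate, owner GUID, dates and SHA-256 hashes are constructed in `build_sample_db()` so the code runs offline, and they are not the real Microsoft entries. It does not verify any signature; it only reports what is enrolled.

```python
"""Enumerate the EFI_SIGNATURE_LISTs in a Secure Boot variable (PK, KEK, db,
dbx) and report each enrolled X.509 certificate's validity window.

EFI_SIGNATURE_LIST (UEFI spec):
    EFI_GUID SignatureType;        16 bytes, e.g. EFI_CERT_X509_GUID
    UINT32   SignatureListSize;    whole list including this header
    UINT32   SignatureHeaderSize;  normally 0
    UINT32   SignatureSize;        size of each EFI_SIGNATURE_DATA below
    UINT8    SignatureHeader[SignatureHeaderSize];
    EFI_SIGNATURE_DATA Signatures[];   each = 16-byte owner GUID + payload
"""
import struct
import uuid
from datetime import datetime, timezone

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Linux efivarfs exposes each variable with a 4-byte attribute word in front of the data.
DB_EFIVAR = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def _der_tlv(buf, pos):
    """Decode one DER tag/length/value starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der_children(body):
    pos = 0
    while pos < len(body):
        tag, value, pos = _der_tlv(body, pos)
        yield tag, value


def _der_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:  # UTCTime has a two-digit year: 50..99 -> 19xx, 00..49 -> 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def x509_validity(cert_der):
    """Return (not_before, not_after) of a DER certificate; no signature check."""
    _, cert, _ = _der_tlv(cert_der, 0)
    tbs = next(_der_children(cert))[1]
    fields = [(t, v) for t, v in _der_children(tbs) if t != 0xA0]  # skip [0] version
    validity = fields[3][1]  # order: serial, sigAlg, issuer, validity, subject, spki
    (t1, v1), (t2, v2) = list(_der_children(validity))[:2]
    return _der_time(t1, v1), _der_time(t2, v2)


def parse_signature_lists(blob):
    """Return one dict per EFI_SIGNATURE_DATA entry across all lists in blob."""
    entries, pos = [], 0
    while pos < len(blob):
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        if list_size < 28 + hdr_size or sig_size <= 16 or pos + list_size > len(blob):
            raise ValueError("corrupt EFI_SIGNATURE_LIST at offset %d" % pos)
        for off in range(pos + 28 + hdr_size, pos + list_size, sig_size):
            entry = {"type": sig_type,
                     "owner": uuid.UUID(bytes_le=blob[off:off + 16]),
                     "data": blob[off + 16:off + sig_size]}
            if sig_type == EFI_CERT_X509_GUID:
                entry["not_before"], entry["not_after"] = x509_validity(entry["data"])
            entries.append(entry)
        pos += list_size
    return entries


def expired_certs(entries, now):
    """Owner GUIDs of X.509 entries whose notAfter is already behind `now`."""
    return [e["owner"] for e in entries
            if e["type"] == EFI_CERT_X509_GUID and e["not_after"] < now]


def read_efivar(path=DB_EFIVAR):
    with open(path, "rb") as f:
        return f.read()[4:]  # drop the UINT32 attributes efivarfs prepends


# ---- constructed sample data: not a real certificate, owner or firmware dump ----
def _der(tag, body):
    n = len(body)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x82]) + n.to_bytes(2, "big")
    return hdr + body


def _fake_cert(not_before, not_after):
    """Structurally valid X.509 skeleton: enough for the validity walk, nothing more."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, b"Test"))))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    validity = _der(0x30, _der(0x17, not_before) + _der(0x17, not_after))
    spki = _der(0x30, alg + _der(0x03, b"\x00\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))


def _siglist(sig_type, owner, payloads):
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


def build_sample_db():
    owner = uuid.UUID("5d5c1a57-1c2e-4a3f-9b70-0e1a2b3c4d5e")  # constructed owner GUID
    cert = _fake_cert(b"110627210000Z", b"260627210000Z")     # constructed dates
    hashes = [bytes([i]) * 32 for i in (0xAA, 0xBB)]           # constructed dbx-style hashes
    return (_siglist(EFI_CERT_X509_GUID, owner, [cert])
            + _siglist(EFI_CERT_SHA256_GUID, owner, hashes))


if __name__ == "__main__":
    # Swap build_sample_db() for read_efivar() to inspect the machine you are on.
    entries = parse_signature_lists(build_sample_db())
    for e in entries:
        kind = "x509" if e["type"] == EFI_CERT_X509_GUID else "sha256"
        window = "%s .. %s" % (e.get("not_before"), e.get("not_after")) if kind == "x509" else ""
        print(kind, e["owner"], len(e["data"]), "bytes", window)
    print("expired now:", expired_certs(entries, datetime.now(timezone.utc)))
```

Run it as root against `read_efivar()` to list what your own db actually contains. Whether a given firmware enforces notAfter at boot is a separate question this script cannot answer; it only tells you which enrolled certificates have passed their window.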