They rigged it so that the EFI BIOS can only have one root certificate so only one organization has to sign all the keys. So you can only securely dual boot Windows and Linux if Microsoft signed both of the bootloaders.
So if you don't want to be under MS's thumb you can never use Windows and you're going to have to build your own Linux because the major distros are signed by Microsoft.
Basically TPM should be making your system more secure, but in reality it's taking away control over your own computer.
OEMs sometimes have the ability to change the root certificate. I know this because at work we were looking into having a signed OS for a regulated/certified product, and we wanted it to be our root certificate instead of Microsoft's.
Though it's not true of all motherboards/BIOSes that you can change the root cert. And in general I would say that the proprietary nature of BIOSes today is becoming as big an issue as the proprietary nature of operating systems 30 years ago, and we probably need to start exerting more pressure on hardware vendors to support coreboot or TianoCore or whatever other open source BIOS is popular.
The keys still must be signed by Microsoft.