Enterprises are in a position to modify firmware configuration during initial provisioning to set whatever secure boot policy they want. There's no need for the machines to ship with restrictive defaults.
No company with centrally managed machines is going to allow the purchase of a laptop that allows a user to boot into a Linux live USB and work on the Windows registry as data.
That's odd, because every ThinkPad sold from 2012 until now has trusted the third-party certificate by default and I'm pretty sure Lenovo have been selling them to businesses with centrally managed machines during that time.
Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
Date: 2022-07-12 10:12 pm (UTC)