I can boot into Windows through the BIOS using only the MS-signed bootloader instead of GRUB or any chain loader, and Windows itself considers Secure Boot to be enabled successfully.
I assume that’s because your motherboard still has the Microsoft keys installed besides the MOK keys, and it verified the bootloader with that. That’s why it accepts the MS-signed bootloader. As far as I know, not all motherboards allow removing it, and there are a few buggy ones that get hard-bricked if you do that.
Yeah, they are. I used sbctl to enroll and manage my own keys, and I chose to include the MS ones to ensure dual booting still worked properly.
Because of that hard-bricking motherboard problem, choosing to not include the MS keys is actually more effort due to it being gated behind a flag and a mountain of warnings.