OEM lock for desktop


I’m not super tech savvy but I do use graphene OS and I erased Windows on my LG Gram as soon as I got it and installed pop OS.

Somewhere on the graphene forum people talked about how important it is to do the equivalent of OEM lock for desktop. (I can’t find that post anymore.) So how do I do that?


Are you talking about secure boot? You might be able to find info about how to enable this on this arch wiki page: Unified Extensible Firmware Interface/Secure Boot - ArchWiki or searching for info online for popos specifically would be useful.

If you’re talking about using tpm with secure boot maybe check out this page: Configuring Secure Boot + TPM 2 Tevora

1 Like

Thank you so much for the info! But sadly I have no clue which one I need (let alone what the are… Lol).

I just want my laptop to be secure, that’s all :woman_shrugging::woman_shrugging:

I believe they were probably referring to Secure Boot or some combination of secure boot and other features like a bios password and possibly something TPM related, but i’m not 100% sure about that.

Unfortunately I don’t believe your current distro (Pop!_OS) supports secure boot yet. They are one of the last mainstream distros to support it, most major distros have supported secure boot for some time (including the distro Pop!_OS is built from, Ubuntu). I believe that Pop! has announced plans to support Secure Boot sometime in the future, but I’m sure this will be a lower priority until after the release of Cosmic. edit: I believe there are instructions and tutorials online if you would like to enable secure boot manually yourself with Pop!_OS. The Arch Wiki also has good info.


Thank you! I will search for secure boot online.

BTW, what’s cosmic and why is it so important.

Cosmic is the Desktop Environment that System76 / Pop_OS is developing, it is not released yet. It is their main development focus right now I think. After it is complete Wayland support will come and hopefully somewhere down the line Secure Boot as well, at that point its security will come close to matching Ubuntu’s and probably have a few advantages of its own.

1 Like

That second link is quite old.

There’s a systemd component called systemd-cryptenroll that can do this mentioned here: Guide to using LUKS with TPM? - #3 by dngray

There isn’t a lot of benefit, and I’d honestly wait until systemd-measure and ukify are mainstream in your distribution.

We have some discussion about Wayland mentioned here. COSMIC will support Wayland whereas their current setup doesn’t use this by default.


what about not using LUKS with TPM, but simply using TPM in order to perform secure boot?

There isn’t really a whole lot of point in doing that is there.

TPM is designed to protect against AEM (Evil Maid), if they can just read all the other files on your disk and modify whatever isn’t signed it’s not really all that helpful.