Obsidian is really good. Very feature-rich and customizable.

I personally prefer Joplin for a couple of reasons. It’s fully open source and while it has less features and customizability, I also feel it keeps out of my way more to allow me to focus purely on taking notes and not messing around with other features. Obsidian encourages me to play with its extra features more, which for my case usually just reduces the productivity of my note-taking.

Probably just a me-thing. I tend to gravitate to more straightforward and minimalist solutions generally.

Microsoft doesn’t own the standard. It’s actually an open standard maintained and contributed to by a whole host of technology companies. This is contrary to the old BIOS method which was originally proprietary to IBM.

The fact they have such wide authority in signing is a product of how wide-reaching their market share it. They essentially mandate that OEMs include their signing keys in the signature database if their systems are to ship with Windows, thus making them a de facto authority on what gets signed. This was a point that made a lot of people in the FOSS community uncomfortable and still does to this day, although if one wants they can actually take full control of the Secure Boot process by replacing the Platform Key (PK) with their own. This gives ultimate control to the owner of the machine as they can then replace the Key Exchange Keys to allow them to replace Microsoft’s keys within the signature database (db). This completely removes reliance on any third party signatures and enables ditching the first-stage Shim bootloader from the boot flow entirely, since the owner could just sign whichever bootloader they wanted to use directly with their own key in the database. As it would require manually signing everything from the bootloader to the kernel and its modules though, including re-signing them after updates, this is definitely a much more involved way of doing things although arguably even more secure as the system would be entirely locked down to only binaries signed by its owner at that point.

As to why they don’t sign GRUB, it’s about licensing. Since GRUB is GPLv3, there are provisions in the license that Microsoft interprets as potentially mandating them to disclose their private key to facilitate users installing modified versions of it. Ubuntu came to the same conclusion when contemplating how to deal with Secure Boot back in the day, where they wanted to provide an alternative to the Microsoft keys by having Canonical’s keys also shipped with firmware, although proliferation of their keys is a lot less widespread and in some peoples’ eyes not all that much different than just using VeriSign’s service for the Microsoft keys anyway.

Booting the kernel directly via EFIStub from the firmware is certainly an interesting idea, although it sounds like a potential pain to manage updates. Will definitely take a look down that rabbit hole though. =)

Good question! There’s a few reasons, I guess:

• There’s a large element of “because I can” to this, just to explore how stupid the scope of systemd is as a suite.
• There’s a small practical element. GRUB itself is quite a hefty tool to accommodate all kinds of boot setups, and it works well. If you have a simple boot setup though you could probably shave a couple of seconds off of the boot time just by using the simplified sd-boot and loading the kernel via its EFIStub.
• A learning exercise in self-signing EFI binaries, enrolling a MOK (if I use Shim), and setting up scripts to handle updates.

All boils down to my enjoyment of doing weird nerdy things though, ultimately. =)

Turned out, this model was hard coded to only allow a boot entry named “Windows Boot Manager” to be loaded by default.

Holy moly that’s absolutely shocking. Yeah I didn’t quite realize how scuffed various UEFI implementations were until I encountered this issue and started looking around. Wild.

Debian. I always come back to Debian.

It’s just a rock solid, multipurpose distro that has everything. If you have an issue with some older software versions, you can just track testing or sid and treat it as rolling release or use flatpaks for GUI apps.

To me, Debian is almost perfect.