Slashdot Mirror


OEMs Allowed To Lock Secure Boot In Windows 10 Computers

jones_supa writes: Hardware that sports the "Designed for Windows 8" logo requires machines to support UEFI Secure Boot. When the feature is enabled, the core software components used to boot the machine are verified for correct cryptographic signatures, or the system refuses to boot. This is a desirable security feature, because it protects from malware sneaking into the boot process. However, it has an issue for alternative operating systems, because it's likely they won't have a signature that Secure Boot will authorize. No worries, because Microsoft also mandated that every system must have a UEFI configuration setting to turn the protection off, allowing booting other operating systems. This situation may now change. At its WinHEC hardware conference in Shenzhen, China, Microsoft said the setting to allow Secure Boot to be turned off will become optional when Windows 10 arrives. Hardware can be "Designed for Windows 10," and offer no way to opt out of the Secure Boot lock down. The choice to provide the setting (or not) will be up to the original equipment manufacturer.

362 comments

  1. I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 5, Insightful

    That's a descriptive word I know gsm phone manufacturers work hard to distance themselves from, even more where it's more true.

    It was nice of Microsoft to play along until the secure boot controversy was defused and then stop backing openness. I'm not sure RMS would be completely surprised.

    Seriously though, we have the choice, and the only thing that will maintain that freedom is that we express it with our dollars. Manufacturers are at OUR mercy, not the other way around.

    If you can't get to the boot menu when you play with it in the store, don't buy it. Amazon will let you return nearly anything. This is a freedom we can defend.

    1. Re: I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 0

      It is surprising that Linux ecosystems (Red Hat, Ubuntu, OS communities etc.) just sit still and let the PC monopoly just rule them out totally. Is there no forum where we could protect ourselves from this dictatorship?

    2. Re: I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 0

      I think one excellent advocate would be the EFF, and a nudging by all of us with our wallets in EFF's direction to support them.

  2. No longer required by Anonymous Coward · · Score: 1

    http://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO#shim

    It's signed w/ the Microsoft key.

    1. Re:No longer required by jcdr · · Score: 2

      What prevents Microsoft from changing the key in the future?

    2. Re: No longer required by Anonymous Coward · · Score: 0

      That it won't boot on hardware with the old key?

    3. Re:No longer required by Anonymous Coward · · Score: 0

      Ok, so, secure boot is optional. Whatever.

      When do I get my hands on a working Hololens???

    4. Re:No longer required by Anonymous Coward · · Score: 0

      Microsoft can revoke that specific key at any time, alas.

    5. Re:No longer required by sexconker · · Score: 1

      They can revoke it all they want, but they can't get devices to accept the revocation without an update mechanism. If an update mechanism is in place for any particular device, it can be used by the end user just as it can be by MS, once any obscurity is peeled away. Of course, any such update mechanism isn't going to function for shit if you've replaced Windows 10 with Linux unless you've got a full, independent stack baked into the EFI capable of going over the internets, fetching a revocation list, and updating itself without any user interaction.

    6. Re: No longer required by jcdr · · Score: 1

      Yes. Microsoft could release a special version of its OS for 'lock in' machines with a new key that only boots on the secure BIOS of these machines. This will make these machines unable to run any previous OS, including Linux. Or did I miss something?

    7. Re:No longer required by Anonymous Coward · · Score: 0

      Ok, so, secure boot is optional. Whatever.

      What if OEMs that use it get 5% (or whatever other amount) of discount on the Windows license fee, or some other advantage?

    8. Re: No longer required by bulled · · Score: 2

      They said that secure boot cannot be disabled, not that the keys are locked. A platform key is updatable as long as the new key is signed with the old without disabling secure boot. So you would still need Microsoft to sign your new PK.

      That said, this is a very appropriate time for everyone that predicted this is what MS had in mind when they first announced the Secure Boot standard to say "I told you so" to the MS apologists that denied it.

    9. Re:No longer required by Anonymous Coward · · Score: 0

      If they want to immediately see a class action lawsuit for anti-competitive behavior that is.

      Watching this one reach out and break production servers would result in $,$$$,$$$,$$$ damages really fast.

    10. Re: No longer required by jcdr · · Score: 3, Interesting

      If I understand you correctly, this confirms the possibility that Microsoft has the possibility to manage 2 classes of keys: the first key class is the current one where Microsoft is willing to sign binaries not from them; the second key class could be for 'lock in' machines which Microsoft keeps full control of.

      To be fair, I think that the 'lock in' key class is a logical step for Microsoft branded machines. But this could go very wrong if OEMs start to do the same by using the argument 'designed for Microsoft OS' because this will add 'and nothing else could run on it' to the argument. I suspect that the goal is to reserve top machine specifications for Microsoft and to only allow machines with degraded specifications to run other OSes. The market already has products with this kind of bias.

      And yes, you are right. This evil plan was drawn up decades ago with the deep knowledge that it will only work at the time when the security feature is so standard that no chip will be manufactured without it anymore.

      The fact that Windows 10 is announced to be virtually free for almost everyone having a previous copy of Windows somewhere is a clear sign that the times have changed. The OS has no value anymore. The amount of new software that only runs on a single OS will drastically shrink, exacerbating the OS value problem. So the 'lock in' machines with exclusive specifications will be the only market where Microsoft could make money from the OS.

      From my analysis, the Microsoft message is dual: 1) you don't need anything other than Windows 10 as it's virtually free for everyone; 2) you need Windows 10 to run top specification machines. The OEM market will almost certainly split the product range accordingly if no reaction prevents this.

    11. Re:No longer required by Anonymous Coward · · Score: 0

      Their word of honour.

    12. Re:No longer required by Anonymous Coward · · Score: 0

      Intel Boot Agent updates the cert store if it can reach an appropriate server on the network (well, or rather, one is signaled via dhcp), so you need to be very careful about what networks you attach to as well.

  3. Re:I dub all unswitchable hardware: disposable by Lunix+Nutcase · · Score: 0

    I'm pretty sure Stallman would not support your assertion that purchasing from Amazon is "freedom".

  4. Good by Anonymous Coward · · Score: 1

    Because malware is sneaking into my boot process all the time!

    1. Re:Good by Anonymous Coward · · Score: 0
    2. Re: Good by Anonymous Coward · · Score: 0

      It's a think-of-the-children argument. Yeah, there is BIOS malware; will this stop it? Probably not.

  5. Microsoft afraid of the YOTLD? by Jax+Omen · · Score: 3, Insightful

    Nah, couldn't be.

    I don't buy prebuilts but any manufacturer that locks secureboot will no longer be recommended to any of my non-tech-savvy friends.

    1. Re:Microsoft afraid of the YOTLD? by Lunix+Nutcase · · Score: 2, Informative

      Microsoft afraid of the YOTLD?

      Nah, couldn't be.

      Maybe in some alternate universe, but certainly not in this one.

      I don't buy prebuilts but any manufacturer that locks secureboot will no longer be recommended to any of my non-tech-savvy friends.

      So they'll lose what? 2 whole sales out of 10s of millions?

    2. Re:Microsoft afraid of the YOTLD? by Anonymous Coward · · Score: 1

      > I don't buy prebuilts but any manufacturer that locks secureboot will no longer be recommended to any of my non-tech-savvy friends.

      The question is how much money is MS going to give vendors to induce them to boot lock the computers they sell?
      Otherwise there is no reason for them to deliberately reduce the size of their customer pool, all downside no upside unless MS sweetens the pot.

    3. Re:Microsoft afraid of the YOTLD? by ganjadude · · Score: 1

      You mean you don't build your friends' machines??? pfft

      --
      have you seen my sig? there are many others like it but none that are the same

    4. Re:Microsoft afraid of the YOTLD? by Jax+Omen · · Score: 2

      Unfortunately most of my friends demand laptops.

      I build desktops for the few family members who see the value in them.

    5. Re:Microsoft afraid of the YOTLD? by Anonymous Coward · · Score: 2, Insightful

      That's not necessarily true. Never underestimate the technical ignorance of marketing and sales people and their ability to spin a limitation as a security feature.

    6. Re:Microsoft afraid of the YOTLD? by ckatko · · Score: 1

      Everyone else is forgetting that plenty of off-the-shelf components get used for Linux servers, desktops, and research systems all the time. If motherboard producers don't want the last of their sales to fly away to the mobile market, they're obviously not going to toss away alternative operating systems.

      In other words, Microsoft can say whatever the hell they like. Hardware manufacturers want money. They don't give two shits whether it comes from Windows or Potato-OS.

  6. Make a wiki by Anonymous Coward · · Score: 1

    And it will also lead to a drop in support for said hardware.

    I suggest that the community at large come together to create a wiki or website to list the dangers of such hardware in limiting your freedom to do what you wish.

    If it was a Microsoft device, I couldn't care less.
    But this is 3rd party hardware, I can and should be able to do whatever I please.

  7. Prebuilts by gyroheli · · Score: 1, Offtopic

    People still buy them? They just aren't worth the money they cost. Cheap out on the motherboard, they don't display that in the specs. If it has a dedicated GPU the price usually goes up a lot more than the value of the card. You pay for what you don't need, sometimes they stick some high end i7 CPU with the lowest x50 series Nvidia GPU. It all seems like a scam to me for those that lack knowledge of hardware.

    1. Re:Prebuilts by dfm3 · · Score: 1

      Yes, but if you want a laptop, I'm afraid your options in the assemble-your-own department are somewhat lacking...

    2. Re:Prebuilts by Anonymous Coward · · Score: 0

      those that lack knowledge of hardware

      So pretty much everyone, then.

    3. Re:Prebuilts by Anonymous Coward · · Score: 1

      Never bought a prebuilt, but many are quite happy to pay for the convenience, and not everyone has the same needs. Like, for example, they might need a high end processor, but not a high end GPU because they use their machine for statistical analysis, not games.

    4. Re:Prebuilts by Anonymous Coward · · Score: 0

      Search for "Laptop Barebone"

  8. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 1

    Exactly. In a slightly less antagonistic tone: don't buy equipment that does not meet your needs (Duh).

  9. I can't wait for the Linus Torvalds rant over this by Anonymous Coward · · Score: 5, Interesting

    Grabs popcorn.

    You can currently cryptographically sign a Linux kernel to secure boot. You can install them alongside, or overwrite the Windows signature (keep in mind, these keys are your new keys to the Windows OS. It's not truly keyless, so I would suggest adding them alongside.) but most I.T. guys aren't even smart enough to know how it's done. It's no easy task even for Linux people. I currently make 6 figures in a support job and it was difficult for me. I've attempted it only once and was successful, but it is so not user friendly even to smart tech people. I would go as far as to say that even less than 1% of people will ever do it. The other hassle is, if you ever update your kernel in Linux, which happens way more than in Windows, you have to re-sign against the new one and re-add the keys all over again alongside or overwrite.

    However, I still have the ability to do it, and that's what's important. Make no mistake. This is a literal and direct attack on Linux. OEMs will not care about the few people who use Linux and will omit this ability, essentially killing Linux off. This is Microsoft's attempt at the final nail in the coffin of Linux.

  10. Re:I dub all unswitchable hardware: disposable by TechCurmudgeon · · Score: 5, Insightful

    Unfortunately the vast majority of PC buyers are unaware and/or don't care and will buy that crap. They'll pay again when it comes time to have their computer serviced. I will only buy re-configurable and repairable hardware. I've built PCs before and I'll do it again. Not surprised to see that Microsoft's venture into openness was so fleeting.

  11. No boot? by Anonymous Coward · · Score: 3, Interesting

    "the core software components used to boot the machine are verified for correct cryptographic signatures, or the system refuses to boot"

    Does that mean that IF malware infects the bootloader, the OS will not boot, BRICKING IT? Seems like an easy way for grandmothers to lose their whole computer with a click of the mouse.

    1. Re:No boot? by sjames · · Score: 4, Funny

      You got it! We had to destroy the laptop in order to save it...

    2. Re:No boot? by diamondmagic · · Score: 2

      Presumably that's better than having silent spyware like a key logger, which can cause significant financial harm far in excess just buying a new laptop.

    3. Re:No boot? by IamTheRealMike · · Score: 1

      I guess you'd be able to boot from a recovery USB stick/CD/etc.

      Presumably the idea is malware will not be designed to infect such systems. After all being rendered unbootable is a sure way to get your victim PC taken into a repair shop, which then might submit the malware sample they find to AV vendors ...

    4. Re:No boot? by Dr_Barnowl · · Score: 3, Insightful

      True - the problem is not the security, the problem is who it's working for.

      If this comes to pass, you'll have to beg Microsoft's permission to run any software at all on hardware locked down like this.

      First, you had to switch off SecureBoot. This probably discouraged a bunch of users who may have tried Linux out. Who wants to turn off a feature that sounds all... secure.

      Now, you'll have to obtain and install special signed binaries. That will be a stumbling block for a few more.

      Then eventually, they'll stop signing binaries, and the only operating system that will be bootable will be Windows.

      And finally, they'll change the OS not to load anything that isn't signed with an MS key. Only MS approved and certified developers (with valid Visual Studio Cloud accounts!) will be able to produce software for Windows, and sell it through the Windows App Store only.

    5. Re:No boot? by SuricouRaven · · Score: 2

      Almost. If malware infects the bootloader, the OS will not boot - but that doesn't quite brick it. You can still boot off of removable media, providing the removable media contains a signed loader. This means that if you insert a Windows 8 or 10 installation CD/USBstick, or the manufacturer-supplied recovery disc (Well, the disc they make you burn to save five cents), you can boot off that and reinstall the OS. However, if you insert a linux* or Windows 7 disc, the firmware will not find a valid signature and thus will not boot.

      Short version: You can reinstall from scratch, but only with an approved OS.

      *There is a workaround using a shim, but MS could kill that on a whim at any time.

    6. Re:No boot? by SuricouRaven · · Score: 1

      If that were the reason, it would be easy to fix:
      1. Have firmware sha256sum the EFI loader. Does loader match stored key? If not, do not load it.
      2. Include an option in setup for 'I just installed a new OS, update stored key on next boot.'
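
A small model of the hash-pinning scheme proposed in the comment above, added here as an illustration; it is not part of any poster's comment and not real firmware code. The class and method names, the physical-presence check on the setup option, and enrolment on first boot are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class PinnedBootFirmware:
    """Toy stand-in for firmware NVRAM holding one pinned loader hash."""
    pinned_digest: Optional[bytes] = None   # SHA-256 of the trusted EFI loader
    reenroll_next_boot: bool = False        # one-shot flag set from the setup screen

    def setup_request_reenroll(self, physically_present: bool) -> bool:
        """'I just installed a new OS, update stored key on next boot.'

        Assumption: the flag may only be set from the setup screen with a
        user at the keyboard. If software running under the OS could set it,
        boot malware would simply re-pin itself and the check would be void.
        """
        if not physically_present:
            return False
        self.reenroll_next_boot = True
        return True

    def boot(self, loader: bytes) -> str:
        """Hash the loader and compare it with the stored pin."""
        digest = hashlib.sha256(loader).digest()
        # Assumption: an empty pin (factory state) enrols whatever is found.
        if self.reenroll_next_boot or self.pinned_digest is None:
            self.pinned_digest = digest
            self.reenroll_next_boot = False   # the flag is consumed exactly once
            return "enrolled"
        if hmac.compare_digest(digest, self.pinned_digest):
            return "booted"
        return "refused"


def run_demo() -> list:
    """Walk through the cases discussed in the thread with constructed loaders."""
    fw = PinnedBootFirmware()
    original = b"constructed loader image v1"
    tampered = b"constructed loader image v1 + implant"
    new_os = b"constructed loader image for another OS"

    results = []
    results.append(fw.boot(original))    # first boot pins the loader
    results.append(fw.boot(original))    # unchanged loader boots
    results.append(fw.boot(tampered))    # modified loader is refused
    # A request that does not come from the setup screen is rejected,
    # so an unpinned loader still cannot boot.
    results.append(fw.setup_request_reenroll(physically_present=False))
    results.append(fw.boot(new_os))
    # The owner installs another OS and ticks the option in setup.
    results.append(fw.setup_request_reenroll(physically_present=True))
    results.append(fw.boot(new_os))      # re-pinned to the new loader
    results.append(fw.boot(original))    # old loader no longer matches
    results.append(fw.boot(new_os))
    return results


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The model also shows the cost of pinning a hash rather than a signing key: every loader update changes the digest and needs a fresh trip through setup, and whatever sits on disk during the re-enrol boot becomes the trusted loader.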

    7. Re:No boot? by Dutch+Gun · · Score: 1

      If something has compromised your system at the boot sector level, your entire machine is now completely compromised as well. What other option is there? Give the user a warning that they'll just ignore and click through?

      One would assume these computers have some sort of "rescue disc" to boot from external media, recover data, and then reinstall the OS and core software.

      --
      Irony: Agile development has too much inertia to be abandoned now.

    8. Re:No boot? by Thraxy · · Score: 2

      Meh.. My PC is worth more than my bank account and I'm not allowed credit. I'll take the spyware over the brick xD

    9. Re:No boot? by Anonymous Coward · · Score: 0

      You got it! We had to destroy the laptop in order to save it...

      Sounds a bit extreme to me. But I suppose that is exactly the point. I could see popping up a "Secure boot has detected a potential security risk CONTINUE, SHUTDOWN or RUN ANTIVIRUS" type of thing, but to deliberately brick someone's machine sounds like the beginnings of a class action lawsuit. Especially considering how many times Windows Updates already bricks systems through crappy updates.

    10. Re:No boot? by Kjella · · Score: 2

      "the core software components used to boot the machine are verified for correct cryptographic signatures, or the system refuses to boot"

      Does that mean that IF malware infects the bootloader, the OS will not boot, BRICKING IT? Seems like an easy way for grandmothers to lose their whole computer with a click of the mouse.

      You make it sound like running a corrupt/compromised system is a good thing. The system isn't supposed to let you alter the system files, but it might happen anyway for example by an exploit or mounting the drive in another computer. If it's just random bit flips I think Windows keeps backup copies anyway. If all the copies fail verification, it'll tell you the system is corrupt and insert a repair disc/USB stick with good copies. It's broken, not bricked. And whatever broke it, you probably want to fix. It's basically the less nuclear version of a wipe and reimage, the BIOS makes sure the boot loader's not compromised, the boot loader makes sure the kernel's not compromised, the kernel makes sure the modules aren't compromised and so you build a trusted zone of what's going on. Of course if you signed malware, you're pretty much screwed.

      --
      Live today, because you never know what tomorrow brings

    11. Re:No boot? by sjames · · Score: 1

      That could allow someone to run non-Windows on it, so that's right out.

  12. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 3, Insightful

    However, RMS is smart enough that he would recognize that you have deliberately missed the point.

  13. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 1

    I think he would consider the right to purchase from Amazon a freedom, but agreed a poor choice.

    Amazon was an example of a non-brick and mortar solution. Newegg has a decent returns policy perhaps they would have been a better example.

  14. Simple Solution by SirBitBucket · · Score: 1

    Don't buy from any vendor that sells locked up shitware... Why anyone would buy a pre-built machine these days is beyond me. The service is terrible from every vendor, even for corporate contracts. They install tons of crapware, and they pick the cheapest parts possible (you ever look at the PSU in a Dell or HP, etc.? It is the smallest one that could possibly do the job, made by the lowest bidder) to then charge you MORE for it. No thanks.

    1. Re:Simple Solution by Narcocide · · Score: 0

      So, the 100,000 or so of us who use Linux will simply stop buying new hardware and the industry will not even notice we're gone.

    2. Re:Simple Solution by Narcocide · · Score: 1

      It is naive to assume that companies selling motherboards will behave any differently from the ones selling pre-built machines when it comes down to being able to advertise their products as "windows 10 ready"

    3. Re:Simple Solution by Anonymous Coward · · Score: 0

      Don't buy from any vendor that sells locked up shitware.

      Yeah, that'll work out, I'm sure. You and your three buddies go right on ahead and do that.

      I mean, depending on people to act in their own interests has worked out so very well in the past.

    4. Re:Simple Solution by SirBitBucket · · Score: 1

      I thought TFA said that Windows 10 ready did not require this lockdown, simply allowed it.

    5. Re:Simple Solution by Narcocide · · Score: 1

      You're missing the point; you are assuming that the vendors won't all bend over backwards to make Microsoft happy, even if it means scourging the tiny percentage of the market that wants to use other operating systems on their hardware.

    6. Re:Simple Solution by dissy · · Score: 1

      Replacing the Microsoft SecureBoot key with my own PKI key is perhaps #3 on the list of things I do when configuring a new computer before ever installing a hard drive or OS - following enabling vPro AMT and then the BMC manager if present.

      If I am unable to replace the master SecureBoot key with my own, that machine is getting packed up and sent right back to the OEM as defective.

      I only buy OEM systems for work and build systems for home use. But the HP account for work sees a couple hundred computers a year, which isn't all that many when speaking "volume purchasing", but will instantly become zero if they choose to lock me out at the BIOS level.

      It's already annoying enough that they ship hard drives completely unsuitable for use and requiring formatting (we aren't large enough for custom disk images or custom SLIC BIOS entries yet) - but at least this is only an annoyance and not outright sending defective equipment, which is the only possible definition for locking you out of the system at the firmware level and not allowing any OS to boot.
      (By "any" I don't mean less than one, I mean literally any OS)

    7. Re:Simple Solution by Anonymous Coward · · Score: 0

      I don't know how to rate you.. Hmmm, your number of 100,000 is a little shy of Ubuntu's announcement of 22,000,000 users. That's just one distro!

      On top of that 1.5% of the total desktop market is tens of millions of systems and may be pushing 100,000,000 users.

      I think you, like many others, look at small percentages of market share and assume it is small numbers of people.

      Now, the shit will hit the fan if they try it on the servers. Linux has far more server market share.

    8. Re:Simple Solution by SuricouRaven · · Score: 1

      Because for those who want laptops, build-your-own is not an option.

    9. Re:Simple Solution by SuricouRaven · · Score: 1

      Allowed it, for now. But that means it would be easy for MS to apply pressure and turn 'allowed' into 'strongly encouraged.'

    10. Re:Simple Solution by gtall · · Score: 1

      "Why anyone would buy a pre-built machines these days is beyond me." So, we can count you in the 1% who find a problem with this. MS knows they can get away with it. The only thing that will screw MS is for computing to move on from the PC. But business is still in MS's pocket, wants PCs, and wants someone to return the box to or get service on, so the HPs, Dells, etc. of the world will continue to support MS, they lost their souls long ago.

    11. Re:Simple Solution by Anonymous Coward · · Score: 0

      SO your source for parts to build a laptop are? where?

      Please oh holy one, tell us.

      Wait, you are just a dumb fuck that has zero clue..... got it. Laptops sell 2 to 1 over desktops. What loser buys a desktop anymore?

    12. Re:Simple Solution by tepples · · Score: 1

      Because for those who want laptops, build-your-own is not an option.

      Lumpy disagrees with your claim.

    13. Re:Simple Solution by Anonymous Coward · · Score: 0

      I thought TFA said that Windows 10 ready did not require this lockdown, simply allowed it.

      Allowing what was previously forbidden is but a stop on the journey to demanding.

  15. Slippery slope by amorsen · · Score: 5, Insightful

    First they invented SecureBoot, but that was OK, because you could turn it off.

    Then they prevented disabling it, but that was OK, because several non-Windows bootloaders are signed.

    Next up will be refusing to sign the boot loaders which simply disable SecureBoot and load Linux/*BSD. That will be OK, because Ubuntu is properly signed including the kernel (I think).

    After that it will only be certain commercial vendors who can get a certificate, but that will be OK, because Red Hat Enterprise Linux 8 will run, only allowing signed kernel modules.

    Yes I hate slippery slope arguments too.

    --
    Finally! A year of moderation! Ready for 2019?

    1. Re:Slippery slope by phorm · · Score: 1

      A Toyota isn't intended to be as general-purpose as a PC (and it still might be possible to fit one with a Subaru engine). A Toyota is a vehicle, which is manufactured BY Toyota. A PC may be manufactured by pretty-much-f***ing-anyone, and shouldn't be restricted to a given operating system.

    2. Re:Slippery slope by Anonymous Coward · · Score: 0

      My Toyota doesn't run with a Subaru engine or MCU. So BFD, if you buy a Windows 10 only PC, don't be mad you can't put a Linux engine in it.

      Stupidest comment of the entire thread.

    3. Re:Slippery slope by DRJlaw · · Score: 1

      First they invented SecureBoot, but that was OK, because you could turn it off.

      Then they prevented disabling it, but that was OK...

      Because they didn't. "No worries, because Microsoft also mandated that every system must have a UEFI configuration setting to turn the protection off, allowing booting other operating systems. This situation may now change. At its WinHEC hardware conference in Shenzhen, China, Microsoft said the setting to allow Secure Boot to be turned off will become optional when Windows 10 arrives."

      They didn't prevent disabling it. They no longer mandated providing the option to disable it. If your device manufacturer suddenly decides to remove the previously mandatory "off" setting option, that's on them, not Microsoft.

      We're still back at "first."

    4. Re:Slippery slope by IamTheRealMike · · Score: 3, Interesting

      Unfortunately, it's not really Microsoft pushing us down this slippery slope. If anything it's the NSA.

      The problem is boot sector or BIOS malware is now a real thing that needs real defences. It's not some obscure academic attack any more. Securing the boot chain is the only known way to fix this.

      The real issues start once malware begins using Linux to install itself. That is, "I cannot infect or modify Windows because of the secure boot check. But I can install Linux and then load a special kernel module and then make the kernel chain into the Windows boot process after modifying it". So then you start needing signed kernels to check for signed kernel modules, etc. Eventually you end up with hardware that only runs signed code, and it's not because of some evil DRM conspiracy but because the openness of the PC platform has caused it to be so thoroughly bum-fucked by malware developers. I mean what are the manufacturers meant to do? Leave their 99% Windows userbase vulnerable to spying and horrible un-removable viruses because Team Linux has never managed to get OEMs on board to make Linux laptops? Doesn't make any sense, regardless of where your software sympathies may lie.

    5. Re:Slippery slope by Anonymous Coward · · Score: 0

      And how do you know it's a windows only PC?

    6. Re:Slippery slope by Anonymous Coward · · Score: 0

      Shill detected.

    7. Re:Slippery slope by Grisstle · · Score: 1

      No, it doesn't, but it could. I'm sure there are modders out there that would be up to the challenge of swapping a Subaru engine into a Toyota.

    8. Re:Slippery slope by TapeCutter · · Score: 4, Informative

      The problem is boot sector or BIOS malware is now a real thing that needs real defences. It's not some obscure academic attack any more.

      Boot sector attacks have been a malware vector since..well...forever, back in the DOS3.x days we had Norton disk doctor to remove them manually.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.

    9. Re:Slippery slope by Burz · · Score: 1

      Also if an alternative to SecureBoot were offered by a small security firm or FOSS project, how would they get their boot code signed??

    10. Re:Slippery slope by Anonymous Coward · · Score: 0

      I've seen it done with a Mitsubishi Evo engine in a Toyota Camry.
      When it comes to customizing cars just about anything goes.

    11. Re:Slippery slope by nukenerd · · Score: 1

      My Toyota doesnt run with a Subaru engine.

      You underestimate car enthusiasts. They can do things like that. And Toyota does not deliberately put in features to stop them.

    12. Re:Slippery slope by Anonymous Coward · · Score: 0

      If a powerful government wants that key, they will just take it, so, if anything, this will make it easier for government agencies since they could then use the key to install anything they want and NO ONE will be able to determine if it is supposed to be there or not....

    13. Re:Slippery slope by Anonymous Coward · · Score: 0

      Oh whoa, I just bought an FR-S

    14. Re:Slippery slope by Lumpy · · Score: 1

      I could install a Subaru or even a Corvette engine in a Toyota in a weekend. Just because you lack the education and skills on how to do it does not mean it's "impossible" or even difficult.

      Engine swaps are actually quite simple to those of us that have the education. And they are highly common in the automotive world.

      --
      Do not look at laser with remaining good eye.

    15. Re:Slippery slope by xbytor · · Score: 1

      Wait...
      I was expecting a systemd joke here.

    16. Re:Slippery slope by guruevi · · Score: 1

      If you put in the effort, it would. There are several types of cars where enthusiasts replace gasoline with diesel or even electric motors. This is akin to Subaru welding in every part of your car so that when it breaks down you have to throw away your car and replace it.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com

    17. Re:Slippery slope by guruevi · · Score: 1

      No, if the NSA were interested at all it would be to hide a hook in the software that you can no longer inspect because it is encrypted.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com

    18. Re:Slippery slope by tepples · · Score: 1

      If your device manufacturer suddenly decides to remove the previously mandatory "off" setting option, that's on them

      And if all major makers of entry-level laptops suddenly decide to remove the off button, what should one do?

    19. Re:Slippery slope by dbIII · · Score: 1

      I hope you are getting paid for making yourself look like such an utter dickhead.

    20. Re:Slippery slope by Anonymous Coward · · Score: 0

      "I mean what are the manufacturers meant to do? Leave their 99% Windows userbase vulnerable to spying and horrible un-removable viruses because Team Linux has never managed to get OEMs on board to make Linux laptops?"

      Build in a simple physical button that tells UEFI that, yes, the user intends to build a new bootchain and it is ok?

    21. Re:Slippery slope by Anonymous Coward · · Score: 0

      It's not like requiring Coke to ship a can of Pepsi in every twelve-pack, but requiring Pepsi to get Coke's signature before shipping its product.

    22. Re:Slippery slope by mister_playboy · · Score: 1

      My Toyota doesn't run with a Subaru engine or MCU.

      Bad choice of car analogy.

      https://en.wikipedia.org/wiki/...

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
    23. Re:Slippery slope by Anonymous Coward · · Score: 0

      It has nothing to do with NSA. There were BIOS viruses before Windows 3.1, which was before common networking. Computers used to have jumpers that disabled writing to the BIOS and to the boot sector. That stopped BIOS malware. Nowadays motherboards have multiple BIOSes with full-featured internet-based applications in them. Blame feature creep. Blame business people who want to data mine every time you turn your computer on so they can advertise it as a marketing point.

    24. Re:Slippery slope by shentino · · Score: 1

      Swapping out an engine like that could void the warranty or invalidate vehicle safety standards. This in turn might cause trouble with the DMV keeping it registered.

    25. Re:Slippery slope by Anonymous Coward · · Score: 0

      Stoned!

    26. Re:Slippery slope by Anonymous Coward · · Score: 0

      My Toyota doesn't run with a Subaru engine or MCU. So BFD, if you buy a Windows 10 only PC, don't be mad you can't put a Linux engine in it.

      I'm assuming then that you don't have a newer GT86 Toyota, because, well, it's factory running with a Subaru engine...

      http://www.carbuzz.com/special/3-Amigos-Toyota-GT-86-Scion-FR-S-Subaru-BRZ-7708029/

  16. Re:I dub all unswitchable hardware: disposable by rahvin112 · · Score: 5, Insightful

    People predicted that this is exactly what would happen with Secure Boot. The initial support would be optional and after a time and the phasing out of older hardware the support would become mandatory. Microsoft moving to a mandatory secure boot would fall right in line with these predictions.

    The next gambit in secure boot is to disallow the user putting in their own signing keys. From that point forward the only way to get an OS on a computer is with Microsoft's signature. Secure boot could be a good thing if the user was allowed total control, but Microsoft shows their true goal here, which is to take total control of the PC market. Many forget that secure boot was devised at a time when Microsoft was first facing a new Linux OS challenger that they couldn't defeat with their traditional tactics. Many people don't consider this timing to be coincidental.

  17. Re:I dub all unswitchable hardware: disposable by MrBigInThePants · · Score: 4, Insightful

    Of course it will work.

    This is essentially another form of DRM and as you well know that was and is still highly successful and completely crushed all piracy. People still actively seek out products that say "DRM Included" just so they can have the safety and security of knowing that a large corporate is having its own best interests protected at the expense of your product's usability.

    Anyone with a marketing background will tell you this is a FANTASTIC idea guaranteed to succeed...if you pay them enough...

    But seriously now.

    The general livestock will buy the "coolest" and/or "cheapest" option and won't understand what the fuck is going on as per usual. Its success or failure will be based on whether this affects the price point of the product (i.e. making it cheaper) or detrimentally affects its "coolness" (like DRM did).

    And DRM still exists and are some of the most profitable platforms around, e.g. Steam, iTunes, Netflix, etc.

  18. Re:I can't wait for the Linus Torvalds rant over t by Anonymous Coward · · Score: 0

    Furious self-flagellating trying to convince us how brilliant you are...

    Or you just skip all the bullshit by not buying gimped hardware in the first place. Vote with your wallet and you will win eventually.

  19. I smell a huge anti-trust case looming... by Anonymous Coward · · Score: 0

    Free upgrades to carve out markets (Dumping, Limit Pricing), "we didn't do it, it was the OEM" hardware lock-ins (Exclusive Dealing, Tying)...looks like Microsoft is going back to its original business model.

    I suppose it's almost communist-like...so, it may be popular in China, until they nationalize the source code.

  20. the server market cares about linux / VMware by Anonymous Coward · · Score: 1

    The server market cares about Linux / VMware and Dell can't risk having servers that only boot Windows.

    1. Re:the server market cares about linux / VMware by Anonymous Coward · · Score: 2, Insightful

      The server market cares about Linux / VMware and Dell can't risk having servers that only boot Windows.

      Sure, but those will be special server boxes sold at a 500% price premium. Because servers.

      Average people will be priced out of that market.

    2. Re:the server market cares about linux / VMware by spacepimp · · Score: 1

      Name one enterprise willing to accept that. Dell won't piss off their customers that badly no matter how much MS offers them. It would become the new Nokia. Which OEM would accept willfully the kiss of death MS would be forcing on them?

    3. Re:the server market cares about linux / VMware by Prof.Phreak · · Score: 1

      I can imagine a situation where Lenovo (or Dell, etc.) keep it unlocked for their "business" customers (e.g. Thinkpad line), and lock for everyone else... In a few years, that would pretty much kill off Linux for anyone who casually wants to try it out on their then-"old" laptop.

      --

      "If anything can go wrong, it will." - Murphy

    4. Re:the server market cares about linux / VMware by ihavnoid · · Score: 2

      I can imagine a situation where they keep it LOCKED for their "business" customers and unlock for everyone else... IT will love it if they have a better way to lock down their hardware and prevent somebody doing something stupid (or too clever) and increase their maintenance cost.

    5. Re:the server market cares about linux / VMware by Anonymous Coward · · Score: 0

      Yes, IT loves it when the Encryption Solution that boots before the OS, now prevents them from booting the computer at all. Sounds like a real winner. Devs will really love this too, because having a piece of crap boot locker has always made it easy to set up dev environments for shadow IT. IT *already* has the ability to lock down computers, hell they can give a user a session that resets every time they log on.

  21. Remember Winmodems? by Anonymous Coward · · Score: 0

    This seems like that, but for motherboards.

    These, if made, will most likely be "Winbooks" - no, not WinBooks, but winbooks like chromebooks.

    Probably come with 90 days Office 365. I can almost see the day when they're "free" as in beer, with a 4g cell modem (and 2 year subscription) in there as well.

  22. No. by Anonymous Coward · · Score: 1

    New desktop, laptops or tablets (excluding Kindle E-readers and Fires) purchased from Amazon.com that are "dead on arrival," arrived in damaged condition, or is still in an unopened box can be returned for a full refund within 30 days of purchase.

    Here is the source.

    So, you cannot test to see if you can get to the boot menu and return the item without any cost.

    What will have to be done is somewhere on Linux.org or gnu.org, a list is published of who is naughty and who is nice.

    1. Re: No. by corychristison · · Score: 4, Insightful

      As far as I'm concerned a locked up, drm-encumbered bootloader is dead on arrival.

    2. Re: No. by dwywit · · Score: 1

      That's true. You accept delivery of a computer, insert your favourite distro disc, and it won't boot.

      I also build desktops for customers, and I get to decide which mainboard goes in, and which operating system is installed, and it will always be whatever best meets the customer's needs (and pockets).

      --
      They sentenced me to twenty years of boredom
    3. Re: No. by Darinbob · · Score: 1

      Use the pre-installed Windows 10 as a very slow and cumbersome boot loader?

    4. Re:No. by hughbar · · Score: 1

      And pressure for all on-line retailers to add a 'secure boot status' bullet point on their detailed descriptions.

      --
      On y va, qui mal y pense!
    5. Re: No. by Anonymous Coward · · Score: 0

      That only works if Microsoft continues to allow unsigned software to run within Windows.

  23. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 0, Troll

    It doesn't matter what you buy. If the locked laptop is $10 cheaper than the one where you can install a hippie OS that nobody* uses anyway, then the majority of customers will choose the cheaper device, and manufacturers of more flexible hardware will lose out in the market. In the end your choice will be to buy a locked laptop or none at all, because nobody makes an unlocked laptop anymore, for a reasonable price at least.

    *) except Open Source hippies

  24. OEMs should prepare for rage by Dracos · · Score: 1

    Secure Boot is clearly a clumsy means to lock out alternative OSs, and this announcement is the next step toward the ultimate in vendor lock-in.

    Any OEM who doesn't implement the secure boot option (even on a single model) will face a wall of rage. I'm sure MS is offering the OEMs some type of poisoned candy to not implement it, though.

    1. Re:OEMs should prepare for rage by Narcocide · · Score: 1

      The OEMs for the most part aren't even remotely frightened of the tiny percentage of us using non-Microsoft operating systems.

    2. Re:OEMs should prepare for rage by Dr_Barnowl · · Score: 5, Insightful

      SecureBoot is a reasonable thing. It's when it's under the control of Microsoft, rather than the owner of the hardware, that it becomes a problem.

      Make sure the OS is composed of files that are cryptographically signed and entirely legit? Fine.

      Define "legit" as being "only those things signed with Microsoft keys"? Not so fine.

      The current solution of a Linux bootloader signed by Microsoft is a stupid, half-baked compromise. I wouldn't have settled for it - nothing less than the ability to load my own signing keys into the BIOS being mandatory for all SecureBoot installations. And of course, disabling it.

    3. Re:OEMs should prepare for rage by Anonymous Coward · · Score: 1

      OS X, iOS, Android are all non MS operating systems.

      The PC platform is the last place MS is relevant and they are doing their absolute damnedest to ensure they don't get pounded into oblivion by some hacker OS sneaking in and taking their last remaining market.

    4. Re:OEMs should prepare for rage by Anonymous Coward · · Score: 0

      > The OEMs for the most part aren't even remotely frightened of the tiny percentage of us using non-Microsoft operating systems.

      No, but they should be frightened of the large percentage that still want to run XP and 7.

    5. Re:OEMs should prepare for rage by Rich0 · · Score: 1

      SecureBoot is a reasonable thing. It's when it's under the control of Microsoft, rather than the owner of the hardware, that it becomes a problem.

      Make sure the OS is composed of files that are cryptographically signed and entirely legit? Fine.

      Define "legit" as being "only those things signed with Microsoft keys"? Not so fine.

      Yup.

      Sometimes I think that there ought to be a law that if an OS comes pre-installed with any asymmetric keys, the owner of the PC must be provided with a copy of any related keys. So, if you put a key that verifies firmware updates, then the owner gets the private key needed to sign firmware updates.

      By all means tailor each key to each install so that knowledge of it doesn't compromise other PCs. By all means provide those keys on separate media so that malware can't use them to bypass security.

      This would solve a lot of problems though. In addition to giving people control over their own hardware and defeating stuff like trusted computing / DRM, it would also force a huge change in how CAs operate, since they couldn't have their keys pre-installed. A CA would actually have to compete to demonstrate its trustworthiness to anybody it wants to get to install its key, and users wouldn't have laundry lists of keys from companies they've never heard of installed on their systems.

  25. Re:I can't wait for the Linus Torvalds rant over t by rudy_wayne · · Score: 0

    Make no mistake. This is a literal and direct attack on Linux. OEMs will not care about the few people who use Linux and will omit this ability essentially killing Linux off. This is Microsoft's attempt at the final nail in the coffin of Linux.

    This isn't about Linux (although I'm sure Microsoft's hatred of Linux has something to do with it). People who buy a pre-built system from one of the big OEMs have no intention of installing an alternative OS, so this is a non-issue for them.

    If you do buy a pre-built system from one of the big OEMs so you can put Linux on it, you're too stupid to be allowed near a computer.

    Buy the components and build it yourself and you won't be bothered with any of this bullshit. Anyone who knows which end of a screwdriver to hold can easily do it.

  26. Re:I can't wait for the Linus Torvalds rant over t by Dr_Barnowl · · Score: 1

    Quite. This was foreseen. This is just another whack of the mallet driving the thin end of the wedge a bit deeper.

    First you had to turn off a feature that said "Secure Boot". How many standard users are going to turn that off?

    Now there will probably be "considerations" for those who make their hardware less easy to boot Linux on.

    "Oh, yes, fewer config options make things more reliable - less to misconfigure, less to go wrong - we prefer that kind of device, gives Windows a good name by being more reliable..."

  27. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 2, Interesting

    It doesn't matter what you buy. If the locked laptop is $10 cheaper than the one where you can install a hippie OS that nobody* uses anyway, then the majority of customers will choose the cheaper device, and manufacturers of more flexible hardware will lose out in the market.

    Exactly so.

    The end result of this road is mad-expensive hardware for servers at a 500% price premium, and low end locked down hardware for consumers that can't boot "inconvenient" OSs that give the user control of their own computer.

    People who say "but servers!" miss the point: the average Joe will get priced out of that market.

    After that, it's not long until online gaming requires an "authenticated" system. Then banking and online shopping, because safety.

    That's where this road goes. Just wait and watch.

  28. Re:I dub all unswitchable hardware: disposable by Aighearach · · Score: 2

    Stallman came out against buying stuff at Amazon. I don't think he actually came out against returning them, which is what was said.

    If you find yourself in the situation of having bought something from Amazon, received it, and felt less free, I think Stallman might agree that the right to return the item "is a freedom we can defend." Hopefully then you'll buy something somewhere else.

    I know it isn't Amazon granting my right to return, it is consumer protection laws.

  29. Re: I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 0

    And the average person cares about what Stallman thinks because....???

  30. Systemd linux will be the only one allowed by Anonymous Coward · · Score: 0, Troll

    Systemd linux will be the only one allowed

  31. This means... by Anonymous Coward · · Score: 0

    You will most likely also not be able to reinstall Windows 10 if anything goes wrong with the HDD. Because secure boot prevented me from even booting to a USB flash drive that contained the ISO/installer of Windows 10 tech preview on my Windows 8 tablet, had to disable it in order to install it.
    Which means these devices/computers, when they fail, it's all over and you need to buy a new one. This in turn will make more people build their own PC.
    F Microsoft and any company that does not allow disabling secure boot.

  32. And the Federal Trade Commission did NOTHING! by BrendaEM · · Score: 0

    The FTC, whose job it is to pander to the needs of every monopoly, put their hands in their pockets, as hardware that had once been open was taken by Microsoft.

    FTC, please get off of your knees for once, and do something.

    --
    https://www.youtube.com/c/BrendaEM
    1. Re:And the Federal Trade Commission did NOTHING! by Anonymous Coward · · Score: 0

      Maybe you should soon buy hardware based on IBM power8 (OpenPower), which is coming out in 3 months or so, at least for desktop/servers. But for laptops, I don't see a solution.

  33. Re:I dub all unswitchable hardware: disposable by SuricouRaven · · Score: 5, Insightful

    If I were an Evil Executive at Microsoft, my next gambit would be to apply some unofficial, off-the-record pressure to the OEMs to make sure they have no means of disabling secure boot. Requiring this outright would be legally risky, could come back to bite them in future antitrust cases, but nothing to stop them from some deniable hints that it might help get a cheaper license deal.

  34. Toooold Youuu! by linebackn · · Score: 2, Interesting

    Yep, told you so.

    I'd hope somebody keeps a public list of machines that are locked down. Although that probably won't keep the masses from buying.

    This is "optional" for OEMs in the same way as they have the option to have MS break their legs or not.

    1. Re:Toooold Youuu! by Anonymous Coward · · Score: 0

      We need a short list already of devices with legacy BIOS support. Most if not ALL tablets (which replace most laptops) have no legacy BIOS support and you're lucky if you can get a Linux to install.

      New hardware is so fast and power efficient; I'd pay $100 more for the same tablet(s) that one could somehow install XP SP2 tablet (use now on x200, way way better than win8.1) onto.

  35. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 0

    The vast majority of PC buyers will never want the missing feature, and will be protected from social engineering attacks that would turn it off. As for a compromised OS bricking the system? Well, that's probably actually a good thing for most people. Much better than their bank account getting siphoned.

  36. and laptops? by Mirar · · Score: 4, Insightful

    I don't know about you, but I really don't have time to put together a laptop from components...

    1. Re:and laptops? by Anonymous Coward · · Score: 0

      All my laptops are artisan. I lovingly craft them myself from fresh arugula and shaved parmesan.

    2. Re:and laptops? by Lumpy · · Score: 3, Interesting

      I do.

      http://www.amazon.com/MSI-937-...

      Start there and buy the other parts. Anyone semi competent can build one in under an hour. Guarantee MSI bare bones systems will not have secure boot locked and enforced on you.

      --
      Do not look at laser with remaining good eye.
    3. Re:and laptops? by Zontar+The+Mindless · · Score: 1

      Special Shipping Information: Due to federal and international regulations, this product can only be shipped within the 50 states.

      --
      Il n'y a pas de Planet B.
    4. Re:and laptops? by MrL0G1C · · Score: 1

      You can get a laptop with same screen+resolution, including HDD+MEM+CPU+DVD+OS for the same price so the one linked is dreadfully poor value.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    5. Re:and laptops? by dargaud · · Score: 1

      I currently live in Europe and tried to get a Linux Laptop about 2 years ago. I tried several barebone sellers, but there were always problems: either they wouldn't ship to my country, or they'd force the local keyboard upon me, but I wanted a standard US qwerty. In the end, the ONLY seller of Linux laptops that had what I wanted was... Dell ! And that's what I got for home, work and wife. Works fine with Ubuntu.

      --
      Non-Linux Penguins ?
  37. hmm, laptops? by Mirar · · Score: 0

    How will I get my laptop when they start doing that? I need Linux for work.

    I don't want to lock down to expensive Dell laptops.

    1. Re:hmm, laptops? by johanw · · Score: 1

      "I need Linux for work."

      Run it in a virtual machine.

  38. New Anti-Microsoft campaign. by MouseTheLuckyDog · · Score: 0

    Walk into the store with your phone recording. Ask the clerk if the computer's UEFI is locked, because you want to install Ubuntu.

    If the clerk says yes, buy it. If it turns out you can't install Ubuntu then return it. Demand no restocking fee. If they balk play the recording.

    Even better if the clerk says, yes I run Mint (or something) on the same computer at home. As if anyone believes that anymore.

    1. Re:New Anti-Microsoft campaign. by gtall · · Score: 1

      The store's attorneys will just claim you faked the recording and invite you to spend the next 3 years trying to get your $1000 back.

    2. Re:New Anti-Microsoft campaign. by Anonymous Coward · · Score: 0

      Yet another reason to use a credit card. I have never had any problem getting my CC company to issue a chargeback.

    3. Re:New Anti-Microsoft campaign. by MouseTheLuckyDog · · Score: 1

      At which point I would suggest that they talk to our state's attorney general.

      I don't know that many store managers who would in the first place.

      BTW make sure to get the clerk's info, store id, name whatever.

  39. You also disable UEFI for driver updates by msobkow · · Score: 5, Interesting

    When I tried to update the graphics drivers for my Lenovo laptop, I got undocumented errors and a rollback. Later, on a whim, I disabled UEFI, and the drivers installed with no problem. I re-enabled UEFI afterwards, and the system still runs fine.

    So unless you trust your vendor to deliver absolutely PERFECT drivers that will NEVER need updating, you wouldn't want a system that prevents you from disabling UEFI.

    --
    I do not fail; I succeed at finding out what does not work.
  40. Isn't there a mechanism present to manage UEFI? by mmell · · Score: 1

    I'd thought there would be a way for a system's owner to import their own keys to enable UEFI booting with the OS of their choice? Also, didn't I hear that the major Linux distros have such keys available already (although I don't know about implemented)?

    1. Re:Isn't there a mechanism present to manage UEFI? by Anonymous Coward · · Score: 0

      On my Acer laptop from 2 years ago, the option to import keys was disabled in the BIOS from what I could tell. There were pages talking about flashing hacked firmware to reenable but it's BS that anyone even disabled it.

    2. Re:Isn't there a mechanism present to manage UEFI? by Anonymous Coward · · Score: 0

      Such a mechanism was required for Windows 8. It's no longer required for Windows 10. And probably will be required not to exist for Windows 14 and all applications in Windows 15 must be installed from the Windows App store, which will require a yearly $98 listing fee (for security testing of course). Businesses will be able to negotiate their own, private app stores. You won't.

      I'm expecting some distros to start asking for donations to get your app in their official repositories too. They can't stop not copying Apple and Microsoft, even when the distros had better versions first

  41. Multi-pronged attack by Anonymous Coward · · Score: 1

    SystemD takeover of all Linux distros is one prong (makes Linux not Unix and thus not wanted on servers).
    This is another prong.
    A third is Intel AMT (spyware in the hardware).

  42. Don't ask for the Justice Dept for help. by Anonymous Coward · · Score: 0

    Microsoft is doing this at the NSA's request and our government will not launch any kind of antitrust investigation. All new computers must run an OS with a government backdoor installed.

  43. Re:I dub all unswitchable hardware: disposable by Beck_Neard · · Score: 5, Funny

    No, no, no, you are paranoid and delusional to think that they will keep you from disabling secure boot. Microsoft only cares about your security and safety, and you're a conspiracy theorist if you think otherwise.

    --
    A fool and his hard drive are soon parted.
  44. Funny but could become true in the future by ArcadeMan · · Score: 2

    Want to install Linux? Buy a Mac!

    1. Re:Funny but could become true in the future by Anonymous Coward · · Score: 0

      Want to install Linux? Buy a Mac!

      Apple would give even less of a shit about breaking Linux installs than M$ does. Hell, even Windows doesn't run right on Apple hardware; the Windows drivers don't support all the features of the hardware.

  45. Time to switch to Linux now.... by Anonymous Coward · · Score: 0

    Yeah, I have been delaying it. However, I have enough computers now that I can use maybe one with windows for non-steam games and the rest with linux and a windows virtual machine if need be for "special" (as in retarded) software I need still.

    Stick it in your ear MS

  46. Re:I can't wait for the Linus Torvalds rant over t by Anonymous Coward · · Score: 0

    This isn't about Linux (although I'm sure Microsoft's hatred of Linux has something to do with it). People who buy a pre-built system from one of the big OEMs have no intention of installing an alternative OS, so this is a non-issue for them.

    They might not have such intentions at the time of purchasing the machine, but if they later decide to try some alternatives to the pre-installed Microsoft OS, they will find out that it is not possible because of the "secure boot" DRM. I have seen many people give up on Linux because of having unsupported hardware, which was previously bought without considering that compatibility with a non-Windows operating system could be an issue in the future.

  47. Not Allowed in Europe by Anonymous Coward · · Score: 1

    You can bet your bottom dollar that any OEM that does this, will be banned from trading in the EU.

  48. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 1

    The vast majority of PC buyers will never want the missing feature, and will be protected from social engineering attacks that would turn it off. As for a compromised OS bricking the system? Well, that's probably actually a good thing for most people. Much better than their bank account getting siphoned.

    And while they're happily patting themselves on the back for their purchase of a secure boot computer, they will continue to blithely visit every malware-infested site known.

  49. Bootable utilities. by redback · · Score: 4, Insightful

    For most people, it's not about alternative operating systems.

    It's about when they break the thing and bring it to me, and I can't fix it because I can't run any boot disks on it.

    1. Re:Bootable utilities. by Anonymous Coward · · Score: 0

      Shame on you for not using Genuine Windows (tm) boot disks.

    2. Re:Bootable utilities. by nctritech · · Score: 1

      A thousand times this. Tons of diagnostic and repair software runs outside of Windows environments. Windows has also been removing all troubleshooting and repair capabilities from consumer operating systems since Windows 8. No safe mode (unless you can boot into normal mode, how fucking useless) and no boot menu (unless you can boot into normal mode AGAIN, and no, *the shift-F8 thing doesn't actually work*) and not even any boot media included with the computers anymore. Hard drive failure? Fuck you and your data too, plus you don't get any media to install with once you replace the drive. Go buy a new computer!

      There will be corporate heads on a pike when normal people start being bitten hard by this nonsense.

  50. Re:I can't wait for the Linus Torvalds rant over t by Dutch+Gun · · Score: 3, Interesting

    Microsoft is now saying that OEM hardware that doesn't allow disabling secure boot would still be "Windows 10 certified". What's in it for the OEM to do this? Why would they purposefully lock their customers out of a choice of OSes? I have a hard time seeing this happening for PCs. It seems more likely that this is actually intended for smaller-form-factor hardware like phones or tablets, similar to how Apple attempts to lock down the devices they sell. It's hard to say since all versions of the new OS are simply called "Windows 10".

    Regarding PCs though, I can think of nothing that would generate a new anti-trust lawsuit faster than this. MS had better walk damn carefully here if they do ANYTHING that could be perceived as unfairly locking Linux and other OSes from PC hardware. Frankly, I think the first OEM to try this is going to generate a shitstorm of controversy the moment an unsuspecting user tries to install Linux in a secondary partition or to replace Windows altogether. While it's good to be aware of this and watch to see how things go, I don't think the sky is falling quite yet.

    So, that being said... Can anyone explain to me why Microsoft can use the Secure Boot feature but Linux can't offer the same as an "out of the box" experience? Or why Windows can apparently be patched and continue to work, while Linux somehow can't? Is this true for Linux in general, or just for people who modify and compile their own kernel (which I'm guessing probably isn't that many)?

    --
    Irony: Agile development has too much inertia to be abandoned now.
  51. Re:I dub all unswitchable hardware: disposable by maorb · · Score: 1

    Except the only difference between the locked laptop and the unlocked laptop is in the firmware, not the hardware. Given the fact that all current systems allow disabling Secure Boot we know that providing the option to disable Secure Boot is not technically infeasible (read difficult to do). So the price difference between a locked laptop and an unlocked laptop would be pennies at most when spread out across the number sold.

    I have a hard time imagining that a company would have to spend more than $500 in their software engineers' time to implement this particular feature, so if implementing it increases the sales of computers with that firmware by even 34 units, it's paid for itself (assuming an average of $15 profit per computer sold, which is slightly lower than "TheGuardian.com" calculated in 2013 based on publicly available financial data.)

  52. Trade-in value by PPH · · Score: 2, Insightful

    What will a locked secure boot loader (as opposed to one where UEFI can be switched off) do to the trade-in value for a used system?

    Microsoft prohibited disabling UEFI Secure Boot on ARM devices back when Windows 8 support for them came out. And from what I have heard, this is one reason that old ARM hardware has a near zero value on the used equipment market. Meanwhile, x86 stuff still has a second life and some value.

    Something to think about when selecting a Windows 10 system.

    --
    Have gnu, will travel.
  53. Re:I can't wait for the Linus Torvalds rant over t by Grisstle · · Score: 1

    I've been receiving batches of HP Probooks that have secureboot turned off by default. For the past couple years my staff had to turn off secureboot and uefi manually. I don't know if it's just HP or other manufacturers.

  54. Re: I dub all unswitchable hardware: disposable by BBird · · Score: 1

    he knows better

  55. OEMs probably open to other OS vendors ... by perpenso · · Score: 1

    Linux is not doomed. The OEMs will probably be open to other vendors. Red Hat and Ubuntu could probably get their keys recognized by the OEM and offer factory signed binaries. This would probably work just fine for the vast majority of Linux users.

    1. Re:OEMs probably open to other OS vendors ... by markdavis · · Score: 4, Insightful

      This is still the wrong approach. The owner of the hardware should have the right to turn it off if they so choose. It should not be up to Microsoft. And it should not be up to the OEM. And it should not be up to carriers. And it should not be up to the government, either (might as well keep extending out the doom-and-gloom possibilities).

      OEM's should listen to their customers and not Microsoft. Locking the bootloader is extremely anti-consumer and anti-competitive. The time to find out your machine is a paperweight should not be after you spent your hard-earned money buying a machine. When this whole fiasco started, there was ZERO transparency from the OEM's. You could not call Dell and ask if machine X had a locked secureboot, because the idiot support and sales people don't know. And it is not listed on the websites, the manuals, or the boxes.

    2. Re:OEMs probably open to other OS vendors ... by Darinbob · · Score: 2

      This is like DRM for hardware, we don't own it but we can use it if the manufacturer gives us permission.

    3. Re:OEMs probably open to other OS vendors ... by Anonymous Coward · · Score: 1

      The NSA won't allow them to sign anything they haven't taken control of, so you'll only be able to run backdoored OSes like Redhat or Ubuntu.

    4. Re:OEMs probably open to other OS vendors ... by Anonymous Coward · · Score: 1

      What if some brilliant young programmer out there decides he wants to try his/her hand at creating his own OS? They'll never make it past the boot stage unless they put their efforts into hacking the secure boot out of the system, which might put them off the idea entirely.

      This is 100% anti-competitive.

    5. Re:OEMs probably open to other OS vendors ... by westlake · · Score: 2

      OEM's should listen to their customers and not Microsoft. Locking the bootloader is extremely anti-consumer and anti-competitive.

      What this means for the future of Linux and alternative OSes is unclear at best.

      Those who build their own desktops will retain the ability to disable Secure Boot, since Asus or MSI doesn't know what kind of operating system you're going to load on the board. But laptops are a different story. Some laptop vendors will undoubtedly continue to ship a "Disable" option on Secure Boot, but vendors like HP and Dell may simply decide that closing the attack vector is more important than user freedom, particularly when the margin on PCs is so low to begin with. When every support call is measured against the handful of dollars an OEM makes on each machine, eliminating the need for such interaction is extremely attractive.

      Psychological research has long confirmed the power of default settings -- ship something enabled (or disabled), and the vast majority of users will never change the option. Given that Windows machines were already required to enable Secure Boot by default, where's the security benefit in making the kill switch optional?

      As far as we can tell, there isn't one.

      Linux's worst-case scenario: Windows 10 makes Secure Boot mandatory, locks out other operating systems

      For the vendor of a mass-market Linux laptop -- if there is such a thing -- choosing a signed Linux OS and closing an attack vector common to both Linux and Windows makes perfect sense as well.

      It is not anti-consumer and it is not anti-competitive.

      OEMs are listening to their mass market customers and what these customers are saying is "Lock it down. We don't want to tool up and poke around under the hood."

    6. Re:OEMs probably open to other OS vendors ... by Anonymous Coward · · Score: 1

      >It should not be up to Microsoft. And it should not be up to the OEM

      It's Microsoft's hardware spec for a system that can run Windows. The OEM is voluntarily agreeing to build hardware that follows that hardware spec so they can sell Windows machines.

      Why the fuck would anybody else get a say in it?

      >Locking the bootloader is extremely anti-consumer and anti-competitive

      Go back to law school. Locking out rootkits is pro-consumer; I mean really, really amazingly fucking pro-consumer. To be anti-competitive, the preponderance of the purpose of the action has to harm competitors. Since the purpose of this is to stop malware dead in its tracks, it would be nearly impossible to meet the standard to make anti-competition laws stick.

    7. Re:OEMs probably open to other OS vendors ... by 0123456 · · Score: 2

      OEMs are listening to their mass market customers and what these customers are saying is "Lock it down. We don't want to tool up and poke around under the hood."

      Really? I've never heard a single mass market customer demand that they should be able to do less with their PC.

      Fortunately, desktop PCs are only really useful for games and a few other specialized uses these days, so I can always buy an ARM next time.

    8. Re:OEMs probably open to other OS vendors ... by 0123456 · · Score: 1

      What if some brilliant young programmer out there decides he wants to try his/her hand at creating his own OS?

      They would immediately be flagged as potential terrist and be sent to Cuba.

    9. Re:OEMs probably open to other OS vendors ... by Anonymous Coward · · Score: 0

      And when their customers get pissed that a single virus bricks their computer by making a boot key unrecognizable, I'm sure the lawsuits will fly and there will suddenly be a patch to fix the problem. Oh you don't think that will happen? You've never used computers have you?

    10. Re:OEMs probably open to other OS vendors ... by gomiam · · Score: 1

      Locking out rootkits is pro-consumer; I mean really, really amazingly fucking pro-consumer.

      Perhaps in your fantasy world it is. In the real world it not only locks rootkits but sysadmins out. Good luck next time you want to recover that botched Windows installed with anything else than "Microsoft approved" tools. Then again, I shouldn't be surprised: your post reeks of trolling.

    11. Re:OEMs probably open to other OS vendors ... by Anonymous Coward · · Score: 0

      >In the real world it not only locks rootkits but sysadmins out. Good luck next time you want to recover that botched Windows installed with anything else than "Microsoft approved" tools.

      Boot up a Windows recovery disk and then run whatever tools you want. I'm sorry, where's the "locks out sysadmins" part again?

      >I shouldn't be surprised: your post reeks of trolling.

      Your post reeks of being a clueless sysadmin since what I said above is blindingly obvious to a competent one.

    12. Re:OEMs probably open to other OS vendors ... by mrchaotica · · Score: 1

      Red Hat and Ubuntu could probably get their keys recognized

      You're completely missing the point.

      Having Red Hat or Ubuntu get their keys recognized is not even slightly good enough. Every user who recompiles his kernel gets his own unique key, and needs to have that recognized! The ability for the kernel to be recompiled by the user is the entire fucking point, and is not negotiable. Therefore, secure boot is an existential threat to Free Software!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    13. Re:OEMs probably open to other OS vendors ... by mrchaotica · · Score: 1

      For the vendor of a mass-market Linux laptop -- if there is such a thing -- choosing a signed Linux OS and closing an attack vector common to both Linux and Windows makes perfect sense as well.

      A Linux laptop with Secure Boot misses the point, since it prevents the user from recompiling his kernel. It's Tivoization all over again!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    14. Re:OEMs probably open to other OS vendors ... by gomiam · · Score: 1

      >In the real world it not only locks rootkits but sysadmins out. Good luck next time you want to recover that botched Windows installed with anything else than "Microsoft approved" tools.

      Boot up a Windows recovery disk and then run whatever tools you want. I'm sorry, where's the "locks out sysadmins" part again?

      Unless, of course, said tools do not run on Windows, which is often the case.

      Your post reeks of being a clueless sysadmin since what I said above is blindingly obvious to a competent one.

      If only Windows recovery disks were the end-all of system administration. There is a much bigger world out there in systems administration than what your tiny windows show.

    15. Re:OEMs probably open to other OS vendors ... by perpenso · · Score: 1

      Red Hat and Ubuntu could probably get their keys recognized

      You're completely missing the point.

      Having Red Hat or Ubuntu get their keys recognized is not even slightly good enough. Every user who recompiles his kernel gets his own unique key, and needs to have that recognized! The ability for the kernel to be recompiled by the user is the entire fucking point, and is not negotiable. Therefore, secure boot is an existential threat to Free Software!

      Actually I understood the point instantly upon reading the summary. However, getting signed software updates and upgrades from Red Hat and Ubuntu would be just fine for most Linux users.

      For others they will be inconvenienced by having to be careful to buy a non-factory locked down system or go the build-your-own route. Inconvenienced by not being able to take any retired Windows PC box and turn it into a Linux box. An inconvenience put upon a very small group so that a very large group could have better security. Regrettable but a fair tradeoff given that Linux itself will survive and continue to be available to any who want it or are curious (VM on the locked down Windows box if necessary).

      As for free software ideals, that is not Dell's, HP's, etc. responsibility. The free software community can put their own resources into open hardware if they want ideological purity.

    16. Re:OEMs probably open to other OS vendors ... by Anonymous Coward · · Score: 0

      >Every user who recompiles his kernel gets his own unique key, and needs to have that recognized

      If there is no legal or contractual obligation to meet that need and there is no business justification (i.e. $$$) to sell a product that meets that need, then that need is just going to go unmet now isn't it? I need a lifetime supply of free single malt scotch but I'm not getting it anytime soon.

    17. Re:OEMs probably open to other OS vendors ... by perpenso · · Score: 1

      The owner of the hardware does have the right to do as they wish

      And consider that the owner is not necessarily the user. In a business environment the company may not want users to disable secureboot.

    18. Re:OEMs probably open to other OS vendors ... by markdavis · · Score: 1

      >"And consider that the owner is not necessarily the user. In a business environment the company may not want users to disable secureboot."

      That is easy to consider. The business can then lock the BIOS with a password to prevent the user from changing the secureboot status. And I have absolutely no problem with the BIOS password failure by the user doing nasty things like semi-bricking it until the OWNER unlocks it, or some other suitably difficult-to-circumvent design (like slicking the drives, or calling for help, or whatever).

      The difference is that the OWNER is in control of the options set and used, not the OEM, not Microsoft.

    19. Re:OEMs probably open to other OS vendors ... by perpenso · · Score: 1

      The owner may not want to spend the time setting the password and prefer to just order it from the factory locked down. Besides the time, a cryptographic key sounds more secure than a password.

    20. Re:OEMs probably open to other OS vendors ... by markdavis · · Score: 1

      >"The owner may not want to spend the time setting the password"

      Freedom has a cost. It is not free, and it is not necessarily convenient.

    21. Re:OEMs probably open to other OS vendors ... by perpenso · · Score: 1

      >"The owner may not want to spend the time setting the password"

      Freedom has a cost. It is not free, and it is not necessarily convenient.

      The real point is that for some owner perspectives the feature is a vulnerability not a freedom.

      And using your own logic, freedom has a cost and is not necessarily convenient, that's also true in the sense that people who want the feature would need to do a little research before buying a box or motherboard.

    22. Re:OEMs probably open to other OS vendors ... by david_thornley · · Score: 1

      More precisely, there are three groups of people here, listed in what I perceive as increasing size. People who understand what Secure Boot is and want to lock out other OSes, people who understand what Secure Boot is and want to be able to run other OSes, and the mass market. A mass market customer wouldn't argue for doing less with his or her PC, because a mass market customer wouldn't have a clue about the subject.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  56. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 0

    Microsoft doesn't (currently) require this, but some third party may make locking secure boot a requirement for paying out a subsidy in return for having their add-on software installed. Media player software comes to mind. The content industry would, at least indirectly, certainly be willing to spend some money to make the locked hardware a little bit cheaper and ensure its success in the market.

  57. So Red Hat and Ubuntu offer signed binaries by perpenso · · Score: 1

    The end result of this road is mad-expensive hardware for servers at a 500% price premium, and low end locked down hardware for consumers that can't boot "inconvenient" OSs ...

    So Red Hat and Ubuntu establish relations with consumer hardware vendors and offer factory signed binaries. Linux is not doomed. Linux kernel developers need to be careful about their motherboards but the vast majority of Linux users would be just fine.

    1. Re:So Red Hat and Ubuntu offer signed binaries by markdavis · · Score: 5, Insightful

      >"So Red Hat and Ubuntu establish relations with consumer hardware vendors and offer factory signed binaries. Linux is not doomed. Linux kernel developers need to be careful about their motherboards but the vast majority of Linux users would be just fine."

      And what about Mageia?
      And what about FreeBSD?
      And what about FreeDOS?
      And what about VMWare VSX?
      And what about that hard drive diagnostic disc?
      And what about that RAID controller utility?
      And what about any number of many dozens of OSes, utilities, and distros?

      The "solution" is not to try and get everyone to play by the stupid secureboot "rules" that MS is trying to force on everyone. The solution is to have ALL machines give the owner of the machine the CHOICE to decide if they want secureboot on or off.

      Microsoft saying it is "optional" means it absolutely won't be optional when they start putting behind-the-scenes (and probably illegal) pressure on the OEM's to start the lockdown.

    2. Re:So Red Hat and Ubuntu offer signed binaries by Darinbob · · Score: 1

      But this costs the vendors some money, whereas just ignoring those unix people is free.

    3. Re:So Red Hat and Ubuntu offer signed binaries by Darinbob · · Score: 1

      This should logically not even be up to Microsoft. They're inserting themselves between the customers and the vendors when not asked to do so. They get away with this because they've maintained their OEM practices that have been ruled anti-competitive by the courts. The US will never do it, but if the EU again got the guts to sue Microsoft it wouldn't make a difference because it would take so long that they'd be onto Windows 18 already, and Microsoft would just claim that they're sorry and they won't do it again.

    4. Re:So Red Hat and Ubuntu offer signed binaries by Anonymous Coward · · Score: 1

      This should logically not even be up to Microsoft. They're inserting themselves between the customers and the vendors when not asked to do so. They get away with this because they've maintained their OEM practices that have been ruled anti-competitive by the courts. The US will never do it, but if the EU again got the guts to sue Microsoft it wouldn't make a difference because it would take so long that they'd be onto Windows 18 already, and Microsoft would just claim that they're sorry and they won't do it again.

      I can just see the courtroom now:

      Linux guy: Mom, M$ is being anti-competitive again!
      Judge: M$, are you being naughty again? What do you have to say for yourself?
      M$: Anti-competitive means doing something designed primarily to damage the competition. This is a change to prevent 99% of malware from running.
      Linux guy: It does damage the competition! It locks out Linux!
      M$: Not its primary purpose and we don't have any legal contracts or obligations to support non-M$ operating systems. Besides, the OEM gets to make the decision, not us.
      Judge: Case dismissed.

    5. Re:So Red Hat and Ubuntu offer signed binaries by dhasenan · · Score: 2

      You use a shim bootloader (or GRUB) signed by Canonical, which optionally loads whichever bootloader you normally use. This gives you no security benefits and only serves as a workaround for secure boot.

      Granted, this only works for hardware vendors who work with Canonical (or Red Hat or what have you) and relies on them producing a bootloader that works with the operating system you wish to use. GRUB supports the "chainloader" command, but it's possible that hardware vendors might force Canonical to disable this with their signed binaries.

      Canonical has spoken about the possibility of distributing a shim bootloader signed with Microsoft's key, too.

      All of these are workarounds that make UEFI security worthless. It's better to be able to turn off security or manually import a key than to use a bootloader that will happily load anything and is signed with the same key that restrictive bootloaders are.

    6. Re:So Red Hat and Ubuntu offer signed binaries by perpenso · · Score: 1

      But this costs the vendors some money, whereas just ignoring those unix people is free.

      That's why I specifically mentioned Red Hat and Ubuntu. They can afford to make it worth the vendor's time. I'm not saying Linux will be the same, just that it will survive.

      Also given the existing support for the BYO hobbyist crowd I expect motherboard vendors will have some models that are not locked down at the factory. But for someone recycling an old Windows box, they will probably have to go with a big well financed distro like above.

    7. Re:So Red Hat and Ubuntu offer signed binaries by Anonymous Coward · · Score: 1

      It won't kill Linux. But it will kill the HURD, and Free Software in general -- the ability to boot your modifications being crucial to freedom.

    8. Re:So Red Hat and Ubuntu offer signed binaries by Anonymous Coward · · Score: 0

      No it isn't; people don't get those computers from nowhere.

    9. Re:So Red Hat and Ubuntu offer signed binaries by mrchaotica · · Score: 2

      And what about any individual user, even one who uses Red Hat or Ubuntu, who has the audacity to actually want to exercise his rights under the GPL and recompile his kernel?

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    10. Re:So Red Hat and Ubuntu offer signed binaries by perpenso · · Score: 1

      And what about any individual user, even one who uses Red Hat or Ubuntu, who has the audacity to actually want to exercise his rights under the GPL and recompile his kernel?

      Then buy a machine that was not built to be a dedicated Windows box. Motherboard vendors will continue to make boards where secureboot is absent or configurable. They already cater to the build-your-own and tweaking segments.

      More importantly it's not Dell's or HP's or whoever's mission to promote and support the GPL. Free Software advocates can donate their own time and money to open hardware projects, support other vendors who cater to the Linux community, etc.

    11. Re:So Red Hat and Ubuntu offer signed binaries by markdavis · · Score: 1

      >"Then buy a machine that was not built to be a dedicated Windows box. Motherboard vendors will continue to make boards where secureboot is absent or configurable. They already cater to the build-your-own and tweaking segments."

      Are there boxes NOT built to be dedicated MS-Windows machines? How many are there? How about laptops? Last time I checked stores, there were exactly zero non-Apple machines that were sold that came without MS-Windows installed.

      Consumers should not be relegated to a very, very, very few models of computers, sold only online, and often without the features they want, just because they want the ability to turn off a simple feature in the BIOS that a convicted monopoly developed and wants to force down everyone's throats. There is absolutely no good reason secure boot should be locked on.

    12. Re:So Red Hat and Ubuntu offer signed binaries by ccanucs · · Score: 1

      Yes - powernotebooks for example offers notebooks built to your specification without any operating system at all. Your choice. OK - so that's online, but it's not "very, very, very few". They are only one of a good number of suppliers of notebooks that let you specify what you want and do not lock you in to Windoze.

    13. Re:So Red Hat and Ubuntu offer signed binaries by perpenso · · Score: 1

      There is absolutely no good reason secure boot should be locked on.

      One counterexample: The user of a computer is not necessarily the owner of a computer. For example a business may not want to allow an employee to disable secureboot.

    14. Re:So Red Hat and Ubuntu offer signed binaries by markdavis · · Score: 1

      >"One counterexample: The user of a computer is not necessarily the owner of a computer. For example a business may not want to allow an employee to disable secureboot."

      Then the owner places a password protection on the BIOS and that prevents disabling secureboot, if that is their desire. I have no problem with password protection of the BIOS being strong. As long as the fate of the computer and its settings are in the hands of the owner.

    15. Re:So Red Hat and Ubuntu offer signed binaries by perpenso · · Score: 1

      Then the owner places a password protection on the BIOS and that prevents disabling secureboot, if that is their desire.

      The owner may prefer not spending the time to do so, it being far more convenient to just buy a factory locked down box. Plus BIOS passwords can be worked around, jumpers, batteries, etc.

    16. Re:So Red Hat and Ubuntu offer signed binaries by Anonymous Coward · · Score: 0

      Why do you keep repeating this same BS again and again? I just read down the page and saw you say the same crap at least five times.

      When you first raised the point, you were quite clearly rebutted. The solution is to allow the OWNER of the computer to lock the BIOS using a password in exactly the same way computers are currently secured. No need for secureboot at all.

    17. Re:So Red Hat and Ubuntu offer signed binaries by markdavis · · Score: 1

      >" Plus BIOS passwords can be worked around, jumpers, batteries, etc."

      If designed properly, they would be no easier to work around than secureboot, itself. And still give control to the owner, not the OEM and not Microsoft.

    18. Re:So Red Hat and Ubuntu offer signed binaries by riondluz · · Score: 1

      I suppose that will finally put the systemd flame-war to bed; drat!

      --
      resist propaganda
  58. Disposable, and "Not A Personal Computer" by Burz · · Score: 5, Insightful

    There should be a permanent sh!tlist pinned to the top of Slashdot with any vendor that promotes this scheme for "PCs".

    Microsoft's long-time disruptive technology shark in the water was that they promoted a platform that was just open enough to let techies (and 3rd party vendors) on a budget customize the systems however they need. This is the essence of a "personal computer", for the MS camp at least. Now MS has jumped their own shark.

    Their tepid claims of being FOSS-friendly are being shown as ultimately false. Like Apple, they still won't incorporate open A/V formats into their products and their OSes will tell you an inserted Linux-formatted volume "must be formatted before use". Heaven forbid if I ever give an EXT3 formatted flash drive to an Android user, and they decide someday to look at it with Windows. They are similarly hostile when it comes to Linux multiboot setups. It's wilful negligence that still reigns in Redmond and must be fought with tooth and nail to gain any concession.

    And how necessary for security are these firmware-level lockouts?? They are not! Qubes OS employs a scheme that, in combination with a TPM, prevents a computer from being able to reproduce a chosen passphrase if it's been tampered with. No doubt, the MS excuse will be that the consumer or administrator can't be bothered to remember a sentence to verify system integrity.

    I suggest rallying around vendors like this: https://www.crowdsupply.com/pu...
    Eventually, we should pressure the market to open up the whole damn stack; we will probably be forced to.
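
The TPM-sealing idea mentioned in the post above can be modelled in a short simulation. This is an added illustration, not code from Qubes OS or from the post: `SimTPM`, the component strings and the passphrase are constructed, and the toy sealing scheme only stands in for a real TPM's PCR-bound sealing.

```python
import hashlib
import hmac
import os

PCR_SIZE = 32  # bytes in a SHA-256 PCR bank


def measure(component: bytes) -> bytes:
    """Digest of one boot component, recorded before it is executed."""
    return hashlib.sha256(component).digest()


class SimTPM:
    """Toy TPM: one PCR plus sealing bound to that PCR's value (assumption: not a real TPM API)."""

    def __init__(self) -> None:
        self._storage_key = os.urandom(32)  # secret that never leaves the "chip"
        self.pcr = bytes(PCR_SIZE)

    def reset(self) -> None:
        """Power-on: the PCR returns to all zeroes."""
        self.pcr = bytes(PCR_SIZE)

    def extend(self, digest: bytes) -> None:
        """PCR_new = SHA-256(PCR_old || digest). The PCR can only be extended, never set."""
        self.pcr = hashlib.sha256(self.pcr + digest).digest()

    def _keystream(self, pcr: bytes, nonce: bytes, length: int) -> bytes:
        return hashlib.shake_256(self._storage_key + pcr + nonce).digest(length)

    def _tag(self, pcr: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
        return hmac.new(self._storage_key, pcr + nonce + ciphertext, hashlib.sha256).digest()

    def seal(self, secret: bytes) -> dict:
        """Encrypt the secret so it is only recoverable at the current PCR value."""
        nonce = os.urandom(16)
        stream = self._keystream(self.pcr, nonce, len(secret))
        ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
        return {"nonce": nonce, "ciphertext": ciphertext,
                "tag": self._tag(self.pcr, nonce, ciphertext)}

    def unseal(self, blob: dict):
        """Return the secret, or None when the boot chain measured differently."""
        expected = self._tag(self.pcr, blob["nonce"], blob["ciphertext"])
        if not hmac.compare_digest(expected, blob["tag"]):
            return None
        stream = self._keystream(self.pcr, blob["nonce"], len(blob["ciphertext"]))
        return bytes(a ^ b for a, b in zip(blob["ciphertext"], stream))


def boot(tpm: SimTPM, chain: list) -> bytes:
    """Measure every stage in order, as each stage would measure the next one."""
    tpm.reset()
    for component in chain:
        tpm.extend(measure(component))
    return tpm.pcr


# Constructed sample boot chains and secret.
GOOD_CHAIN = [b"firmware v1", b"bootloader v1", b"kernel v1"]
TAMPERED_CHAIN = [b"firmware v1", b"bootloader v1 + implant", b"kernel v1"]
REORDERED_CHAIN = [b"firmware v1", b"kernel v1", b"bootloader v1"]
PASSPHRASE = b"purple llamas juggle quietly"


def demo() -> dict:
    tpm = SimTPM()
    boot(tpm, GOOD_CHAIN)
    blob = tpm.seal(PASSPHRASE)  # owner enrols a phrase on a known-good boot

    results = {}
    for name, chain in (("clean", GOOD_CHAIN),
                        ("tampered", TAMPERED_CHAIN),
                        ("reordered", REORDERED_CHAIN)):
        boot(tpm, chain)
        results[name] = tpm.unseal(blob)
    return results


if __name__ == "__main__":
    for name, secret in demo().items():
        print(f"{name:10s} -> {secret!r}")
```

Unlike Secure Boot, this scheme does not stop a modified component from running; the owner notices the change because the machine can no longer show the enrolled phrase.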

    1. Re:Disposable, and "Not A Personal Computer" by skegg · · Score: 1

      There should be a permanent sh!tlist pinned to the top of Slashdot with any vendor that promotes this scheme for "PCs".

      Yep, second this.

      Given so many of us here on Slashdot are the go-to guys / gals for tech with our families and friends, we could certainly hit the manufacturers where it hurts ... in their hip-pockets! Bringing any such list to the attention of manufacturers may even dissuade them from attempting this. (?)

    2. Re:Disposable, and "Not A Personal Computer" by nateman1352 · · Score: 1

      I suggest rallying around vendors like this: https://www.crowdsupply.com/pu...

      Honestly I think those guys are a bunch of hypocrites. They make a big deal about openness and evil binary blobs etc. But last I checked I don't see their board design schematics, layout files, CAD drawings for the chassis, etc. available anywhere under an open source license. They make a big deal about needing open source to foil NSA backdoors... what about NSA backdoors baked in to the board design? A covert NFC chip can violate privacy just as easily.

      Moreover, even if you had all the source code for every single byte of code, how can you trust the binaries that were pre-installed by these guys? Should we really expect every end user to recompile everything and crack open the case and use a flash programmer to reflash everything (flash programmers are spendy by the way.) Also, even if it is open source we won't find all the security vulnerabilities in the code anyway (see Heartbleed.)

      Call me crazy, but I respect IHVs wanting to have the ability to patch hardware issues on devices that have already shipped. Remember the Pentium FDIV bug? Intel has had up-datable microcode ever since then for a reason. Having hardware be patchable like that creates binary blobs out of necessity. I guess I'm just too pragmatic or something.

    3. Re:Disposable, and "Not A Personal Computer" by Burz · · Score: 1

      I suggest rallying around vendors like this: https://www.crowdsupply.com/pu...

      Honestly I think those guys are a bunch of hypocrites. They make a big deal about openness and evil binary blobs etc. But last I checked I don't see their board design schematics, layout files, CAD drawings for the chassis, etc. available anywhere under an open source license.

      Honestly, I don't think anyone has raised the question with them. They have responded very well to the concerns of Qubes users, developers and other communities. Something tells me they would love to emulate the Apple of the 1970s and supply schematics.

      Call me crazy, but I respect IHVs wanting to have the ability to patch hardware issues on devices that have already shipped. Remember the Pentium FDIV bug? Intel has had up-datable microcode ever since then for a reason. Having hardware be patchable like that creates binary blobs out of necessity. I guess I'm just too pragmatic or something.

      I don't get this part. You're against closed design for motherboards but not for firmware?

      The hypocrisy charge doesn't hold. Purism is a tiny startup and they are not going to be able to deliver the whole kit and kaboodle down to the last transistor to you immediately. In the meantime, we can have hardware whose documentation is thorough and therefore FOSS-friendly with no mystery drivers; we can have all open software and firmware on a powerful system if Intel is willing.

  59. Re:I dub all unswitchable hardware: disposable by Burz · · Score: 1

    The vast majority of PC buyers will never want the missing feature, and will be protected from social engineering attacks that would turn it off. As for a compromised OS bricking the system? Well, that's probably actually a good thing for most people. Much better than their bank account getting siphoned.

    I think you mean it's better for MS and vendor bank accounts, not ours.

  60. Re:I can't wait for the Linus Torvalds rant over t by perpenso · · Score: 1

    Or Red Hat and Ubuntu establish relations with OEMs and see that factory signed Linux binaries work just fine. Would suck for kernel devs but would probably work just fine for most Linux users. Linux is not doomed.

  61. Actively Trying to kill off the desktop PC by Anonymous Coward · · Score: 1

    Really with desktop sales as they are, the winning strategy is to make them even less attractive?

    Who will even want to use a desktop when phones and tablets have the same horsepower? Why would anyone put up with this nonsense?

  62. Less competition for Linux Ready Systems by RichMan · · Score: 1

    So those systems that are Windows 10 locked will be unable to run Linux. This is great for those suppliers that support Linux as they will effectively have less competition.

  63. not really optional by Anonymous Coward · · Score: 0

    I bet Microsoft has an agreement with OEMs to not really add that option. By "leaving" it to OEMs, Microsoft can deflect any involvement in the matter to the OEMs. OEMs do not care about Linux users anyway, so no loss for them.

  64. Re:I can't wait for the Linus Torvalds rant over t by nukenerd · · Score: 1

    Make no mistake. This is a literal and direct attack on Linux.

    This isn't about Linux. People who buy a pre-built system from one of the big OEMs have no intention of installing an alternative OS, so this is a non-issue for them.

    We nearly all started with a pre-built system. What Microsoft want is to prevent someone with such a system from trying out Linux, perhaps with a live CD, and liking it.

    I started with a pre-built (did not have the knowledge back then to try anything else) pre-loaded with Windows, but have built my own ever since running Linux. Microsoft won't stop me now or ever, I am a lost cause to them; but they'd love to stop others following my path. That is what this is about.

  65. I don't see the problem by Thraxy · · Score: 2

    I'm not buying a crippled system. Are you?

    1. Re:I don't see the problem by Anonymous Coward · · Score: 1

      ... until there's nothing on the market BUT crippled systems. Hardware makers cater to the mass market. If the mass market buys it, we're all screwed because they won't make anything else. There might, *MIGHT* be small-time manufacturers making 5-year old tech, at 20x the price.

  66. The linpocalypse is not upon us by perpenso · · Score: 1

    >"So Red Hat and Ubuntu establish relations with consumer hardware vendors and offer factory signed binaries. Linux is not doomed. Linux kernel developers need to be careful about their motherboards but the vast majority of Linux users would be just fine."

    And what about Mageia? And what about ...

    As I said, the vast majority, not all, Linux users should be fine. The linpocalypse is not upon us. A few would need to be careful about their motherboards.

    The "solution" is not to try and get everyone to play by the stupid secureboot "rules" that MS is trying to force on everyone. The solution is to have ALL machines give the owner of the machine the CHOICE to decide if they want secureboot on or off.

    No. The "solution" is to give all buyers the option of buying a machine with or without secureboot locked down. There is nothing wrong with a buyer preferring to get a factory locked down box if they so choose.

    Microsoft saying it is "optional" means it absolutely won't be optional when they start putting behind-the-scenes (and probably illegal) pressure on the OEM's to start the lockdown.

    OEMs have already demonstrated a willingness to cater to the BYO hobbyist crowd. There is no reason to expect that consumer motherboards without a factory lock down will no longer be available.

    1. Re:The linpocalypse is not upon us by markdavis · · Score: 1

      >"No. The "solution" is to give all buyers the option of buying a machine with or without secureboot locked down. There is nothing wrong with a buyer preferring to get a factory locked down box if they so choose."

      Yes there is. It doesn't make sense to offer a forced secureboot machine. Highly improbable any OEM is going to offer two of the same model. Either it will be unlocked or locked and not offered both ways (almost guarantee it). And if it is locked- it is "defective by design".

      Plus most consumers don't know and won't know what secure boot is until it is too late. And they won't be told it anyway, and can't find out even if they want to know... it won't be on the box, or in manuals, or on the website or even with customer support. They might decide they need to run a utility or a different OS 6 months later and they are just screwed.

    2. Re:The linpocalypse is not upon us by perpenso · · Score: 1

      >"No. The "solution" is to give all buyers the option of buying a machine with or without secureboot locked down. There is nothing wrong with a buyer preferring to get a factory locked down box if they so choose."

      Yes there is. It doesn't make sense to offer a forced secureboot machine.

      So your politics invalidates someone else's genuine want? Some people will want the factory lockdown to enhance security. Some people think the factory lockdown of a chromebook is a good thing (yes, it can be disabled but many chromebookers are unaware or not interested in disabling it).

      Highly improbable any OEM is going to offer two of the same model. Either it will be unlocked or locked and not offered both ways (almost guarantee it).

      Who cares if it's the same model. The fact is the same motherboard can have the firmware configured differently. There will most likely be some option to get an open system. Maybe fewer options than locked down but some options. Again, the current support for the BYO hobbyist market suggests that there is sufficient consumer interest.

      And if it is locked- it is "defective by design".

      That is a political judgement. A person may want a more secure Windows box and the ability to recycle the machine as a Linux box when it is replaced is a non-issue to them. Hence to them there is no defect.

      Plus most consumers don't know and won't know what secure boot is until it is too late. And they won't be told it anyway, and can't find out even if they want to know... it won't be on the box, or in manuals, or on the website or even with customer support. They might decide they need to run a utility or a different OS 6 months later and they are just screwed.

      Yeah, 6 months later they will suddenly hear about Linux for the first time and decide to switch. And for those who actually know about Linux and have an occasional need they will probably just run it in a VM.

      And then we still have the likelihood that well financed distros like Red Hat and Ubuntu will probably have vendors support their distros. So switchers will probably be just fine even with locked down systems.

    3. Re:The linpocalypse is not upon us by skegg · · Score: 1

      There is nothing wrong with a buyer preferring to get a factory locked down box if they so choose.

      Yes, there is. Can you honestly not see the gradual slide towards loss of freedom?

      Why not make it optional? That way, a technical person could get into the menu and disable it.
      A non-technical person wouldn't even know this is possible, and leave it as default.

      Problem solved, without imposing draconian measures on everyone!

    4. Re:The linpocalypse is not upon us by jedidiah · · Score: 1

      > So your politics invalidates someone else's genuine want? Some people will want the factory lockdown to enhance security.

      No. NO ONE wants this. NO CUSTOMER wants this. This is just something that the Ayn Rand brigade like because it allows corporations greater freedom to abuse the rest of us. That includes the paying customer that is indifferent at best.

      Microsoft likes this. No one else does.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    5. Re:The linpocalypse is not upon us by perpenso · · Score: 1

      There is nothing wrong with a buyer preferring to get a factory locked down box if they so choose.

      Yes, there is. Can you honestly not see the gradual slide towards loss of freedom?

      No. I only see an inconvenience that any retired Windows PC can not be turned into a Linux box. I fully expect that consumer motherboards without a factory lockdown or with a user configurable lockdown will be available for those going the build-your-own route. Motherboard vendors already cater to the BYO/tinkering crowd.

      I also expect Red Hat and Ubuntu to see that their distros will be supported by PC vendors.

      So no, I don't see the loss of the freedom to run Linux on the horizon. I only see potential compatibility problems on some systems. Is this a negative, yes, but what is the other side of the equation, what is the tradeoff? A more secure Windows PC for the average user who has zero interest in ever running Linux. I think that is a positive that outweighs the Linux enthusiast negative.

      Why not make it optional? That way, a technical person could get into the menu and disable it. A non-technical person wouldn't even know this is possible, and leave it as default. Problem solved, without imposing draconian measures on everyone!

      I'm fine with that, much as we see with chromebook. I'm just arguing that the end of the world for Linux is not upon us. It's an annoyance, an inconvenience.

    6. Re:The linpocalypse is not upon us by perpenso · · Score: 1

      Some people will want the factory lockdown to enhance security.

      No. NO ONE wants this. NO CUSTOMER wants this.

      Easily disproven. Owners and users are not necessarily the same people. A company may not want to let its employees disable secureboot.

    7. Re:The linpocalypse is not upon us by RandomAdam · · Score: 1

      But there is every reason to expect that I will no longer be able to choose from all laptops on the market and then just install linux on it like I have been doing for the last 15 years (much easier these days...everything just works TM); next year or the year after when I want to upgrade my laptop I will have to spend significantly longer looking to see which vendors supply an unlocked boot loader. If there is one available at all.

      I am currently running an Asus Zenbook which is a great machine; I wonder if this will be possible in the near future, will I be able to buy a machine based on what I want or will I be restricted to 3 vendors and 4 models from each?

      I have been running Ubuntu mostly; but from time to time have experimented with: Mint; Debian; Fedora; BSD; Tails and Qubes. And maybe a few others I can't remember. Are the days of trying a new OS for the weekend gone? (get spare HDD, load OS and test drive for the weekend, back to main OS HDD on Sunday night).

      --
      @Random_Adam

      Sometimes a sig doesn't have to be funny!!
    8. Re:The linpocalypse is not upon us by perpenso · · Score: 1

      But there is every reason to expect that I will no longer be able to choose from all laptops on the market and then just install linux on it like I have been doing for the last 15 years (much easier these days...everything just works TM);

      No, there is actually every reason to believe that well funded Linux distros like Red Hat and Ubuntu will work with hardware vendors to make sure they are not locked out.

      next year or the year after when I want to upgrade my laptop I will have to spend significantly longer looking to see which vendors supply an unlocked boot loader. If there is one available at all.

      Yes, that is annoying. But there is a tradeoff here. Possibly inconveniencing users of smaller Linux distros unable to work with hardware vendors and people who want to compile their system code (been there) versus strengthening security on the Windows boxes used by the overwhelming majority of users. It's not unreasonable for companies who are selling dedicated Windows boxes with no promise of the ability to repurpose as Linux boxes to get on board such a tradeoff.

      Are the days of trying a new OS for the weekend gone? (get spare HDD, load OS and test drive for the weekend, back to main OS HDD on Sunday night).

      No, run the OS in a VM.

    9. Re:The linpocalypse is not upon us by david_thornley · · Score: 1

      Easily disproven? You're speculating here, not providing actual evidence. You can't disprove something with speculation.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    10. Re:The linpocalypse is not upon us by perpenso · · Score: 1

      Easily disproven? You're speculating here, not providing actual evidence. You can't disprove something with speculation.

      You wrote: "NO ONE wants this. NO CUSTOMER wants this." The capitalization is your emphasis. You assumed the customer is the user, I demonstrated that this is not so. Only one counterexample is necessary to disprove a claim such as yours. The existence of an employer who does not want to let employees disable secureboot is something far beyond speculation. There are already companies out there that try to lock down configuration for security and compliance reasons. I've known people who work in environments where their PCs netboot for such reasons.

  67. Re:I can't wait for the Linus Torvalds rant over t by nukenerd · · Score: 1

    What's in it for the OEM to do this? Why would they purposefully lock their customers out of a choice of OSes?

    Rightly or wrongly, perhaps they fear that their help lines will be tied up with people who have installed Linux (or are trying to) asking for help. Perhaps this happens - I do not know, but can imagine it can in some cases.

    Now they will be able to say : "It can't be done, end of story, have a nice day." [Click]

  68. Re:I can't wait for the Linus Torvalds rant over t by BradleyUffner · · Score: 3, Insightful

    How many standard users are going to turn that off?

    How many "standard" users are going to install Linux, or even know what Linux is?

    Once a user learns enough about Linux to want to install it they will undoubtedly know how to turn this feature off or install the correct keys.

  69. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 1

    don't worry, mr. evil executive and his legion of worker drones are already on that. first up will be at the low end - hardware that is getting windows for nothing, or close to it in order to compete with linux (and android, and ios for that matter) - those will be the first ones to be locked down to microsoft.

    to this and future efforts of microsoft's in this arena... i have one thing to say: ''fuck you, microsoft''

  70. Told you so. by Anonymous Coward · · Score: 0

    I, and many others, predicted exactly this a few years ago. Boiling the Frog... sure, it was 'Optional' then.. the next step would be to encourage OEMs to make it on by default, then discourage turning it off, then PROHIBIT turning it off.

    We're at the 2nd-last stage. Windows 11 or 12 will, mark my words, require OEMs to force UEFI on, with no way to turn it off.

  71. Re:I dub all unswitchable hardware: disposable by ATMAvatar · · Score: 1

    What's more important is what the volume buyers (i.e., businesses) do. Many businesses bulk purchase hardware and re-image it. You can bet that 100+ machine purchase will generate a backlash when re-imaging it to Windows 7 so mission critical apps still work results in bricked machines.

    --
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
  72. Re:I can't wait for the Linus Torvalds rant over t by Anonymous Coward · · Score: 1

    > What's in it for the OEM to do this? Why would they purposefully lock their customers out of a choice of OSes?

    Most likely because Microsoft will give them an additional discount. It is how MS controls the OEMs - do it this way or lose $5 discount on every one of the million PCs you will make this year. It worked for Netbooks.

    > Regarding PCs though, I can think of nothing that would generate a new anti-trust lawsuit faster than this. MS had better walk damn carefully here if they do ANYTHING that could be perceived as unfairly locking Linux and other OSes from PC hardware.

    Phones are generally locked out of other OSes. Windows RT devices are locked out. XBox is locked out (as are other consoles). At one time some modems and printers were locked out from other OSes. Why do you think that PCs are special? It will, most likely, be specific models being sold as 'Windows 10 devices'. Other models will run still other OSes.

    Of course Windows XP and 7 will also be locked out. Once in 10 there will be no going back.

  73. Re:I dub all unswitchable hardware: disposable by macs4all · · Score: 1

    Secure boot could be a good thing if the user was allowed total control, but microsoft shows their true goal here, which is to take total control of the PC market.

    I know of at least one PC hardware OEM who won't likely play that game...

  74. Re:I dub all unswitchable hardware: disposable by Lead+Butthead · · Score: 4, Informative

    ... to apply some unofficial, off-the-record pressure to the OEMs ...

    Pressure? Not at all. There'll just be a ... "discount" if you do. This has happened before, and it'll happen again. It's within M$'s nature to rub out its competitors by pressing every advantage; it can't help itself.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  75. Dead body twitching by Anonymous Coward · · Score: 0

    Windows and Microsoft died a few years ago. The general public are buying tablets using Android or iOS as an operating system

  76. The sky is falling... or maybe not. by westlake · · Score: 0, Flamebait

    I am buying hardware in wholesale lots for internal corporate use.
    Hardware the users will never own or be permitted to modify without approval from above.
    Tell me why I don't want secure boot and an OS signed by Microsoft or one of the mainstream Linux distributions.

    I am a retailer in the general consumer market where bare bones or dual boot has never sold worth spit.
    Tell me why I don't want a known-good OEM system install with an OS signed and badged by Microsoft or one of the mainstream Linux distributions.

    The geek has piggy-backed on cheap OEM hardware built for the MSDOS and Windows ecosystem since 1981 --- and when Microsoft makes a decisive move, as it has with Win 10, the geek has to move with it.
    Future motherboards will support secure boot. The mainstream Linux distributions will support secure boot --- ultimately, with a licensed key and not a hack-around.

    1. Re:The sky is falling... or maybe not. by Lumpy · · Score: 2

      Because you will not be able to install your system wide Windows 7 image on it. If you ACTUALLY did IT for a corporation you would have already known this. No corporation is going to run windows 10 for at least 3 years.

      --
      Do not look at laser with remaining good eye.
    2. Re:The sky is falling... or maybe not. by phantomfive · · Score: 1

      Tell me why I don't want secure boot and an OS signed by Microsoft or one of the mainstream Linux distributions.

      If you can't see why "only approved operating systems allowed" is a bad thing, then you're probably not on the right site, but much has been written on that topic. If the logic of all that has been written doesn't sway you, then there is nothing left but to call you a corporate whore.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:The sky is falling... or maybe not. by Anonymous Coward · · Score: 0

      ... not a hack-around.

      Ha! Every mass produced DRM technology for video has been hacked. Secure boot will be no different.

    4. Re:The sky is falling... or maybe not. by Anonymous Coward · · Score: 0

      > I am a retailer in the general consumer market where bare bones or dual boot has never sold worth spit.

      If you do computer service, you'll be harmed by this. Some of the best computer restoration methods are hobby projects that will *never* have the resources to purchase a signed Secure Boot key.

      Secure Boot is a really good thing. When properly implemented [0], it stops a whole class of really nasty attacks. Taking away the Secure Boot disable switch from end users (and, as MSFT will inevitably try to do, removing end-user key enrollment) is a step much too far.

      > [W]hen Microsoft makes a decisive move, as it has with Win 10, the geek has to move with it.

      Ha! History is littered with the shells of ignored decisive moves that came out of Redmond.

      > ...cheap OEM hardware built for the MSDOS and Windows ecosystem...

      Yeah. There's your mistake. That hardware was general purpose computing hardware. MSFT didn't subsidize the construction of said hardware. That hardware wasn't built for the "MSFT ecosystem"; it was built to run computer programs, of which MSDOS and Windows are two out of millions.

      It *is* MSFT's wet dream to make every computer a Windows-only computer. There's too much value in general purpose computers for too large a segment (in terms of dollars spent) of the market for this to actually happen.

      [0] http://mjg59.dreamwidth.org/#entry-30773 (This guy is a *really* good resource for Secure Boot, UEFI, and ACPI information and issues.)

    5. Re:The sky is falling... or maybe not. by westlake · · Score: 1

      No corporation is going to run windows 10 for at least 3 years.

      That is true --- but it is only a stay of execution.

    6. Re:The sky is falling... or maybe not. by Voyager529 · · Score: 1

      Tell me why I don't want secure boot and an OS signed by Microsoft or one of the mainstream Linux distributions.

      Acronis True Image/Clonezilla/Ghost/Veeam.
      Hiren's Boot CD/Active@ Boot CD/UBCD4Win.
      GPartEd/PartEd Magic.
      FreeNAS/Nas4Free/OpenFiler/UnRAID.
      Endian/Smoothwall/Untangle/IPFire.
      FreePBX/PiaF/Trixbox.
      Univention/Zentyal/ClearOS.

      Sure, desktops for office use will never have a problem. However, the inability to use desktop hardware for any number of other dedicated services is most decisively a bad thing, and the inability to boot into some form of a recovery environment is even worse.

      If you're buying the desktops for internal corporate use, leave secure boot on and password the BIOS, everyone's happy.

    7. Re:The sky is falling... or maybe not. by Anonymous Coward · · Score: 0

      Tell me why I don't want secure boot and an OS signed by Microsoft or one of the mainstream Linux distributions.

      If you can't see why "only approved operating systems allowed" is a bad thing, then you're probably not on the right site, but much has been written on that topic. If the logic of all that has been written doesn't sway you, then there is nothing left but to call you a corporate whore.

      It's Microsoft's hardware specification and it always has been; they get to write it however they wish. (Libertarian enough for ya?) Alternative operating systems have just been getting a free ride. Yep, Linux on the desktop has been dancing to Microsoft's tune in a very fundamental way all along.

      Now that there is a legitimate reason for that free ride to end (and reducing malware dramatically is a pretty damned compelling reason), tough luck. Give us one good reason anyone outside Microsoft gets a say in Microsoft's hardware specification without being an equally good reason Microsoft gets a say in Red Hat or Canonical's specification. (First one to yelp "b-but anti-trust!" gets a contemptuous laugh and a pointed reminder on what the requirements for making that charge stick actually are.)

      The players in the Linux ecosystem need to come up with their own hardware standard and persuade OEMs to follow it. Time to stand on your own two feet, boys and girls.

    8. Re:The sky is falling... or maybe not. by Anonymous Coward · · Score: 0

      "The geek has piggy-backed on cheap OEM hardware built for the MSDOS and Windows ecosystem since 1981 --- and when Microsoft makes a decisive move, as it has with Win 10, the geek has to move with it."

      You are fucking kidding me.

      Where did this idea come from?

  77. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 1

    What do you care what kind of hardware the "vast majority of PC buyers" who don't care about this feature use?

    I'd never buy one but I'd want my mom to have one. Because I want it to run Windows forever AND I don't want any possibility of her being tricked into disabling it by a fake Microsoft support call from overseas or some other exploit, rendering the computer broken.

    I think the main issue with this will be labeling - the OEMs won't bother to label their products as disable-able or not, and we'll all have to sort it out for ourselves, which puts a tremendous burden on the part of the buying community that does care.

    Solution: Overwhelm customer support with inquiries regarding this setting for every piece of hardware that is undocumented.

  78. Even worse than you think by Anonymous Coward · · Score: 3, Informative

    I just purchased four Dells with Windows 8.1 from NewEgg along with 8.1 Professional for each to use in a business. I swapped out the HDDs for SSDs and installed using OEM licensed, legitimate 8.1 Pro media. None of them will run Professional, instead defaulting to fully registered 8.1 Basic.

    They won't accept the Windows Product keys at all. Instead, they show completely different keys that must have been installed into the hardware. This occurs whether secure boot is turned on or off. I have a case number with MS to resolve this BS.

    I also built a PC from parts and installed using a fifth copy of 8.1 Pro. It installed correctly and jumped right onto the domain. This is not about "copyright infringement". It is about control and squeezing customers for as much money as they can get.

    1. Re:Even worse than you think by NJRoadfan · · Score: 1

      Sounds like the Windows install media is picking up the OEM key in the BIOS instead of prompting you for a key. Best way around this is to create a Windows 8.1 USB stick and set up an ei.cfg file to force the Pro version to install. https://technet.microsoft.com/...

    2. Re:Even worse than you think by mrchaotica · · Score: 1

      Why the fuck should there be a goddamn OS license key in the BIOS to begin with?!!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    3. Re:Even worse than you think by NJRoadfan · · Score: 1

      Because the earlier OEM pre-activation system (SLIC 2.1) was easily cracked by modifying the BIOS.

    4. Re:Even worse than you think by riondluz · · Score: 1

      Thank you for reminding me why I choose not to talk about computers to anyone who (personally) uses Microsoft products

      --
      resist propaganda
  79. Re:I dub all unswitchable hardware: disposable by ikhider · · Score: 1

    The masses don't know and don't care. Maybe Slashdotters do, but we are going against the tide of lemmings stampeding for the cliff. Maybe we need two 'puters now. One 'puter where we do stuff for the man another for everything else.

    --
    "SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
  80. Re:I can't wait for the Linus Torvalds rant over t by ikhider · · Score: 1

    Uhhh, last I checked, Linus has no problems with secureboot. https://www.youtube.com/watch?...

    --
    "SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
  81. Re:I can't wait for the Linus Torvalds rant over t by Anonymous Coward · · Score: 0

    From my experience people that make 6 figures or higher are pretty much drooling morons in regards to pc's and Operating systems.

  82. What about laptops? by tech10171968 · · Score: 2

    This is the precise reason my next laptop is probably going to be ordered from someone like System76 or Zareason. I shouldn't have to do this silly UEFI dance with offerings from major "Big-Box" OEM's just to install my choice of OS on what is supposed to be MY system. So why not avoid all the BS and buy a portable from a manufacturer which actually specializes in building Linux machines?

    --
    This space for rent!
  83. Steam Machines by dottrap · · Score: 2

    Go buy a Steam Machine. There are already 15 vendors lined up to sell them. These OEMs are betting people are tired of this typical Microsoft BS. Prove them right and buy their machines and support their effort.

  84. Thinkpenguin, System76, Lemote... by ikhider · · Score: 2

    Are there any more companies that offer GNU/Linux out of box on lappies? Somehow, I do not trust the Dells and HPs of this world.... What about desktops? Do you have to have Windows by default too when you buy a new motherboard? Anyone?

    --
    "SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
    1. Re:Thinkpenguin, System76, Lemote... by Anonymous Coward · · Score: 0

      https://puri.sm/
      https://system76.com/
      https://zareason.com/

    2. Re:Thinkpenguin, System76, Lemote... by Anonymous Coward · · Score: 0

      Where I live, most (if not all) companies sell laptops preloaded with FreeDos - HP, Lenovo, Asus etc. I suppose a laptop that can run FreeDos will be able to run any kind of Linux, right?

    3. Re:Thinkpenguin, System76, Lemote... by Anonymous Coward · · Score: 0

      ZaReason because they support many different distros.

  85. Meanwhile by robmv · · Score: 0

    Meanwhile Microsoft uses and distributes a preview version of Windows Phone 10 for an Android device with an unlockable bootloader. Ironic, when an underdog Microsoft uses all openness available, when not, squeeze any freedom so people get locked to them. The same Microsoft of all times.

  86. Re:I dub all unswitchable hardware: disposable by senatorpjt · · Score: 1

    Thanks, I'll have to stop having Amazon donate money to FSF every time I buy something there... BTW, how old is that? It looks like it was when Amazon mostly sold books.

  87. Re:I can't wait for the Linus Torvalds rant over t by Dutch+Gun · · Score: 1

    Most likely because Microsoft will give them an additional discount. It is how MS controls the OEMs - do it this way or lose $5 discount on every one of the million PCs you will make this year. It worked for Netbooks.

    I would think that doing this would open themselves up for another anti-trust lawsuit. Seriously, the 99% dominant player is paying OEMs to lock out the 1% player, the only real alternative for PCs? Both they and Google have gotten into anti-trust trouble for a hell of a lot less.

    Doing what you suggested seems incredibly risky just to quash their "competition" which has never measured more than a statistical margin of error, and in a computer demographic of lessening importance, no less. However evil people may think MS is, I just don't think they'd be that stupid.

    Who knows... maybe I'm overestimating them.

    --
    Irony: Agile development has too much intertia to be abandoned now.
  88. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 0

    No need for even that. Just tell people that there's no way of knowing whether systems that don't have secure boot have a malware hypervisor, and convince some big banks to give people some kind of brownie points for accessing their website or app or whatever from a secure boot computer.

  89. Re:I dub all unswitchable hardware: disposable by Prune · · Score: 1

    until the secure boot controversy was diffused

    Diffused through what? Or are you struggling with basic grammar?

    --
    "Politicians and diapers must be changed often, and for the same reason."
  90. Secure boot by Anonymous Coward · · Score: 1

    Poettering, save us!!

  91. Will OEMs pay less for Windows if they lock it? by HalAtWork · · Score: 1

    I hope they don't get a price break for locking it.

  92. Re:I dub all unswitchable hardware: disposable by Larryish · · Score: 1

    Fuck.

    This whole thing is made of fail.

  93. Re:I can't wait for the Linus Torvalds rant over t by Anonymous Coward · · Score: 0

    Ya, I recently installed CentOS 7. Worked and installed fine using the factory keys, but vmware refused to launch since it needs to hook into the kernel, and I was unable to do anything about it.

  94. Re:I dub all unswitchable hardware: disposable by hamsterz1 · · Score: 1

    You can't "define" away the truth. It is not a conspiracy theory to say MS violated anti-trust laws in the past, nor has MS learned from their past failures, in and out of court. My only hope is that more, and more people will become DIY system builders, and build their own computers, and become empowered with the right knowledge of PCs and all the choices we STILL have!

  95. Re:I dub all unswitchable hardware: disposable by Microlith · · Score: 1

    The next gambit in secure boot is to disallow the user putting in their own signing keys.

    This is that gambit. If you cannot turn secure boot off, you cannot alter the keys.

  96. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 2, Insightful

    The problem is when big monied interests are successful at ridding the market of hardware that fits your needs in exchange for that which fits theirs. You know as well as I do that the general public won't consider this even a minor issue, never mind a deal-breaker when it comes to new hardware purchases.

    By the time the public sees any problem with the amount of control that's been pulled away from them, it'll be far too late to do anything except start from scratch.

  97. Re:I dub all unswitchable hardware: disposable by xeoron · · Score: 1

    Add these to your list: System 76, Intel NUC, Dell (at least, the systems that you can order Linux preloaded on them), and mobo manufacturers that sell to consumer system builders.

  98. Can't happen by 0123456 · · Score: 4, Informative

    When we pointed this out years ago, the Microsoft trolls told us to stop being silly, because it was optional and Microsoft would never, ever think of changing that. Why, the very idea!

    1. Re:Can't happen by Anonymous Coward · · Score: 0

      Secure Boot isn't a MSFT standard. It's part of UEFI 2.2. UEFI's precursor was originally developed by Intel. UEFI is now managed by a large number of computer corporations: http://en.wikipedia.org/wiki/Unified_EFI_Forum .

      Troll better.

    2. Re:Can't happen by Anonymous Coward · · Score: 0

      We have altered our agreement, pray we do not alter it any more!

    3. Re:Can't happen by Rich0 · · Score: 1

      When we pointed this out years ago, the Microsoft trolls told us to stop being silly, because it was optional and Microsoft would never, ever think of changing that. Why, the very idea!

      I'm a fan of UEFI. I don't use any PCs with UEFI that run Windows. Being a fan of UEFI doesn't make you a Microsoft troll.

      I'm a fan of RSA too, even though it is used to enable all kinds of lousy anti-consumer nonsense.

      The problem isn't UEFI. The problem is vendors who lock down the keys or don't give users a way to turn it off. I'd actually go a step further and ban pre-loading computers with keys at all - just let the user generate their own, and make all the OS/firmware/whatever vendors come up with easy ways to let users install their OSes and firmware updates and all that while still having keys that only the user can sign with.

    4. Re:Can't happen by Anonymous Coward · · Score: 0

      No, we told you "Microsoft hardware standards were written for running Windows. You freetards want to leech off it as a pseudo-standard for Linux too, fine but don't bitch if something changes that breaks things. Microsoft doesn't owe you squat."

      Secure Boot isn't a MSFT standard. It's part of UEFI 2.2. UEFI's precursor was originally developed by Intel. UEFI is now managed by a large number of computer corporations: http://en.wikipedia.org/wiki/Unified_EFI_Forum .

      Troll better.

      Microsoft's hardware standards is a big fat document that OEMs get that describes the features required for a system to boot Windows. It happens to require UEFI 2.2.

      As you have successfully demonstrated, /.ers know nothing about how the PC OEM ecosystem actually works.

  99. Buy from OEMs with no legs to break by tepples · · Score: 1

    This is "optional" for OEMs in the same way as they have the option to have MS break their legs or not.

    Solution: Buy from OEMs with no legs to break, like Arkadians, Terra-Fermians, Weebles, Bile Demons, or maybe Mr. Wobblyman.

  100. Re:I can't wait for the Linus Torvalds rant over t by DigiShaman · · Score: 1

    Why would an OEM do this? Perhaps to get a discount when setting PCs with a copy of Windows 10 pre-loaded. When talking about desktop hardware, I seriously doubt Linux is the target; if it was, they should be going after server grade hardware. No, I suspect this is about locking the Steam gaming platform out of the market.

    --
    Life is not for the lazy.
  101. Re:I dub all unswitchable hardware: disposable by khellendros1984 · · Score: 2

    What do you care what kind of hardware the "vast majority of PC buyers" who don't care about this feature use?

    Because hardware manufacturers are going to go after the largest part of the market possible, not cater to the fussy long tail of malcontents that need uncommon features like the ability to load their own OS. We've finally gotten to the point where I don't need to be incredibly picky over the hardware that I buy to ensure that it'll run Linux acceptably. I don't want to have to research through user forums for anecdotal evidence that some particular piece of hardware was mislabeled as not being locked down, and I don't really want hardware that I might have to break the warranty on to do something that I do with all of my hardware as a matter of course (shrink the Windows partition and throw Linux on the sucker). That is why I care about what the unconcerned masses are running.

    Solution: Overwhelm customer support with inquiries regarding this setting for every piece of hardware that is undocumented.

    As a last resort? OK, if it's the only way to get the hardware that I need. As a first choice of solution? I'd rather not.

    --
    It is pitch black. You are likely to be eaten by a grue.
  102. Re:I dub all unswitchable hardware: disposable by complete+loony · · Score: 2

    Yeah, yeah. The sky is falling.... Except that it isn't. With signed bootloaders like shim, you can install or run any operating system yourself without changing the BIOS to disable Secure Boot at all.

    Not being able to run a 3rd party OS was a concern with Windows 8. But the open source community have solved that problem. So being able to disable Secure Boot is no longer required.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  103. What compact laptop running multi-window Linux? by tepples · · Score: 1

    So why not avoid all the BS and buy a portable from a manufacturer which actually specializes in building Linux machines?

    So who makes an affordable laptop PC that runs multi-window Linux? Stock Android isn't multi-window, as Android's CDD relies on a window management policy of all maximized all the time. And last time I checked, companies you mentioned charge an Apple premium and lack a variety of sizes. System76 doesn't have anything smaller than 14 inches, and even ZaReason doesn't have a 10 or 11 inch model. This makes Linux look big and clunky.

  104. Fear not by tepples · · Score: 1

    if you want a laptop, I'm afraid your options in the assemble-your-own department are somewhat lacking

    There's no need to fear; MSI is here.

  105. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 0

    > mislabeled as not being locked down

    Return defective. File chargeback if necessary.

  106. Re:I can't wait for the Linus Torvalds rant over t by TechCurmudgeon · · Score: 1

    It's about choice and future repairability. I bought the machine so I OWN IT. I don't want anyone making decisions what I can and cannot do with it. Maybe someone will get tired of their Windows PC constantly getting toolbars, adware, and other unwanted software installed and want to try an alternative. I work with seniors who have these problems all the time and are very frustrated by Windows. Why are people so willing to give up the right to change and fix things they bought and own to some mega-corporation? I'm glad I'm an old fart because I won't be around when everyone turns into sheeple.

  107. Linux does offer it (at least some distros) by Chirs · · Score: 1

    Redhat Enterprise Linux 7 and reasonably recent versions of SUSE have cryptographically signed kernel and drivers that work similarly to Windows.

  108. this is Microsoft by Chirs · · Score: 1

    The expectation is that they will offer some incentives to hardware manufacturers to get them to remove the off switch.

  109. sounds like broken software, not broken UEFI by Chirs · · Score: 1

    This is less a flaw in UEFI, and more a flaw in the process for updating the graphics drivers.

    1. Re:sounds like broken software, not broken UEFI by msobkow · · Score: 1

      Well, it's a consistent flaw with Windows 7 on this Lenovo box. I've repeatedly had to disable UEFI for driver updates; the graphics driver was just the first one I discovered the workaround for. What is surprising is that the reported error isn't listed in the Microsoft online error database with the suggested workaround of disabling UEFI while installing the driver.

      --
      I do not fail; I succeed at finding out what does not work.
  110. What's the problem? by Anonymous Coward · · Score: 0, Flamebait

    You fuckloads are always talking about how great Linux is because it runs on your 900 watt Pentium 60 just fine. Keep doing that.

  111. there is, for now by Chirs · · Score: 1

    The issue is that as of Windows 10 certified hardware that ability will be *optional*. (And the concern is that Microsoft may offer some incentives for hardware vendors to remove the ability.)

  112. not a bad thing if you control the keys by Chirs · · Score: 1

    As long as you get final say over who approves the software, then UEFI secure boot is great.

    The issue is that Microsoft will be in control of what software is approved.

    For now all x86 hardware still has the ability for you to disable secure boot and to load your own keys. What's changing is that this will be optional. Once that ability is removed, then that hardware will only boot software signed by Microsoft.

  113. Re:I dub all unswitchable hardware: disposable by DocHoncho · · Score: 3, Insightful

    Freedom is, in all aspects, "pining for the fjords." With regards to the manufacturers of gadgets, it isn't in their interest to allow even the slightest bit of freedom. You can't install your own OS on the device you paid for, you can't install software that wasn't blessed by the prevailing curator of the local app store. We're moving towards a society in which you (as a consumer) don't own anything, it's leased or rented or provided "gratis", so long as you remain in accordance with whatever contractual terms they wish to impose. And before the Desktop centric crowd chimes in with "I own my box!", sure, you do now. But the current business practice is to retain ownership of everything and dole out access with as many restrictions as possible. It isn't that big of a leap to presume that sometime in the future you'll only be renting your motherboard, and may even have to pay extra to enable more memory access or "Premium CPU interconnects". Hell, you might be already! Have you read through the entirety of the terms of use provided with every component present in your machine? Do you really think Intel has your best interest at heart? These corporate scumbags can stuff end user agreements with whatever they want, knowing full well that practically no one is either going to read it, or have the financial means to fight it out in court.

    Once the BIOS is locked down, why wouldn't manufacturers require extra payments for increased CPU throughput or maximum available RAM? Sure, your new mobo comes with slots for 64 GB, but it's only licensed for 16GB, any more requires an extra payment. These components are getting so sophisticated that bits and pieces of what used to be considered standard functionality, parts which were once hardwired, will be doled out as premium add-ons and DLC-like upgrades. There's nothing stopping them, it's only a matter of time before each and every aspect of the computing environment is held ransom by one company or another.

    --
    Celebrity worship is a poor substitute for Deity worship and costs more to boot.
  114. Re:I dub all unswitchable hardware: disposable by DocHoncho · · Score: 1

    Much better than their bank account getting siphoned.

    Unless, of course, it's OEMs doing the siphoning. Surely they don't want cyber-criminals to get an edge on a protection racket they could themselves get involved in. Let's charge premiums for CPU clock speed, maximum install-able RAM, etc. The possibilities are endless, and if the existing tablet/phone manufacturers are any indication, PC makers are lagging behind the extreme monetizing techniques available to a modern day PC maker.

    --
    Celebrity worship is a poor substitute for Deity worship and costs more to boot.
  115. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 2, Insightful

    Pressure? No. "Discount", yes.

    And considering the amount of shitware that was on my last desktop I didn't build myself (Acer, circa 2007), manufacturers apparently don't care about consumer opinion since that thing ran slower than 486 molasses brand new out of the box.

    In a few years, the irony may be that Apple is the most open of major PC makers.

  116. Student could BYO, use VM, use a pi, etc. by perpenso · · Score: 1

    What if some brilliant young programmer out there decides he wants to try his/her hand at creating his own OS? They'll never make it past the boot stage unless they puts their efforts into hacking the secure boot out of the system, which might put them off the idea entirely.

    BYO open options will still exist. Various motherboard vendors already cater to the BYO crowd. Plus that young student could run Linux in a VM on the locked down Windows box. Or they could hack around on some non-PC device like a Raspberry Pi. Many options exist.

  117. corporate death penalty by Anonymous Coward · · Score: 0

    corporations are a government fiction. dissolve microsoft. maybe break it up into small companies for each product. execute all the executives and start over.

  118. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 0

    Actually, I will simply blacklist any company - and all their subsidiaries/parent companies - from my supplier index if they ship with secure boot locked. I've already ditched Dell (design for maintenance issues), Lenovo (Spyware), and Sony (spyware/root-kit)... and paid the salaries for a couple more employees by working with manufacturers willing to supply hardware to my specs.

    The impact on Dell, Lenovo, and Sony has probably been unnoticed by their accountants. But I don't care. It's the principle of the thing. My IT's have enough nightmares to deal with, and I'd rather they deal with what is important.

    Get enough people refusing to buy crap hardware, and the problem will go away.

  119. Re:Secure boot by Anonymous Coward · · Score: 0

    he'll require the bios to run systemd next.

  120. Re:I can't wait for the Linus Torvalds rant over t by Anonymous Coward · · Score: 0

    I currently make 6 figures in a support job

    WTF?! I suppose you ride a unicorn to work too?

    If true, that is seriously fucked up.

  121. It already is more restricted... by Anonymous Coward · · Score: 0

    Actually, in case no-one else noticed, Microsoft already requires the secure boot to be WAY more restrictive than described here - in some cases.

    When you buy a new computer with Windows 8, it's likely that Microsoft already REQUIRED the manufacturer to make it impossible to disable Secure Boot (or in general, install any other OS), it's right there in the "System requirements":

    "[On an ARM system,] it is forbidden to enable Custom Mode. Only Standard Mode may be enabled."

    (source: https://msdn.microsoft.com/en-us/library/windows/hardware/jj128256 )

    Custom basically means "user can install any operating system" (also explained elsewhere in the document)

  122. Secure Boot? NSA Broke That Already by Anonymous Coward · · Score: 0

    Nothing that can't be defeated.

  123. Let's hear from some libertarians by dbIII · · Score: 1

    Some people would say this is anti-competitive behaviour from MS and that the consumer affairs machinery (ie. "big government") should kick into action but so far they have not.
    Let's hear from some libertarians - this is a prime example of a company doing whatever they want to remove all other choice in a market and there is no interference to them doing that. It sounds like a libertarian's wet dream to an outsider to me, but is it? What do they really think of the biggest player reducing all the options for everyone else?
    I'm hoping for an honest answer with some actual wisdom behind it instead of insults from the naive that never considered the implications of their "philosophy".

  124. Re:I dub all unswitchable hardware: disposable by davester666 · · Score: 1

    Why would this reimaging fail? Windows 7 should be able to play nice with UEFI Secure Boot [not that it affects me].

    --
    Sleep your way to a whiter smile...date a dentist!
  125. Re:I can't wait for the Linus Torvalds rant over t by 200_success · · Score: 1

    Linus Torvalds has gone on record saying that Tivoization is OK. I don't see how he can rant against bootloader locking without backtracking on that stance.

  126. Re: I dub all unswitchable hardware: disposable by Aighearach · · Score: 1

    And the average person cares about what Stallman thinks because....???

    Because the average person can't think for themselves.

    Oh wait, you're right, they also don't care if anybody is thinking.

    Perhaps only the above average care.

  127. Re:I dub all unswitchable hardware: disposable by gl4ss · · Score: 1

    I'm pretty certain MS will just make it so that if they make the device windows 10 only then the OEM gets the license for free.

    so unlockable will then mean a fee.

    --
    world was created 5 seconds before this post as it is.
  128. Re:I dub all unswitchable hardware: disposable by marky_boi · · Score: 1

    I think that Business machines will be exempted here.
    The corporate I work for has their own licencing server and loads their own crappified version of Windoze 7, also all our PCs have UEFI disabled and secure boot ... I see big business has the big stick in that arena.

  129. Lock your computer? by Anonymous Coward · · Score: 0

    Let's be generous and give Microsoft the benefit of the doubt. Suppose this were some "security" feature (and not just the desperate attempt to cling to their illegal ongoing monopoly that we know it is).

    Even then, is this a good idea? Wouldn't someone who wants your data simply take a hammer and smash open the case and rip out the hard drive, ripping off your fingernails till you give them the passwords they need to decrypt your data?

    I don't see how that's supposed to be appealing.

  130. KILL SWITCH... by Anonymous Coward · · Score: 0

    well....since I AM A PURCHASING MANAGER this MAKES MY JOB EASIER TO say yes TO the techies and BAN HARDWARE MANUFACTURERS THAT FORCE VENDOR LOCK IN UPON US...so WE WILL CULL ANY MANUFACTURER AND BIDS WHICH TRIES TO FORCE THIS THING ON US....

  131. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 0

    Microsoft is dying ... the last gasp of a dying !!!

  132. Those are 2nd-tier solutions. by sethstorm · · Score: 1

    Various motherboard vendors already cater to the BYO crowd

    Portable devices from traditionally locked down platforms don't really have that option. For those that do exist, they're usually built with older/low-end parts.

    Plus that young student could run Linux in a VM on the locked down Windows box

    That doesn't help when the issue requires direct hardware access.

    Or they could hack around on some non-PC device like a Raspberry Pi.

    See my first point. The Raspberry Pi is a 2nd-tier device that has still-unresolved USB issues.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
    1. Re:Those are 2nd-tier solutions. by perpenso · · Score: 1

      2nd tier solutions for an incredibly rare situation, student OS developer. Seems like a reasonable tradeoff for a 1st tier problem, improving security for nearly all computer users.

    2. Re:Those are 2nd-tier solutions. by Anonymous Coward · · Score: 0

      Nobody guarantees you getting "1st tier solutions", whatever the hell that means, for cheap.

      There will always be x86-64 development boards and embedded systems boards that will be made that will boot whatever you want. Anybody with enough free time to waste to write their own OS obviously is wealthy enough to afford to buy one.

  133. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 0

    Read the OP.

  134. They just play that game differently. by sethstorm · · Score: 1

    Apple doesn't do SecureBoot, they just make their devices a PITA to maintain.

    Between pentalobes, glue-fastened glass, components in hard-to-reach locations, and active hostility towards self-maintenance, Apple could claim prior art on the concept of SecureBoot.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
    1. Re:They just play that game differently. by macs4all · · Score: 1

      Apple doesn't do SecureBoot, they just make their devices a PITA to maintain.

      Between pentalobes, glue-fastened glass, components in hard-to-reach locations, and active hostility towards self-maintenance, Apple could claim prior art on the concept of SecureBoot.

      You do realize, of course, that pretty much all of those packaging choices are not done to annoy you; but rather to achieve a design-goal, usually thinness.

      And besides, on the laptops to which you are obviously referring, Apple rightly has determined that a vanishingly-small percentage of customers actually engage in DIY component-level service of their laptops.

      And if you take a peek inside of "thin" laptops from other manufacturers, you will find they use the same manufacturing techniques, such as glued display assemblies. And laptops have ALWAYS put components where they fit; not where they will be the most serviceable. Get over it.

      As for Pentalobe (SIPR) screws, you just have to buy a cheap hand tool, available from dozens of sources, such as Amazon. Big whoop. At one time, Torx screws were "exotic", too. And Apple isn't the only company that uses these fasteners; not by a long shot. If you were a real technician, you'd know that.

  135. Re:I can't wait for the Linus Torvalds rant over t by nukenerd · · Score: 1

    What Microsoft want is to prevent someone with such a system from trying out Linux, perhaps with a live CD, and liking it.

    Oh yeah, sure. Because of the MASSIVE increase in Desktop Linux market share?

    Where and how did "MASSIVE increase in Desktop Linux market share" come in to this? I never said anything about it, and never foresee such a thing happening either. WTF has it got to do with this topic?

    More to the point, Microsoft are fanatical about trying to stop even a handful of people from using anything but Windows. Microsoft rate them as criminals, and are like some fat Roman emperor hearing that some people at the edge of the World are not sacrificing half their cattle and virgins twice a day in homage to him, and sending a legion there to exterminate them. Every user is "important" to Microsoft, no matter how few.

  136. Not far enough. by sethstorm · · Score: 1

    When it has more specific component options (read: MXM-based graphics, better displays, and less garish chassis), then it might be realistic to call that "assemble your own".

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
  137. Re:I can't wait for the Linus Torvalds rant over t by Anonymous Coward · · Score: 0

    What's in it for the OEM to do this? Why would they purposefully lock their customers out of a choice of OSes?

    We're talking about the same OEMs that sell computers with "broken" ACPI settings such that they don't work on non-Windows OSes... unless you have the OS identify itself as Windows, right? You really need to ask why they would break non-Windows OSes for no apparent benefit? It's hard to tell if their benefit is a bribe from Microsoft or just pure incompetence.

    So, that being said... Can anyone explain to me why Microsoft can use the Secure Boot feature but Linux can't offer the same as an "out of the box" experience? Or why Windows can apparently be patched and continue to work, while Linux somehow can't? Is this true for Linux in general, or just for people who modify and compile their own kernel (which I'm guessing probably isn't that many)?

    Supporting Secure Boot isn't a problem. Linux does. Or rather, the major distros do, since it's bootloader-level support that matters, not kernel-level. The problem is the signing keys. Microsoft holds the (de facto?) default signing key for Secure Boot. To boot Linux with Secure Boot you have two options: (1) get Microsoft to sign your bootloader or (2) get the computer to accept additional keys other than just Microsoft's (or (3) disable Secure Boot). This article is about getting rid of options (2)/(3), leaving Microsoft in control of what OSes your computer can boot.

    It's a political issue of what keys are trusted, not a technical issue.
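
Added example, not part of the comment above or of any project's code: a Python reader for the Linux efivarfs copies of the `SecureBoot`, `SetupMode` and `db` variables that reports which of the states discussed in this thread a machine is in and whose keys its `db` trusts. The sample blobs, owner GUIDs and helper names are constructed for illustration; on a real system the script reads `/sys/firmware/efi/efivars`.

```python
import struct
import uuid
from collections import Counter
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")              # Linux efivarfs mount
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"      # SecureBoot, SetupMode
IMAGE_SECURITY = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
}
LIST_HEADER = 28  # 16-byte type GUID + three little-endian UINT32 size fields


def split_efivar(blob):
    """efivarfs files are a 4-byte attribute word followed by the variable data."""
    if len(blob) < 4:
        raise ValueError("efivarfs blob shorter than its attribute header")
    return struct.unpack_from("<I", blob)[0], blob[4:]


def boot_state(secure_boot_blob, setup_mode_blob):
    """Classify the firmware state from the SecureBoot and SetupMode variables."""
    if secure_boot_blob is None or setup_mode_blob is None:
        return "unsupported"        # legacy boot, or firmware without Secure Boot
    secure = split_efivar(secure_boot_blob)[1]
    setup = split_efivar(setup_mode_blob)[1]
    if len(secure) != 1 or len(setup) != 1:
        raise ValueError("SecureBoot and SetupMode must be one-byte flags")
    if setup[0] == 1:
        return "setup-mode"         # no Platform Key enrolled: keys can be installed
    return "enforcing" if secure[0] == 1 else "disabled"


def parse_signature_lists(data):
    """Walk the concatenated EFI_SIGNATURE_LIST structures stored in db or dbx."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < LIST_HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body, end = off + LIST_HEADER + header_size, off + list_size
        if body > end or end > len(data) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if (end - body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for pos in range(body, end, sig_size):
            entries.append({
                "type": SIG_TYPES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=data[pos:pos + 16])),
                "size": sig_size - 16,   # certificate or hash length in bytes
            })
        off = end
    return entries


def owners(db_blob):
    """Count trusted db entries per SignatureOwner GUID."""
    return Counter(e["owner"] for e in parse_signature_lists(split_efivar(db_blob)[1]))


def read_var(name, guid, root=EFIVARS):
    try:
        return (root / f"{name}-{guid}").read_bytes()
    except FileNotFoundError:
        return None


# --- constructed sample data, not taken from any real machine ---
OWNER_VENDOR = uuid.UUID("11111111-2222-3333-4444-555555555555")
OWNER_USER = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")


def make_list(type_name, owner, payloads):
    type_guid = next(g for g, n in SIG_TYPES.items() if n == type_name)
    body = b"".join(owner.bytes_le + p for p in payloads)
    sizes = struct.pack("<III", LIST_HEADER + len(body), 0, 16 + len(payloads[0]))
    return type_guid.bytes_le + sizes + body


SAMPLE_DB = struct.pack("<I", 0x27) + (
    make_list("x509", OWNER_VENDOR, [b"\x30" * 40])   # placeholder bytes, not a real cert
    + make_list("sha256", OWNER_USER, [b"\x01" * 32, b"\x02" * 32])
)
SAMPLE_ENFORCING = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")

if __name__ == "__main__":
    sb, sm = read_var("SecureBoot", EFI_GLOBAL), read_var("SetupMode", EFI_GLOBAL)
    db = read_var("db", IMAGE_SECURITY)
    if sb is None:
        (sb, sm), db = SAMPLE_ENFORCING, SAMPLE_DB
        print("no efivarfs variables found, using the constructed sample")
    print("state:", boot_state(sb, sm))
    for owner, count in (owners(db) if db else {}).items():
        print(f"  db trusts {count} entr{'y' if count == 1 else 'ies'} owned by {owner}")
```

A `db` whose entries all carry a single vendor's owner GUID, on a machine that reports `enforcing`, is the situation the comment calls leaving one party in control of what boots.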

  138. Re:I dub all unswitchable hardware: disposable by Geeky · · Score: 1

    That's the mainframe model. You pay for the CPU you use - measured in MIPs if I recall correctly. The machine might be capable of x MIPs but you can't use them all because you haven't paid for them. It's like buying a quad core machine but only being able to use one core unless you pay to unlock the others.

    Application CPU bound? Pay more to be able to access the CPU power in the hardware you already own. And then be prepared to pay all the software vendors more because you're now running it on a more powerful machine...

    So it's nothing new, it's been the standard operating model in that world forever.

    --
    Sigs are so 1990s. No way would I be seen dead with one.
  139. DIP switch by Anonymous Coward · · Score: 0

    Should have a physical switch (DIP switch?) for enable/disable. Then no hack (some phone phisher might) could get around it, but anyone who wants to install any other OS can go right ahead and do it.

    1. Re:DIP switch by messymerry · · Score: 1

      Good idea, but I prefer jumpers...

      --
      Dear Microlimp: I give you 2 valid product keys for win7 and you reject both of them. Piss off you wankers!!!
  140. Re:I dub all unswitchable hardware: disposable by X0563511 · · Score: 1
    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  141. I Miss PJ of Groklaw by Anonymous Coward · · Score: 0

    Please come back to us.
    Even the veil of unfettered righteousness is better than the vacuum of its omission.

  142. The OS war, episode 3 by wethehwer · · Score: 1

    1. Company A launches devices where the hardware is only allowed to boot their own OS, which can only execute software developed by developers who pay company A, this is implemented using cryptos in different ways. Bugs are found but the latest version is in general 100% locked down.

    2. Company B, that has monopoly on the desktop OS market, gets an idea.

    3. ?

    4. PROFIT.

    1. Re:The OS war, episode 3 by david_thornley · · Score: 1

      You do realize that Macs can run multiple operating systems, I hope, and I rather think Apple didn't invent the locked model for the iPhone.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  143. Samsung will love this! by iamacat · · Score: 1

    Get ready for a 12 inch plastic Windows tablet with TouchWiz shell, 3 Web browsers, 2 app stores, 50 unremovable pre-installed apps and 1.2gb free space in base model. Great move by Microsoft to let OEMs add value that users can not unwisely remove!

  144. Re:I dub all unswitchable hardware: disposable by lsatenstein · · Score: 1

    That's a descriptive word I know gsm phone manufacturers work hard to distance themselves from, even more where it's more true.

    I was nice of Microsoft to play along until the secure boot controversy was diffused and then stop backing openess. I'm not sure RMS would be completely surprised.

    Seriously though, we have the choice, and the only thing that will maintain that freedom is that we express it with our dollars. Manufacturers are at OUR mercy, not the other way around.

    If you can't get to the boot menu when you play with it in the store, don't buy it. Amazon will let you return nearly anything. This is a freedom we can defend.

    I would have the US Government block sales of all computer systems in which secure boot could not be disabled. If I want to run XP as a control program for my cash register, I certainly need to bypass secure boot. Ditto if I want to run a Linux OS which does not support secure boot.
    Do I need to take a RedHat or Debian based distribution, perform a minimal install and replace the guts with the other OS? Let Ubuntu or Fedora bypass the UEFI security, and let me do what I want with my hardware. I had to purchase, not lease the hardware.

    --
    Leslie Satenstein Montreal Quebec Canada
  145. Re: I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 0

    Moron.

  146. Re-imaged laptops by Anonymous Coward · · Score: 0

    Question. For corporate clients that re-image new desktops or laptops. What if they wanted to put their own Win 7 image on? Would it still work?

  147. Re:I dub all unswitchable hardware: disposable by mysidia · · Score: 1

    As for a compromised OS bricking the system? Well, that's probably actually a good thing for most people. Much better than their bank account getting siphoned.

    Secureboot is not and never was a hindrance to the bad guys. Once malicious code is run; secureboot can be defeated. It's security theatre.

  148. Re:I dub all unswitchable hardware: disposable by mysidia · · Score: 1

    They can keep their big business buyers happy by distributing an exclusive 500k file under Non-Disclosure Agreement they will run pre-imaging to unlock their BIOS for the desired OS.

  149. I'm not sure there will be a "Linus Torvalds rant" by donak · · Score: 1

    Like you I've installed Windows 10 technical preview on a laptop ... and then gone on to install Xubuntu alongside it.
    It worked, with the added bonus that Win 10 actually fixed the borked Win 8 OEM installation in the first place.
    I didn't know what the problem was with Win 8, I spent a little time trying to fix it, then went and bought my wife another cheap laptop.
    I've been tinkering with PCs / Laptops for years, but I'm at the opposite end of the scale, a rank amateur.
    I was as concerned and upset by the concept of being blocked from installing Linux as anyone here : I've dual booted every new PC / Laptop I've bought in the last 5 or 6 years.

    The way to install Xubuntu was to get into Win 10 PC Settings / Update and Recovery / Advanced Startup / Use a device, and boot a USB device (in this case a USB DVD).
    These settings still exist, even in Build 9926, the latest I have downloaded. (Notifications / All Settings / Update and ... )
    I don't know if this is the "shim" I've seen others here refer to, but it appears Grub takes over and is the first to boot. One of the options in it is to start the Windows boot loader.
    So, even if it is mandatory, is it that big an issue? I understand many O/Ss don't have a PK, but someone has already suggested using something like a Redhat or Ubuntu kernel to get past secure boot.

    --
    Don't blame me, it's usually 2 in the morning when I post ...
  150. Re:I dub all unswitchable hardware: disposable by mrchaotica · · Score: 1

    Actually, I will simply blacklist any company...

    You will end up having to blacklist every company, giving up technology entirely, and going to live in a hut on a mountain.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  151. Re:I can't wait for the Linus Torvalds rant over t by mrchaotica · · Score: 1

    Once a user learns enough about Linux to want to install it...

    Oh, and how did they do that? By using a Live CD. And what do you call a Live CD in a world with mandatory Secure Boot? A goddamn coaster, that's what!

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  152. Re:I can't wait for the Linus Torvalds rant over t by mrchaotica · · Score: 1

    What's in it for the OEM to do this?

    I'll give you a hint: it's green, rectangular, and under the table.

    Regarding PCs though, I can think of nothing that would generate a new anti-trust lawsuit faster than this. MS had better walk damn carefully here if they do ANYTHING that could be perceived as unfairly locking Linux and other OSes from PC hardware.

    Even with Republicans having a majority in both houses of Congress?

    So, that being said... Can anyone explain to me why Microsoft can use the Secure Boot feature but Linux can't offer the same as an "out of the box" experience?

    Because the entire point of Free Software is that every individual user could be customizing his kernel and thus needing his own personal key.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  153. Re:I can't wait for the Linus Torvalds rant over t by mrchaotica · · Score: 1

    Would suck for kernel devs but would probably work just fine for most Linux users. Linux is not doomed.

    Every user is potentially a kernel dev, which is the entire point of Free Software!

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  154. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 0

    That fat hippie died?!

  155. Re:I can't wait for the Linus Torvalds rant over t by perpenso · · Score: 1

    Would suck for kernel devs but would probably work just fine for most Linux users. Linux is not doomed.

    Every user is potentially a kernel dev, ...

    In exactly the same way that Bill Maher is potentially a future pope.

    ...which is the entire point of Free Software!

    It's not the mission of major PC vendors to promote FOSS, it is possibly their mission to supply consumers with more secure PCs.

    If a person aspires to be a kernel dev they can build their own PC, use a non-PC like a Raspberry Pi, run Linux in a VM, etc.

  156. Re:I can't wait for the Linus Torvalds rant over t by nctritech · · Score: 1

    Don't forget that OEMs now sell lots of computers with no CSM boot option and only ACPI 5.0 tables which Windows 7 and below can't read and crash on boot claiming that the computer isn't ACPI-compliant. Even if you try to boot Windows 7 via UEFI, the ACPI 5.0 tables will block it completely, so such machines are forcibly Windows 8 or higher with no option to downgrade available.

  158. Chromebook? by Anonymous Coward · · Score: 0

    Are Google Chromebooks our salvation out of this situation? On both my ASUS Chromebox and Acer C720P Chromebook, it has been possible to set up a 'dual boot' system i.e. legacy "SeaBIOS" stuff. If this is a solution, and Google continues to exert influence over Chrome-device manufacturers, and sufficient specs/price/features/models are made available to satisfy non-Windows users...?

  159. People are missing the Point by Anonymous Coward · · Score: 0

    Remember, the future is about mobile. This is about phone and tablet manufacturers being able to market their devices as designed for Windows 10. For better or worse very few people care that phones and tablets are locked down. If you are serious about challenging that, you should start with Apple, not Microsoft.

  160. Re:I dub all unswitchable hardware: disposable by Z00L00K · · Score: 1

    I also foresee a new way for malware - intentionally brick the machines for a specific vendor unless they cough up money.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  161. Why Monopolies are (supposed to be) illegal by Anonymous Coward · · Score: 0

    Not only will you not be able to install an alternate OS (Linux) but you will not be able to backgrade to an earlier version of Windows (Win7) that you already paid for.

  162. Re:I can't wait for the Linus Torvalds rant over t by mrchaotica · · Score: 1

    Would suck for kernel devs but would probably work just fine for most Linux users. Linux is not doomed.

    Every user is potentially a kernel dev, ...

    In exactly the same way that Bill Maher is potentially a future pope.

    No, not in the same way! For the purpose of this conversation, "kernel dev" includes even people who do something as simple as `make menuconfig` or anything else that causes the checksum of the kernel to change.

    That's actually a lot of people, including all Gentoo users, VMware users, anybody who needs to enable support for weird hardware, anybody who needs a non-free driver that can't be distributed already compiled in, etc.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  163. MBAs are so predictable by Phics · · Score: 1

    I wonder if this is where Microsoft tries to figure out how to skirt anti-trust issues and incent OEMs into locking their systems.... kick-backs, under the table finagling, etc. The real question is this - if Microsoft is so altruistic and trustworthy, why allow a system to be locked to just one OS in the first place?

    --
    There are two types of people in the world; those who believe there are two types of people, and those who don't.
  164. time for a choice of OS then? by dwater · · Score: 1

    Up until now, there have been few vendors to choose pre-installed Linux. IMO, the most usual thing for people wanting to run Linux is to buy it with Windows pre-installed, boot it straight into a Linux install disk, and wipe off Windows - perhaps with the additional step of reclaiming the cost of Windows included with the purchase.

    IINM, that won't be possible, so we need a 'none' option on the OS choice list before we buy it, then they don't install anything and just ship it directly to us.

    In some ways, that seems a lot simpler, if we can get the likes of Dell, Lenovo/etc to do that. Maybe they will start selling more pre-installed Linux desktops - there have been some, but the choice was limited and there was always the 'wipe Windows' option.

    --
    Max.
  165. Re:I can't wait for the Linus Torvalds rant over t by BradleyUffner · · Score: 1

    And the site they downloaded that Live CD from will have instructions for turning off Secure Boot, or adding their key to the BIOS.

  166. Re:I can't wait for the Linus Torvalds rant over t by Anonymous Coward · · Score: 0

    Well that sounds like a great selling counter-point for the M$ ad-men's buy-in: "Our boxen are so secure that if you want to ditch us and try something else your box is a paperweight"
    You're so secure "All your devices belong to us!"

  167. Re:I dub all unswitchable hardware: disposable by Anonymous Coward · · Score: 0

    Funny, this is how some mainframes worked in the old days.

    When you bought more RAM, a guy with a physical key showed up, turned it in the lock, entered an arcane command or two, and your mainframe had more megabytes. Nothing extra was installed.

  168. Re:I can't wait for the Linus Torvalds rant over t by david_thornley · · Score: 1

    And what that means is that nobody who doesn't want Linux anyway will use that Live CD, because they won't want to look through the instructions to find their machine and go through what sounds like an arcane process.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  169. Quackintosh Is Even Worse by Anonymous Coward · · Score: 0

    Quackintosh is still ruled by a fucking self-appointed moralist who is already dead! Steve Blob's puritanical views still dictate policy from beyond the grave.