OEMs Allowed To Lock Secure Boot In Windows 10 Computers

jones_supa writes: Hardware that sports the "Designed for Windows 8" logo requires machines to support UEFI Secure Boot. When the feature is enabled, the core software components used to boot the machine are verified for correct cryptographic signatures, or the system refuses to boot. This is a desirable security feature, because it protects from malware sneaking into the boot process. However, it has an issue for alternative operating systems, because it's likely they won't have a signature that Secure Boot will authorize. No worries, because Microsoft also mandated that every system must have a UEFI configuration setting to turn the protection off, allowing booting other operating systems. This situation may now change. At its WinHEC hardware conference in Shenzhen, China, Microsoft said the setting to allow Secure Boot to be turned off will become optional when Windows 10 arrives. Hardware can be "Designed for Windows 10," and offer no way to opt out of the Secure Boot lock down. The choice to provide the setting (or not) will be up to the original equipment manufacturer.

I can't wait for the Linus Torvalds rant over this

Grabs popcorn.

You can currently cryptographically sign a Linux kernel to secure boot, You can install them alongside, or overwrite the windows signature (keep in mind, these keys are your new keys to the windows os. It's not truly keyless, so I would suggest add them alongside.) but most I.T. guys aren't even smart enough to know how it's done. It's no easy task even for Linux people. I currently make 6 figures in a support job and it was difficult for me. I've attempted it only once and was successful, but it is so not user friendly even to smart tech people. I would go as far as to say that even less than 1% of people will ever do it. The other hassle is, if you ever update your kernel in Linux which happens way more than in Windows, you have to re-sign against the new one and re-add the keys all over again alongside or overwrite.

However, I still have the ability to do it, and that's what's important. Make no mistake. This is a literal and direct attack on Linux. OEM's will not care about the few people who use Linux and will omit this ability essentially killing Linux off. This is Microsoft's attempt at the final nail in the coffin of Linux.

You also disable UEFI for driver updates

[msobkow]

When I tried to update the graphics drivers for my Lenovo laptop, I got undocumented errors and a rollback. Later, on a whim, I disabled UEFI, and the drivers installed with no problem. I re-enabled UEFI afterwards, and the system still runs fine.

So unless you trust your vendor to deliver absolutely PERFECT drivers that will NEVER need updating, you wouldn't want a system that prevents you from disabling UEFI.