Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Establishing Procurement Policies Regarding Secure Boot?

Posted by timothy on from the but-that's-not-what-the-amendment-originally-meant dept.

New submitter Firx writes: My university department has a tradition of selling its used computers and/or repurposing them with Linux for graduate students and science computer labs. With Windows no longer requiring one be able to disable secure boot, my department is writing up a procurement policy to ensure future machines we buy will still have this feature. Part of the draft motion reads: "Be it resolved that computers running or intending to run Microsoft Windows purchased by the department which boot using the Unified Extensible Firmware Interface (UEFI) have the ability to disable the Secure Boot features for both local hard drive and network booting." Is there something further we should be including here and what is the best way to explain the need for this policy to colleagues less technically literate?

2 of 104 comments (clear)

  1. Re:Why mention Windows? by Trogre · · Score: 3, Interesting

    Simple. Microsoft Corporation holds the keys to your Secure Boot chain of trust. Or did you manage to get someone else to sign your bootloader?

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  2. Re:Why mention Windows? by ilsaloving · · Score: 5, Interesting

    Are you trying to claim that a manufacturer who DOESN'T get an MS certification is somehow prevented from that option?

    I think you misread the question. The question was about requirements for purchasing products from vendors, not telling vendors what they are and arn't allowed to do. (That's Microsoft's job)

    There's nothing childish about mentioning Microsoft explicitly. They were the ones that championed Secure Boot in the first place, forcing OEMs to implement it for certification. Most major linux vendors have the resources to get their boot keys into the database, but smaller distros probably wouldn't.

    Even then, the database is then stored locally in the UEFI, so if there's a Linux distro that's late to the party, they're still screwed with the current generation of hardware unless a bios update is released.

    Additionally, Windows 8 certification mandated that it must be possible to disable Secure Boot (after significant outcry about possible lock-in). But for Windows 10 certification that requirement has been quietly dropped again, once again raising that concern about lock-in.

    The submitter has stated that their guidelines will require any new hardware to have the ability to disable SecureBoot, certification requirement or not.

    The question is, how do you explain that to people who may not understand the technical nuances.

    The easiest way I can think of, is to make sure the hardware provides the ability to install Windows 7 (Just because Windows 10 licensing permits downgrade rights, it doesn't follow the hardware will let you), which doesn't support SecureBoot. If you can install Windows 7, you can anything else you want.