OEMs Allowed To Lock Secure Boot In Windows 10 Computers 362
jones_supa writes: Hardware that sports the "Designed for Windows 8" logo requires machines to support UEFI Secure Boot. When the feature is enabled, the core software components used to boot the machine are verified for correct cryptographic signatures, or the system refuses to boot. This is a desirable security feature, because it protects from malware sneaking into the boot process. However, it has an issue for alternative operating systems, because it's likely they won't have a signature that Secure Boot will authorize. No worries, because Microsoft also mandated that every system must have a UEFI configuration setting to turn the protection off, allowing booting other operating systems. This situation may now change. At its WinHEC hardware conference in Shenzhen, China, Microsoft said the setting to allow Secure Boot to be turned off will become optional when Windows 10 arrives. Hardware can be "Designed for Windows 10," and offer no way to opt out of the Secure Boot lock down. The choice to provide the setting (or not) will be up to the original equipment manufacturer.
I dub all unswitchable hardware: disposable (Score:5, Insightful)
That's a descriptive word I know gsm phone manufacturers work hard to distance themselves from, even more where it's more true.
I was nice of Microsoft to play along until the secure boot controversy was diffused and then stop backing openess. I'm not sure RMS would be completely surprised.
Seriously though, we have the choice, and the only thing that will maintain that freedom is that we express it with our dollars. Manufacturers are at OUR mercy, not the other way around.
If you can't get to the boot menu when you play with it in the store, don't buy it. Amazon will let you return nearly anything. This is a freedom we can defend.
Re:I dub all unswitchable hardware: disposable (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
The vast majority of PC buyers will never want the missing feature, and will be protected from social engineering attacks that would turn it off. As for a compromised OS bricking the system? Well, that's probably actually a good thing for most people. Much better than their bank account getting siphoned.
I think you mean its better for MS and vendor bank accounts, not ours.
Re: (Score:3)
What do you care what kind of hardware the "vast majority of PC buyers" who don't care about this feature use?
Because hardware manufacturers are going to go after the largest part of the market possible, not cater to the fussy long tail of malcontents that need uncommon features like the ability to load their own OS. We've finally gotten to the point where I don't need to be incredibly picky over the hardware that I buy to ensure that it'll run Linux acceptably. I don't want to have to research through user forums for anecdotal evidence that some particular piece of hardware was mislabeled as not being locked down,
Re:I dub all unswitchable hardware: disposable (Score:5, Insightful)
People predicted that this is exactly what would happen with Secure Boot. The initial support would be optional and after a time and the phasing out of older hardware the support would become mandatory. Microsoft moving to a mandatory secure boot would fall right in line with these predictions.
The next gambit in secure boot is to disallow the user putting in their own signing keys. From that point forward the only way to get an OS on a computer is with Microsoft's signature. Secure boot could be a good thing if the user was allowed total control, but microsoft shows their true goal here, which is to take total control of the PC market. Many forget that secure boot was devised at a time when Microsoft was first facing a new Linux OS challenger that they couldn't defeat with their traditional tactics. Many people don't consider this timing to be coincidental.
Re:I dub all unswitchable hardware: disposable (Score:5, Insightful)
If I were an Evil Executive at Microsoft, my next gambit would be to apply some unofficial, off-the-record pressure to the OEMs to make sure they have no means of disabling secure boot. Requiring this outright would be legally risky, could come back to bite them in future antitrust cases, but nothing to stop them from some deniable hints that it might help get a cheaper license deal.
Re:I dub all unswitchable hardware: disposable (Score:5, Informative)
Pressure? Not at all. There'll just be a ... "discount" if you do. This has happened before, and it'll happen again. It's within M$'s nature to rub out its competitors by pressing every advantage; it can't help itself.
Re:I dub all unswitchable hardware: disposable (Score:5, Funny)
No, no, no, you are paranoid and delusional to think that they will keep you from disabling secure boot. Microsoft only cares about your security and safety, and you're a conspiracy theorist if you think otherwise.
OEMs probably open to other OS vendors ... (Score:2)
Re:OEMs probably open to other OS vendors ... (Score:5, Insightful)
This is still the wrong approach. The owner of the hardware should have the right to turn it off if they so choose. It should not be up to Microsoft. And it should not be up to the OEM. And it should not be up to carriers. And it should not be up to the government, either (might as well keep extending out the doom-and-gloom possibilities).
OEM's should listen to their customers and not Microsoft. Locking the bootloader is extremely anti-consumer and anti-competitive. The time to find out your machine is a paperweight should not be after you spent your hard-earned money buying a machine. When this whole fiasco started, there was ZERO transparency from the OEM's. You could not call Dell and ask if machine X had a locked secureboot, because the idiot support and sales people don't know. And it is not listed on the websites, the manuals, or the boxes.
Re: (Score:3)
This is like DRM for hardware, we don't own it but we can use it if the manufacturer gives us permission.
Re: (Score:3)
OEM's should listen to their customers and not Microsoft. Locking the bootloader is extremely anti-consumer and anti-competitive.
What this means for the future of Linux and alternative OSes is unclear at best.
Those who build their own desktops will retain the ability to disable Secure Boot, since Asus or MSI doesn't know what kind of operating system you're going to load on the board. But laptops are a different story. Some laptop vendors will undoubtedly continue to ship a ''Disable'' option on Secure Boot, but vendors like HP and Dell may simply decide that closing the attack vector is more important than user freedom, particularly when the margin on PCs is so low to begin with. When every support call is measured against the handful of dollars an OEM makes on each machine, eliminating the need for such interaction is extremely attractive.
Psychological research has long confirmed the power of default settings --- ship something enabled (or disabled), and the vast majority of users will never change the option. Given that Windows machines were already required to enable Secure Boot by default, where's the security benefit in making the kill switch optional?
As far as we can tell, there isn't one.
Linux's worst-case scenario: Windows 10 makes Secure Boot mandatory, locks out other operating systems [extremetech.com]
For the vendor of a mass-market Linux laptop ---- if there is such a thing --- choosing a signed Linux OS and closing an attack vector common to both Linux and Windows makes perfect sense as well.
It is not anti-consumer and it is not anti-competitive.
OEMs are listening to their mass market customers and what these customers are saying is "Lock it down.. We don't want to tool up and poke around under the
Re: (Score:3)
OEMs are listening to their mass market customers and what these customers are saying is "Lock it down.. We don't want to tool up and poke around under the hood."
Really? I've never heard a single mass market customer demand that they should be able to do less with their PC.
Fortunately, desktop PCs are only really useful for games and a few other specialized uses these days, so I can always buy an ARM next time.
Re: (Score:2)
Secure boot could be a good thing if the user was allowed total control, but microsoft shows their true goal here, which is to take total control of the PC market.
I know of at least one PC hardware OEM [apple.com] who won't likely play that game...
Re:I dub all unswitchable hardware: disposable (Score:5, Insightful)
This is essentially another form of DRM and as you well know that was and is still highly successful and completely crushed all piracy. People still actively seek out products that say "DRM Included" just so they can have the safety and security of knowing that a large corporate is having its own best interests protected at the expense of your product's usability.
Anyone with a marketing background will tell you this is a FANTASTIC idea guaranteed to succeed...if you pay them enough...
But seriously now.
The general livestock will buy the "coolest" and/or "cheapest" option and wont understand what the fuck is going on as per usual. It success or failure will be based on whether this affects the price point of the product (i.e. making it cheaper) or detrimentally effect its "coolness". (like DRM did)
And DRM still exists and are some of the most profitable platforms around. e.g. Steam, Itunes, netflix, etc.
Disposable, and "Not A Personal Computer" (Score:5, Insightful)
There should be a permanent sh!tlist pinned to the top of Slashdot with any vendor that promotes this scheme for "PCs".
Microsoft's long-time disruptive technology shark in the water was that they promoted a platform that was just open enough to let techies (and 3rd party vendors) on a budget customize the systems however they need. This is the essence of a "personal computer", for the MS camp at least. Now MS has jumped their own shark.
Their tepid claims of being FOSS-friendly are being shown as ultimately false. Like Apple, they still won't incorporate open A/V formats into their products and their OSes will tell you an inserted Linux-formatted volume "must be formatted before use". Heaven forbid if I ever give an EXT3 formatted flash drive to an Android user, and they decide someday to look at it with Windows. They are similarly hostile when it comes to Linux multiboot setups. Its wilful negligence that still reigns in Redmond and must be fought with tooth and nail to gain any concession.
And how necessary for security are these firmware-level lockouts?? They are not! Qubes OS employs a scheme that, in combination with a TPM, prevents a computer from being able to reproduce a chosen passphrase if its been tampered-with. No doubt, the MS excuse will be that the consumer or administrator can't be bothered to remember a sentence to verify system integrity.
I suggest rallying around vendors like this: https://www.crowdsupply.com/pu... [crowdsupply.com]
Eventually, we should pressure the market to open up the whole damn stack; We will probably be forced to.
Re: (Score:2)
Re: (Score:3)
Yeah, yeah. The sky is falling.... Except that it isn't. With signed bootloaders like shim [ubuntu.com], you can install or run any operating system yourself without changing the BIOS to disable Secure Boot at all.
Not being able to run a 3rd party OS was a concern with Windows 8. But the open source community have solved that problem. So being able to disable Secure Boot is no longer required.
Re:I dub all unswitchable hardware: disposable (Score:4, Insightful)
Freedom is, in all aspects, "pining for the fjords." With regards to the manufactures of gadgets, it isn't in their interest to allow even the slightest bit of freedom. You can't install your own OS on the device you paid for, you can't install software that wasn't blessed by the prevailing curator of the local app store. We're moving towards a society in which you (as a consumer) don't own anything, it's leased or rented or provided "gratis", so long as you remain in accordance with whatever contractual terms they wish to impose. And before the Desktop centric crowd chimes in with "I own my box!", sure, you do now. But the current business practice is to retain ownership of everything and dole out access with as many restrictions as possible. It isn't that big of a leap to presume that sometime in the future you'll only be renting your motherboard, and may even have to pay extra to enable more memory access or "Premium CPU interconnects". Hell, you might be already! Have you read through the entirety of the terms of use provided with every component present in your machine? Do you really think Intel has your best interest at heart? These corporate scumbags can stuff end user agreements with whatever they want, knowing full well that practically no one is either going to read it, or have the financial means to fight it out in court.
Once the BIOS is locked down, why wouldn't manufacturers require extra payments for increased CPU throughput or maximum available RAM? Sure, your new mobo comes with slots for 64 GB, but it's only licensed for 16GB, any more requires an extra payment. These components are getting so sophisticated that bits and pieces of what used to be considered standard functionality, parts which were once hardwired, will be doled out as premium add-ons and DLC-like upgrades. There's nothing stopping them, it's only a matter of time before each and every aspect of the computing environment is held ransom by one company or another.
Re: (Score:3, Insightful)
However, RMS is smart enough that he would recognize that you have deliberately missed the point.
Re: (Score:3)
Stallman came out against buying stuff at Amazon. I don't think he actually came out against returning them, which is what was said.
If you find yourself in the situation of having bought something from Amazon, received it, and felt less free, I think Stallman might agree that the right to return the item "is a freedom we can defend." Hopefully then you'll buy something somewhere else.
I know it isn't Amazon granting my right to return, it is consumer protection laws.
Re: (Score:2)
Thanks, I'll have to stop having Amazon donate money to FSF every time I buy something there... BTW, how old is that? It looks like it was when Amazon mostly sold books.
Re: (Score:2, Interesting)
It doesn't matter what you buy. If the locked laptop is $10 cheaper than the one where you can install a hippie OS that nobody* uses anyway, then the majority of customers will choose the cheaper device, and manufacturers of more flexible hardware will lose out in the market.
Exactly so.
The end result of this road is mad-expensive hardware for servers at a 500% price premium, and low end locked down hardware for consumers that can't boot "inconvenient" OSs that give the user control of their own computer.
People who say "but servers!" miss the point: the average Joe will get priced out of that market.
After that, it's not long until online gaming requires an "authenticated" system. Then banking and online shopping, because safety.
That's where this road goes. Just wait and watch.
So Red Hat and Ubuntu offer signed binaries (Score:2)
The end result of this road is mad-expensive hardware for servers at a 500% price premium, and low end locked down hardware for consumers that can't boot "inconvenient" OSs ...
So Red Hat and Ubuntu establish relations with consumer hardware vendors and offer factory signed binaries. Linux is not doomed. Linux kernel developers need to be careful about their motherboards but the vast majority of Linux uses would be just fine.
Re:So Red Hat and Ubuntu offer signed binaries (Score:5, Insightful)
>"So Red Hat and Ubuntu establish relations with consumer hardware vendors and offer factory signed binaries. Linux is not doomed. Linux kernel developers need to be careful about their motherboards but the vast majority of Linux uses would be just fine."
And what about Mageia?
And what about FreeBSD?
And what about FreeDOS?
And what about VMWare VSX?
And what about that hard drive diagnostic disc?
And what about that RAID controller utility?
And what about any number of many dozens of OSes, utilities, and distros?
The "solution" is not to try and get everyone to play by the stupid secureboot "rules" that MS is trying to force on everyone. The solution is to have ALL machines give the owner of the machine the CHOICE to decide if they want secureboot on or off.
Microsoft saying it is "optional" means it absolutely won't be optional when they start putting behind-the-scenes (and probably illegal) pressure on the OEM's to start the lockdown.
The linpocalypse is not upon us (Score:2)
>"So Red Hat and Ubuntu establish relations with consumer hardware vendors and offer factory signed binaries. Linux is not doomed. Linux kernel developers need to be careful about their motherboards but the vast majority of Linux users would be just fine."
And what about Mageia? And what about ...
As I said, the vast majority, not all, Linux users should be fine. The linpocalypse is not upon us. A few would need to be careful about their motherboards.
The "solution" is not to try and get everyone to play by the stupid secureboot "rules" that MS is trying to force on everyone. The solution is to have ALL machines give the owner of the machine the CHOICE to decide if they want secureboot on or off.
No. The "solution" is to give all buyers the option of buying a machine with or without secureboot locked down. There is nothing wrong with a buyer preferring to get a factory locked down box if they so choose.
Microsoft saying it is "optional" means it absolutely won't be optional when they start putting behind-the-scenes (and probably illegal) pressure on the OEM's to start the lockdown.
OEMs have already demonstrated a willingness to cater to the BYO hobbyist crowd. There is no reason to expect that consumer motherboards without a
Re: (Score:2)
This should logically not even be up to Microsoft. They're inserting themselves between the customers and the vendors when not asked to do so. They get away with this because they've maintained their OEM practices that have been ruled anti-competitive by the courts. The US will never do it, but if the EU again got the guts to sue Microsoft it wouldn't make a difference because it would take so long that they'd be onto Windows 18 already, and Microsoft would just claim that they're sorry and they won't do
Re: (Score:3)
And what about any individual user, even one who uses Red Hat or Ubuntu, who has the audacity to actually want to exercise his rights under the GPL and recompile his kernel?
Re: (Score:2)
But this costs the vendors some money, whereas just ignoring those unix people is free.
Re: No. (Score:5, Insightful)
As far as I'm concerned a locked up, drm-encumbered bootloader is dead on arrival.
Re: (Score:2)
That's true. You accept delivery of a computer, insert your favourite distro disc, and it won't boot.
I also build desktops for customers, and I get to decide which mainboard goes in, and which operating system is installed, and it will always be be whatever best meets the customer's needs (and pockets).
Re: (Score:2)
Use the pre-installed Windows 10 as a very slow and cumbersome boot loader?
Microsoft afraid of the YOTLD? (Score:3, Insightful)
Nah, couldn't be.
I don't buy prebuilts but any manufacturer that locks secureboot will no longer be recommended to any of my non-tech-savvy friends.
Re: (Score:3, Informative)
Microsoft afraid of the YOTLD?
Nah, couldn't be.
Maybe in some alternate universe, but certainly not in this one.
I don't buy prebuilts but any manufacturer that locks secureboot will no longer be recommended to any of my non-tech-savvy friends.
So they'll lose what? 2 whole sales out of 10s of millions?
Re: (Score:2)
Re: (Score:2)
Unfortunately most of my friends demand laptops.
I build desktops for the few family members who see the value in them.
Re: (Score:2)
In other words, Microsoft can say whatever the hell they like. Hardware manufactures want money. They don't give two shits whether it comes from Windows or Potato-OS.
Even worse than you think (Score:3, Informative)
I just purchased four Dells with Windows 8.1 from NewEgg along with 8.1 Professional for each to use in a business. I swapped out the HDDs for SSDs and installed using OEM licensed, legitimate 8.1 Pro media. None of them will run Professional, instead defaulting to fully registered 8.1 Basic.
They wont accept the Windows Product keys at all. Instead, they show completely different keys that must have been installed into the hardware. This occurs whether secure boot is turned on or off. I have a case num
Re: (Score:2, Insightful)
That's not necessarily true. Never underestimate the technical ignorance of marketing and sales people and their ability to spin a limitation as a security feature.
I can't wait for the Linus Torvalds rant over this (Score:5, Interesting)
Grabs popcorn.
You can currently cryptographically sign a Linux kernel to secure boot, You can install them alongside, or overwrite the windows signature (keep in mind, these keys are your new keys to the windows os. It's not truly keyless, so I would suggest add them alongside.) but most I.T. guys aren't even smart enough to know how it's done. It's no easy task even for Linux people. I currently make 6 figures in a support job and it was difficult for me. I've attempted it only once and was successful, but it is so not user friendly even to smart tech people. I would go as far as to say that even less than 1% of people will ever do it. The other hassle is, if you ever update your kernel in Linux which happens way more than in Windows, you have to re-sign against the new one and re-add the keys all over again alongside or overwrite.
However, I still have the ability to do it, and that's what's important. Make no mistake. This is a literal and direct attack on Linux. OEM's will not care about the few people who use Linux and will omit this ability essentially killing Linux off. This is Microsoft's attempt at the final nail in the coffin of Linux.
Re: (Score:2)
Quite. This was forseen. This is just another whack of the mallet driving the thin end of the wedge a bit deeper.
First you had to turn off a feature that said "Secure Boot". How many standard users are going to turn that off?
Now there will probably be "considerations" for those who make their hardware less easy to boot Linux on.
"Oh, yes, fewer config options make things more reliable - less to misconfigure, less to go wrong - we prefer that kind of device, gives Windows a good name by being more reliable...
Re: (Score:3, Insightful)
How many standard users are going to turn that off?
How many "standard" users are going to install Linux, or even know what Linux is?
Once a user learns enough about Linux to want to install it they will undoubtedly know how to turn this feature off or install the correct keys.
Re:I can't wait for the Linus Torvalds rant over t (Score:4, Interesting)
Microsoft is now saying that OEM hardware that doesn't allow disabling secure boot would still be "Windows 10 certified". What's in it for the OEM to do this? Why would they purposefully lock their customers out of a choice of OSes? I have a hard time seeing this happening for PCs. It seems more likely that this is actually intended for smaller-form-factor hardware like phones or tablets, similar to how Apple attempts to lock down the devices they sell. It's hard to say since all versions of the new OS are simply called "Windows 10".
Regarding PCs though, I can think of nothing that would generate a new anti-trust lawsuit faster than this. MS had better walk damn carefully here if they do ANYTHING that could be perceived as unfairly locking Linux and other OSes from PC hardware. Frankly, I think the first OEM to try this is going to generate a shitstorm of controversy the moment an unsuspecting user tries to install Linux in a secondary partition or to replace Windows altogether. While it's good to be aware of this and watch to see how things go, I don't think the sky is falling quite yet.
So, that being said... Can anyone explain to me why Microsoft can use the Secure Boot feature but Linux can't offer the same as an "out of the box" experience? Or why Windows can apparently be patched and continue to work, while Linux somehow can't? Is this true for Linux in general, or just for people who modify and compile their own kernel (which I'm guessing probably isn't that many)?
Re: (Score:2)
What's in it for the OEM to do this? Why would they purposefully lock their customers out of a choice of OSes?
Rightly or wronly, perhaps they fear that their help lines will be tied up with people who have installed Linux (or are trying to) asking for help. Perhaps this happens - I do not know, but can imagine it can in some cases.
Now they will be able to say : "It can't be done, end of story, have a nice day." [Click]
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Insightful)
the server market cares about linux / VMware and dell can't risk having servers that only boot windows.
Sure, but those will be special server boxes sold at a 500% price premium. Because servers.
Average people will be priced out of that market.
Re: (Score:2)
Name one enterprise willing to accept that. Dell won't piss off their customers that badly no matter how much MS offers them. It would become the new Nokia. Which OEM would accept willfully the kiss of death MS would be forcing on them?
Re: (Score:3)
I can imagine a situation where they keep it LOCKED for their "business" customers and unlock for everyone else... IT will love it if they have a better way to lockdown their hardware and prevent somebody doing something stupid (or too clever) and increase their maintainence cost.
and laptops? (Score:5, Insightful)
I don't know about you, but I really don't have time to put together a laptop from components...
Re:and laptops? (Score:4, Interesting)
I do.
http://www.amazon.com/MSI-937-... [amazon.com]
Start there and buy the other parts. anyone semi competent can build one in under an hour. Guarentee MSI bare bones systems will not have secure boot locked and enforced on you.
Re: (Score:2)
Make no mistake. This is a literal and direct attack on Linux.
This isn't about Linux. People who buy a pre-built system from one of the big OEMs have no intention of installing an alternative OS, so this is a non-issue for them.
We nearly all started with a pre-built system. What Microsoft want is to prevent someone with such a system from trying out Linux, perhaps with a live CD, and liking it.
I started with a pre-built (did not have the knowledge back then to try anything else) pe-loaded with Windows, but have built my own ever since running Linux. Microsoft wont stop me now or ever, I am a lost cause to them; but they'd love to stop others following my path. That is what this is about.
No boot? (Score:3, Interesting)
"the core software components used to boot the machine are verified for correct cryptographic signatures, or the system refuses to boot"
Does that mean that IF malware infects the bootloader, the OS will not boot, BRICKING IT? Seems like an easy way for grandmothers to lose their whole computer with a click of the mouse.
Re:No boot? (Score:5, Funny)
You got it! We had to destroy the laptop in order to save it...
Re: (Score:2)
That could allow someone to run non-Windows on it, so that's right out.
Re: (Score:3)
Presumably that's better than having silent spyware like a key logger, which can cause significant financial harm far in excess just buying a new laptop.
Re:No boot? (Score:4, Insightful)
True - the problem is not the security, the problem is who it's working for.
If this comes to pass, you'll have to beg Microsoft's permission to run any software at all on hardware locked down like this.
First, you had to switch off SecureBoot. This probably discouraged a bunch of users who may have tried Linux out. Who wants to turn off a feature that sounds all... secure.
Now, you'll have to obtain and install special signed binaries. That will be a stumbling block for a few more.
Then eventually, they'll stop signing binaries, and the only operating system that will be bootable will be Windows.
And finally, they'll change the OS not to load anything that isn't signed with an MS key. Only MS approved and certified developers (with valid Visual Studio Cloud accounts!) will be able to produce software for Windows, and sell it through the Windows App Store only.
Re: (Score:2)
If that were the reason, it would be easy to fix:
1. Have firmware sha256sum the EFI loader. Does loader match stored key? If not, do not load it.
2. Include an option in setup for 'I just installed a new OS, update stored key on next boot.'
Re: (Score:2)
Meh.. My PC is worth more than my bank account and I'm not allowed credit. I'll take the spyware over the brick xD
Re: (Score:2)
I guess you'd be able to boot from a recovery USB stick/CD/etc.
Presumably the idea is malware will not be designed to infect such systems. After all being rendered unbootable is a sure way to get your victim PC taken into a repair shop, which then might submit the malware sample they find to AV vendors ...
Re: (Score:3)
Almost. If malware infects the bootloader, the OS will not boot - but that doesn't quite brick it. You can still boot off of removable media, providing the removable media contains a signed loader. This means that if you insert a Windows 8 or 10 installation CD/USBstick, or the manufacturer-supplied recovery disc (Well, the disc they make you burn to save five cents), you can boot off that and reinstall the OS. However, if you insert a linux* or Windows 7 disc, the firmware will not find a valid signature a
Re: (Score:2)
If something has compromised your system at the boot sector level, your entire machine is now completely compromised as well. What other option is there? Give the user a warning that they'll just ignore and click through?
One would assume these computers have some sort of "rescue disc" to boot from external media, recover data, and then reinstall the OS and core software.
Re: (Score:3)
"the core software components used to boot the machine are verified for correct cryptographic signatures, or the system refuses to boot"
Does that mean that IF malware infects the bootloader, the OS will not boot, BRICKING IT? Seems like an easy way for grandmothers to lose their whole computer with a click of the mouse.
You make it sound like running a corrupt/compromised system is a good thing. The system isn't supposed to let you alter the system files, but it might happen anyway for example by an exploit or mounting the drive in another computer. If it's just random bit flips I think Windows keeps backup copies anyway. If all the copies fail verification, it'll tell you the system is corrupt and insert a repair disc/USB stick with good copies. It's broken, not bricked. And whatever broke it, you probably want to fix. It
Simple Solution (Score:2)
Re: (Score:2)
Replacing the Microsoft SecureBoot key with my own PKI key is perhaps #3 on the list of things I do when configuring a new computer before ever installing a hard drive or OS - following enabling vPro AMT and then the BMC manager if present.
If I am unable to replace the master SecureBoot key with my own, that machine is getting packed up and sent right back to the OEM as defective.
I only buy OEM systems for work and build systems for home use. But the HP account for work sees a couple hundred computers a ye
Re: (Score:2)
Because for those who want laptops, build-your-own is not an option.
Re: (Score:2)
"Why anyone would buy a pre-built machines these days is beyond me." So, we can count you in the 1% who find a problem with this. MS knows they can get away with it. The only thing that will screw MS is for computing to move on from the PC. But business is still in MS's pocket, wants PCs, and wants someone to return the box to or get service on, so the HPs, Dells, etc. of the world will continue to support MS, they lost their souls long ago.
Re: (Score:2)
Re: (Score:2)
Allowed it, for now. But that means it would be easy for MS to apply pressure and turn 'allowed' into 'strongly encouraged.'
Steam Machines (Score:3)
Go buy a Steam Machine. There are already 15 vendors lined up to sell them. These OEMs are betting people are tired of this typical Microsoft BS. Prove them right and buy their machines and support their effort.
Slippery slope (Score:5, Insightful)
First they invented SecureBoot, but that was OK, because you could turn it off.
Then they prevented disabling it, but that was OK, because several non-Windows bootloaders are signed.
Next up will be refusing to sign the boot loaders which simply disable SecureBoot and load Linux/*BSD. That will be OK, because Ubuntu is properly signed including the kernel (I think).
After that it will only be certain commercial vendors who can get a certificate, but that will be OK, because Red Hat Enterprise Linux 8 will run, only allowing signed kernel modules.
Yes I hate slippery slope arguments too.
Re: (Score:2)
Because they didn't. "No worries, because Microsoft also mandated that every system must have a UEFI configuration setting to turn the protection off, allowing booting other operating systems. This situation may now change. At its WinHEC hardware conference in Shenzhen, China, Microsoft said the setting to allow Secure Boot to be turned off will become optional when Windows 10 a
Re:Slippery slope (Score:4, Interesting)
Unfortunately, it's not really Microsoft pushing us down this slippery slope. If anything it's the NSA.
The problem is boot sector or BIOS malware is now a real thing that needs real defences. It's not some obscure academic attack any more. Securing the boot chain is the only known way to fix this.
The real issues start once malware begins using Linux to install itself. That is, "I cannot infect or modify Windows because of the secure boot check. But I can install Linux and then load a special kernel module and then make the kernel chain into the Windows boot process after modifying it". So then you start needing signed kernels to check for signed kernel modules, etc. Eventually you end up with hardware that only runs signed code, and it's not because of some evil DRM conspiracy but because the openness of the PC platform has caused it to be so thoroughly bum-fucked by malware developers. I mean what are the manufacturers meant to do? Leave their 99% Windows userbase vulnerable to spying and horrible un-removable viruses because Team Linux has never managed to get OEMs on board to make Linux laptops? Doesn't make any sense, regardless of where your software sympathies may lie.
Re:Slippery slope (Score:5, Informative)
The problem is boot sector or BIOS malware is now a real thing that needs real defences. It's not some obscure academic attack any more.
Boot sector attacks have been a malware vector since..well...forever, back in the DOS3.x days we had Norton disk doctor to remove them manually.
Re: (Score:2)
Also if an alternative to SecureBoot were offered by a small security firm or FOSS project, how would they get their boot code signed??
Re: (Score:2)
My Toyota doesnt run with a Subaru engine.
You underestimate car enthusiasts. They can do things like that. And Toyota does not deliberately put in features to stop them.
Re: (Score:2)
I could install a subaru or even a Corvette engine in a toyota in a weekend. Just because you lack the education and skills on how to do it does not mean it's "impossible" or even difficult.
Engine swaps are actually quite simple to those of us that have the education. And they are highly common in the automotive world.
OEMs should prepare for rage (Score:2)
Secure Boot is clearly a clumsy means to lock out alternative OSs, and this announcement is the next step toward the untlimate in vendor lock-in.
Any OEM who doesn't implement the secure boot option (even on a single model) will face a wall of rage. I'm sure MS is offering the OEMs some type of poisoned candy to not implement it, though.
Re:OEMs should prepare for rage (Score:5, Insightful)
SecureBoot is a reasonable thing. It's when it's under the control of Microsoft, rather than the owner of the hardware, that it becomes a problem.
Make sure the OS is composed of files that are cryptographically signed and entirely legit? Fine.
Define "legit" as being "only those things signed with Microsoft keys"? Not so fine.
The current solution of a Linux bootloader signed by Microsoft is a stupid, half-baked compromise. I wouldn't have settled for it - nothing less than the ability to load my own signing keys into the BIOS being mandatory for all SecureBoot installations. And of course, disabling it.
Toooold Youuu! (Score:3, Interesting)
Yep, told you so.
I'd hope somebody keeps a public list of machines that are locked down. Although that probably won't keep the masses from buying.
This is "optional" for OEMs in the same way as they have the option to have MS break their legs or not.
You also disable UEFI for driver updates (Score:5, Interesting)
When I tried to update the graphics drivers for my Lenovo laptop, I got undocumented errors and a rollback. Later, on a whim, I disabled UEFI, and the drivers installed with no problem. I re-enabled UEFI afterwards, and the system still runs fine.
So unless you trust your vendor to deliver absolutely PERFECT drivers that will NEVER need updating, you wouldn't want a system that prevents you from disabling UEFI.
Isn't there a mechanism present to manage UEFI? (Score:2)
Funny but could become true in the future (Score:3)
Want to install Linux? Buy a Mac!
Bootablt utilities. (Score:5, Insightful)
For most people, its not about alternative operating systems.
Its about when they break the thing and bring it to me, and I cant fix it because I cant run any boot disks on it.
Trade-in value (Score:3, Insightful)
What will a locked secure boot loader (as opposed to one where UEFI can be switched off) do to the trade-in value for a used system?
Microsoft prohibited disabling UEFI Secure Boot on ARM devices back when Windows 8 support for them came out. And from what I have heard, this is one reason that old ARM hardware has a near zero value on the used equipment market. Meanwhile, x86 stuff still has a second life and some value.
Something to think about when selecting a Windows 10 system.
Less competition for Linux Ready Systems (Score:2)
So those systems that are Windows 10 locked will be unable to run Linux. This is great for those suppliers that support Linux as they will effectively have less competition.
I don't see the problem (Score:2)
I'm not buying a crippled system. Are you?
What about laptops? (Score:3)
This is the precise reason my next laptop is probably going to be ordered from someone like System76 or Zareason. I shouldn't have to do this silly UEFI dance with offerings from major "Big-Box" OEM's just to install my choice of OS on what is supposed to be MY system. So why not avoid all the BS and buy a portable from a manufacturer which actually specializes in building Linux machines?
Thinkpenguin, System76, Lemote... (Score:3)
Can't happen (Score:5, Informative)
When we pointed this out years ago, the Microsoft trolls told us to stop being silly, because it was optional and Microsoft would never, ever think of changing that. Why, the very idea!
Re: (Score:3)
What prevent Microsoft to change the key in the future ?
Re: (Score:2)
Yes. Microsoft could release a special version of his OS for 'lock in' machines with a new key that only boot on secure BIOS from this machines. This will make this machines unable to run any previous OS, including Linux. Or did I miss something ?
Re: (Score:3)
That said, this is a very appropriate time for everyone that predicted this is what MS had in mind when they first announced the Secure Boot standard so say "I told you so" to the MS apologists that denied it.
Re: No longer required (Score:4, Interesting)
If I understand you correctly, this confirm the possibility that Microsoft have the possibility to manage 2 classes of keys: the first keys class is the current one where Microsoft is willing to sign binaries not from them; the second keys class could be for 'lock in' machines where Microsoft keep full control on.
To be fair, I think that the 'lock in' keys class it's a logical step for Microsoft branded machines. But this could go very wrong if OEMs start to do the same by using the argument 'designed for Microsoft OS' because this will add 'and nothing else could run on it' to the argument. I suspect that the goal is to reserve top machines specifications to Microsoft and to only allow degraded specifications machines to run other OS. The market already have products with this kind of bias.
And yes, you are right. This evil plan was draw decades ago with the deep knowledge that it will only work at the time when the security feature will be so standard that no chip will be manufactured without it anymore.
The fact that Windows 10 is announced to be virtually free for almost everyone having a previous copy of Windows somewhere is a clear singe that the time have changed. The OS have no value anymore. The number of new software that only run on a single OS will drastically shrink, exacerbating the OS value problem. So the 'lock in' machines with exclusive specifications will be the only market where Microsoft could make money from the OS.
From my analysis, the Microsoft message is dual: 1) you don't need anything other that Windows 10 as it's virtually free for everyone; 2) You need Windows 10 to run top specifications machines. OEM market will almost certainly split the product range accordingly if no reaction prevent this.
Re: (Score:2)
They can revoke it all they want, but they can't get devices to accept the revocation without an update mechanism. If an update mechanism is in place for any particular device, it can be used by the end user just as it can be by MS, once any obscurity is peeled away. Of course, any such update mechanism isn't going to function for shit if you've replaced Windows 10 with Linux unless you've a got a full, independent stack backed into the EFI capable of going over the internets, fetching a revocation list,
Re: (Score:2)
Re: (Score:2)
The store's attorneys will just claim you faked the recording and invite you to spend the next 3 years trying to get your $1000 back.
Re: (Score:2)
At which point I would suggest that they talk to our states attorney general.
I don't know that many store managers who would in the first place.
BTW make sure to get the clerks info, store id, name whatever.
Re: (Score:3)
Because you will not be able to install your system wide Windows 7 image on it. If you ACTUALLY did IT for a corporation you would have already knew this. No corporation is going to run windows 10 for at least 3 years.