OEMs Allowed To Lock Secure Boot In Windows 10 Computers

zappian

Hardware that sports the "Designed for Windows 8" logo requires machines to support UEFI Secure Boot. When the feature is enabled, the core software components used to boot the machine are verified for correct cryptographic signatures, or the system refuses to boot. This is a desirable security feature, because it protects from malware sneaking into the boot process. However, it has an issue for alternative operating systems, because it's likely they won't have a signature that Secure Boot will authorize. No worries, because Microsoft also mandated that every system must have a UEFI configuration setting to turn the protection off, allowing booting other operating systems. This situation may now change. At its WinHEC hardware conference in Shenzhen, China, Microsoft said the setting to allow Secure Boot to be turned off will become optional when Windows 10 arrives. Hardware can be "Designed for Windows 10," and offer no way to opt out of the Secure Boot lock down. The choice to provide the setting (or not) will be up to the original equipment manufacturer.

 

http://tech.slashdot.org/story/15/03/20/2039251/oems-allowed-to-lock-secure-boot-in-windows-10-computers

 

TLDR?

Screw Linux and other operating systems, with the original BIOS in some computers you will only be able to use Windows 10.

YOU WON'T BE ABLE TO INSTALL ANY OTHER OS.

I was able to turn off Secure Boot on the prebuilt I was working on for a client, but now the gates of hell are open.


Damn, it's a shame for the retards who thought of that idea that I always take the time to learn how to mod the BIOS of any computer I buy, that and the fact that I always build my own desktops.

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


Time to make hacked BIOSes now :/

Yep

Wouldn't simply re-flashing the bios reset this? 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


Wouldn't simply re-flashing the bios reset this? 

 

Some prebuilts use custom motherboards afaik.

Like the Asus Essentio CM 1740, I could not find what motherboard that PC used.

I only knew that it was a FM1 socket.


Wouldn't simply re-flashing the bios reset this? 

It's hard coded, you would need to strip it from the bios as a workaround.


Some prebuilts use custom motherboards afaik.

Like the Asus Essentio CM 1740, I could not find what motherboard that PC used.

I only knew that it was a FM1 socket.

Story of the only desktop I ever bought pre-built.

What the hell, what's the point of that? Make it configurable like Win 8 prebuilt computers.

If your grave doesn't say "rest in peace" on it You are automatically drafted into the skeleton war.


So my question is why? There has to be some logical reason, at least from their standpoint, for doing this. Surely this wouldn't just be decided on a whim.

You know what's easier than buying and building a brand new PC? Petty larceny!
If you're worried about getting caught, here's a trick: Only steal one part at a time. Plenty of people will call the cops because somebody stole their computer -- nobody calls the cops because they're "pretty sure the dirty-bathrobe guy from next door jacked my heat sink."


The solution is simple: Linux needs to adapt.

 

Yeah, but other Microsoft operating systems are also locked.

Like Windows 7, for example.

These builds will only allow Windows 10.

If you use any bootable media with Windows 7 it will just ignore it.

This is my experience with UEFI safe boot.


Some prebuilts use custom motherboards afaik.

Like the Asus Essentio CM 1740, I could not find what motherboard that PC used.

I only knew that it was a FM1 socket.

F1A75-M I think.

 

And they should just leave it configurable... odds are most people buying a PC won't ever need to toggle it. Only the people that want to.


Unfortunately a lot of people buy prebuilt and they know that. This is their way of preventing people from seeking out competition/alternatives so that they are the only ones people can go to.

 

Microsoft needs to fall to its knees and burn. The world doesn't need it or its shitty OSes/products anymore.

|  The United Empire of Earth Wants You | The Stormborn (ongoing build; 90% done)  |  Skyrim Mods Recommendations  LTT Blue Forum Theme! | Learning Russian! Blog |
|"They got a war on drugs so the police can bother me.”Tupac Shakur  | "Half of writing history is hiding the truth"Captain Malcolm Reynolds | "Museums are racist."Michelle Obama | "Slap a word like "racist" or "nazi" on it and you'll have an army at your back."MSM Logic | "A new command I give you: love one another. As I have loved you, so you must love one another"Jesus Christ | "I love the Union and the Constitution, but I would rather leave the Union with the Constitution than remain in the Union without it."Jefferson Davis |


YOU WON'T BE ABLE TO INSTALL ANY OTHER OS.

I was able to turn off Secure Boot on the prebuilt I was working on for a client, but now the gates of hell are open.

Probably going to get the option to disable it, just a requirement for it to originally be enabled on a new system shipped with W10. A lot of the W8 laptops already have it enabled by default. Can be options to add hashes if you need secure boot enabled and need to boot other UEFI systems.

 

Seems to me HP and Dell seem to be the ones who like to lock things down, so those are the systems I personally would be wary of.


And they said Microsoft was the new Google.

 

Limiting someone to a certain OS is so wrong, it's like caging a bird.


I just re-installed my H87M Pro, and for secure boot you can simply set it for Windows or other, maybe this is getting blown out of proportion. I just re-read the OP, disregard what I just said.

I just re-installed my H87M Pro, and for secure boot you can simply set it for Windows or other, maybe this is getting blown out of proportion. I just re-read the OP, disregard what I just said.

Almost got ya :D


I don't believe this is legal in the EU.


I was a bit worried when I read the headline about this on Ars Technica, but reading into it, I can't really think of a reason why an OEM would choose to lock Secure Boot on if they're not required to.

I suppose it could be a selling point for people who want security, but don't keep their BIOS password protected, but I would like to believe that that's a small market.


The solution is simple: Linux needs to adapt.

Adapt how?

Every component in the boot chain needs to be signed and the signature needs to be added to the UEFI's white list. You can't expect all the developers that have contributed to, for example, GRUB and Linux to agree to signing it, then invest money into some way to keep the signatures valid and protected, and then contact each and every motherboard manufacturer and ask them to include the signatures. Including the signatures in the UEFI is also a big hassle for the motherboard manufacturers because they have to validate them as well.

 

 

And to everyone who is talking about prebuilds...

1) You probably have a laptop, which was prebuilt.

2) Look at your motherboard box. It probably says "Windows 7 ready", or "Windows 8 ready" on it. This will affect custom built PCs as well.

 

 

This is serious enough to warrant another antitrust case in my opinion.

 

 

 

I was a bit worried when I read the headline about this on Ars Technica, but reading into it, I can't really think of a reason why an OEM would choose to lock Secure Boot on if they're not required to.

I suppose it could be a selling point for people who want security, but don't keep their BIOS password protected, but I would like to believe that that's a small market.

Because it is less work for them. Microsoft are forcing them to implement it, but not forcing them to implement a way to turn it off. How many smartphones do you see that ship with an unlocked bootloader? Not very many.


In the end, it's up to the OEM to decide. Y'all should be hating on them instead of hating on MS. Maybe no OEM will do it. Maybe every OEM will allow Secure Boot to be disabled. And if they don't, well... BIOS modding is a thing, and Windows licences have already been inserted into UEFIs, so it won't be long until someone cracks down on a BIOS and breaks Secure Boot.

LTT's unofficial Windows activation expert.
 


In the end, it's up to the OEM to decide. Y'all should be hating on them instead of hating on MS. Maybe no OEM will do it. Maybe every OEM will allow Secure Boot to be disabled. And if they don't, well... BIOS modding is a thing, and Windows licences have already been inserted into UEFIs, so it won't be long until someone cracks down on a BIOS and breaks Secure Boot.

Microsoft deserves a ton of hate as well since they are the ones mandating that secure boot should be implemented and enabled by default. They are also the ones that changed their requirements from "users must be in control" to "you are free to screw your customers over".

 

Yes, BIOS modding is a thing, but this is a huge inconvenience for people who might want to try out SteamOS or Ubuntu or stick with Windows 7 (or earlier version of Windows). Having to mod the BIOS will scare most people off from ever trying a different OS.

 

 

You can't crack secure boot just because the Microsoft signature is already in there. That's not how signatures work. Even if you have the signature (which is very easy to find) you can't sign your own things with the same one.
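
The point about signatures above, together with the earlier remark about enrolling hashes, as an added example that is not part of the original posts: a simplified model of the firmware's allow (db) and deny (dbx) decision. Textbook RSA with toy parameters stands in for real certificates, and the key, loader bytes and function names are constructed for illustration.

```python
import hashlib

# Toy textbook RSA standing in for a vendor signing key (assumption: real
# Secure Boot uses X.509 certificates and Authenticode signatures instead).
P, Q = 2**127 - 1, 2**89 - 1            # two known Mersenne primes
N, E = P * Q, 65537                     # public half, the part firmware stores
D = pow(E, -1, (P - 1) * (Q - 1))       # private half, held only by the signer

def digest(image: bytes, n: int) -> int:
    """SHA-256 of the image, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image: bytes, private_exp: int, n: int) -> int:
    return pow(digest(image, n), private_exp, n)

def signature_ok(image: bytes, sig: int, public_key) -> bool:
    """Verification needs only the public key and is bound to the image hash."""
    n, e = public_key
    return pow(sig, e, n) == digest(image, n)

def firmware_allows(image, sig, db_keys, db_hashes, dbx_hashes) -> bool:
    """Simplified policy: dbx (deny list) wins, then db hashes, then db keys."""
    h = hashlib.sha256(image).hexdigest()
    if h in dbx_hashes:
        return False
    if h in db_hashes:
        return True
    return sig is not None and any(signature_ok(image, sig, k) for k in db_keys)

# Constructed sample boot loaders, not real binaries.
VENDOR_LOADER = b"constructed vendor boot loader"
OTHER_LOADER = b"constructed alternative boot loader"
VENDOR_SIG = sign(VENDOR_LOADER, D, N)
DB_KEYS = [(N, E)]

def demo() -> dict:
    other_hash = hashlib.sha256(OTHER_LOADER).hexdigest()
    vendor_hash = hashlib.sha256(VENDOR_LOADER).hexdigest()
    return {
        "vendor_signed": firmware_allows(VENDOR_LOADER, VENDOR_SIG, DB_KEYS, set(), set()),
        "copied_signature": firmware_allows(OTHER_LOADER, VENDOR_SIG, DB_KEYS, set(), set()),
        "unsigned": firmware_allows(OTHER_LOADER, None, DB_KEYS, set(), set()),
        "owner_enrolled_hash": firmware_allows(OTHER_LOADER, None, DB_KEYS, {other_hash}, set()),
        "revoked": firmware_allows(VENDOR_LOADER, VENDOR_SIG, DB_KEYS, set(), {vendor_hash}),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:20} {'boots' if allowed else 'refused'}")
```

The `owner_enrolled_hash` case only works on firmware that lets the owner edit db, which is the configurability the thread is arguing about.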


Microsoft deserves a ton of hate as well since they are the ones mandating that secure boot should be implemented and enabled by default. They are also the ones that changed their requirements from "users must be in control" to "you are free to screw your customers over".

 

Yes, BIOS modding is a thing, but this is a huge inconvenience for people who might want to try out SteamOS or Ubuntu or stick with Windows 7 (or earlier version of Windows). Having to mod the BIOS will scare most people off from ever trying a different OS.

 

 

You can't crack secure boot just because the Microsoft signature is already in there. That's not how signatures work. Even if you have the signature (which is very easy to find) you can't sign your own things with the same one.

 

I agree, Microsoft shoves this up the OEMs' face if they want "certification".

 

Now they say the option to turn it off is "optional".

 

And people ask me why I like Linux more and more.

