
OEMs Allowed To Lock Secure Boot In Windows 10 Computers

zappian

Secure boot is a good idea, but ONLY if the consumers have full control over it. With this change we might not have control anymore.

I agree, Linus Torvalds is completely right about this.

 

It's a shame that we are now moving towards these "horribly horribly bad things" he spoke about.

 

Microsoft is abusing secure boot a lot.

I am fine if they implement it with an option to turn it off, I installed Windows 7 on a Windows 8 secure boot machine.

But if that option isn't there you need to flash your motherboard with a custom BIOS, risking bricking it, and it's a fucking hassle for the consumer, even the tech-savvy consumer.


It means you can't install uncertified software (as in operating systems or different bootloaders, not your Chrome or whatever that runs in the OS) to the computer. It doesn't mean you can install something a number of times, so yes, you can install it whoever you want, though I dunno if it's going to work with 7 and below because those aren't certified, since this wasn't in place at that time.

 

FWIW my old Z77 has UEFI 2.3.1 and you do not need to go to the trouble of owning keys and signing the boot loaders. There are options to simply add a hash, although these BIOS options are generally hidden.

 


 

For example trying to boot a UEFI shell that is not signed with secure boot enabled and "Query User" set..


 

Simply allow to launch or append the hash to never be asked again.

 

These options are also available on my Haswell laptop, after unhiding. Personally however I have no use for secure boot so it's disabled.

 

As for W7 unfortunately winload.efi is chained to the Windows boot manager but how hard would it be for MS to sign winload.efi through a Windows update to make it work with secure boot? That's a rhetorical question BTW.
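A hash enrolled in the Secure Boot allow list (db), as in the post above, is not a plain file hash: the UEFI specification uses the Authenticode digest of the PE image, which leaves out the checksum field and any embedded signature. The following is an added example, not part of the original post; `build_sample_pe` and its stand-in signature bytes are constructed sample input.

```python
import hashlib
import struct

def authenticode_sha256(pe: bytes) -> str:
    """Authenticode SHA-256 of a PE/COFF image: skips CheckSum and the signature."""
    pe_off, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    num_sections, = struct.unpack_from("<H", pe, pe_off + 6)
    opt_size, = struct.unpack_from("<H", pe, pe_off + 20)
    opt = pe_off + 24                                   # optional header start
    magic, = struct.unpack_from("<H", pe, opt)
    checksum = opt + 64                                 # CheckSum field (4 bytes)
    # Data directory entry 4 is the Certificate Table (file offset, size).
    cert_dir = opt + (112 if magic == 0x20B else 96) + 4 * 8
    hdr_size, = struct.unpack_from("<I", pe, opt + 60)  # SizeOfHeaders
    cert_size, = struct.unpack_from("<I", pe, cert_dir + 4)

    h = hashlib.sha256()
    h.update(pe[:checksum])                             # headers up to CheckSum
    h.update(pe[checksum + 4:cert_dir])                 # skip CheckSum
    h.update(pe[cert_dir + 8:hdr_size])                 # skip Certificate Table entry
    hashed = hdr_size
    table = opt + opt_size                              # section table
    sections = [struct.unpack_from("<II", pe, table + 40 * i + 16)
                for i in range(num_sections)]           # (SizeOfRawData, PointerToRawData)
    for raw_size, raw_ptr in sorted(sections, key=lambda s: s[1]):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    h.update(pe[hashed:len(pe) - cert_size])            # trailing data, minus signature
    return h.hexdigest()

def build_sample_pe(code=b"\xc3", checksum=0, signature=b"") -> bytes:
    """Constructed minimal PE32+ EFI application with one .text section."""
    hdr_size, raw = 0x200, code.ljust(0x200, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<II", opt, 60, hdr_size, checksum)
    struct.pack_into("<H", opt, 68, 10)                 # Subsystem: EFI application
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    if signature:                                       # stand-in for a real signature blob
        struct.pack_into("<II", opt, 112 + 32, hdr_size + len(raw), len(signature))
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(code), 0x1000,
                                        len(raw), hdr_size, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + bytes(opt) + sect).ljust(hdr_size, b"\0") + raw + signature

if __name__ == "__main__":
    unsigned = build_sample_pe()
    signed = build_sample_pe(checksum=0x1234, signature=b"S" * 64)
    print(authenticode_sha256(unsigned))
    print(authenticode_sha256(unsigned) == authenticode_sha256(signed))
```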


One of my friends who disgracefully bought a prebuilt had secure boot for windows 8. So there went his chance of installing any sort of Linux distro.


My motherboard has Secure Boot capabilities, and it is enabled in the UEFI, but Windows says it's disabled. Was I supposed to download a separate bootloader from Asus? All Secure Boot does is prevent rootkits, no?

My PC specifications are in my profile.


In the end, it's up to the OEM to decide. Y'all should be hating on them instead of hating on MS. Maybe no OEM will do it. Maybe every OEM will allow Secure Boot to be disabled. And if they don't, well... BIOS modding is a thing, and Windows licences have already been inserted into UEFIs, so it won't be long until someone cracks down on a BIOS and breaks Secure Boot.

If some OEMs allow us to disable this, I'll be happy to support them by buying their products but in all honesty: how many Android phones come with an unlocked bootloader?

Of course the Linux community will find something around this, but it's already scary enough for newbies to install Linux as it is now. If we need to tell future Linux users "Hey, you should first reflash your BIOS with this thing you need to download from the evil internet and which may brick your PC forever", it will be even harder to lure some new users into the Linux community.

 

Again, as iFixit always says: you don't truly own the products you buy anymore.

Why is SpongeBob the main character when Patrick is the star?


If some OEMs allow us to disable this, I'll be happy to support them by buying their products but in all honesty: how many Android phones come with an unlocked bootloader?

Of course the Linux community will find something around this, but it's already scary enough for newbies to install Linux as it is now. If we need to tell future Linux users "Hey, you should first reflash your BIOS with this thing you need to download from the evil internet and which may brick your PC forever", it will be even harder to lure some new users into the Linux community.

 

Again, as iFixit always says: you don't truly own the products you buy anymore.

First of all, all unbranded Samsung devices come with an unlocked bootloader. All Nexus devices have unlockable bootloaders. All HTC devices made after 2011 and unless explicitly denied by carriers, have an unlockable bootloader. I know that unlockable is not the same as unlocked, but it's just like having Secure Boot that can be disabled.

LTT's unofficial Windows activation expert.
 


My motherboard has Secure Boot capabilities, and it is enabled in the UEFI, but Windows says it's disabled. Was I supposed to download a separate bootloader from Asus? All Secure Boot does is prevent rootkits, no?

 

Lol no.

Classically if the OEM gives you the possibility to toggle it off, when on it just ignores any bootable media that has other OSes than for example 7 or a Linux distro.

If it's on you CAN'T install any other OS, it's simply not possible, I have been there.

If the OEM chooses to deny you the option to turn it off you need to wait for a custom BIOS to go over that restriction and you have to flash your motherboard, which is a risk always.


I don't believe this is legal in the EU

AFAIK it isn't.

 

So if you buy a Win10 laptop, be sure to do your research beforehand to make sure the UEFI isn't locked.


Lol no.

Classically if the OEM gives you the possibility to toggle it off, when on it just ignores any bootable media that has other OSes than for example 7 or a Linux distro.

If it's on you CAN'T install any other OS, it's simply not possible, I have been there.

If the OEM chooses to deny you the option to turn it off you need to wait for a custom BIOS to go over that restriction and you have to flash your motherboard, which is a risk always.

 

My brother and I are the OEMs in this case, which is why I was asking if there are any true benefits to enabling it besides rootkit prevention.

My PC specifications are in my profile.


AFAIK it isn't.

 

So if you buy a Win10 laptop, be sure to do your research beforehand to make sure the UEFI isn't locked.

In that case, I think Microsoft may have shot themselves in the foot.

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


Yeah but other Microsoft operative systems are also locked.

Like Windows 7 for example.

These builds will only allow Windows 10.

If you use any bootable media with Windows 7 it will just ignore it.

This is my experience with UEFI safe boot.

If you're not going to use Linux, who cares? Windows 7 is an old OS, nobody should care for it.

CPU: Intel Core i7 2600k | Motherboard: ASUS P8z68v-Pro | GPU: EVGA GTX780Ti 3GB | RAM: Kingston HyperX Genesis 8GB (4GBx2) 1600mhz | PSU: Corsair AX760 | STORAGE: Samsung 840 Pro 512GB | COOLER: Noctua NH-C14 | CASE: Fractal Design Define R4 Pearl Black | Operating System: Windows 7 Professional 64-bit |


If you're not going to use Linux, who cares? Windows 7 is an old OS, nobody should care for it.

It still has a shitload less issues than Win 8/8.1, and more businesses use it than Windows 8/8.1, so......

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


It still has a shitload less issues than Win 8/8.1, and more businesses use it than Windows 8/8.1, so......

Any proof of that? In the beginning it might have had a lot of issues, but most of those are fixed.

CPU: Intel Core i7 2600k | Motherboard: ASUS P8z68v-Pro | GPU: EVGA GTX780Ti 3GB | RAM: Kingston HyperX Genesis 8GB (4GBx2) 1600mhz | PSU: Corsair AX760 | STORAGE: Samsung 840 Pro 512GB | COOLER: Noctua NH-C14 | CASE: Fractal Design Define R4 Pearl Black | Operating System: Windows 7 Professional 64-bit |


Any proof of that? In the beginning it might have had a lot of issues, but most of those are fixed.

This isn't quite what I was looking for in regards to businesses, but Windows 8/8.1 got rekt: http://venturebeat.com/2014/11/01/windows-8-and-8-1-finally-pass-15-market-share-windows-xp-drops-below-20-mark/

 

Edit: this should be more up to date. Should - http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


Only affects pre-built PCs.

Yep, like all laptops and the vast majority of desktops that are sold.

 

This will not stop you from building a PC and installing any OS on it, including Windows 10, Secure Boot is not mandatory to install Windows 10, it's only mandatory for some fucking "props" from Microsoft. Only OEMs might care about that and frankly, they haven't given a flying fuck so far, so it's not likely they will change.

Secure Boot is mandatory for everything with a Windows 8 or 10 sticker on it, and OEMs have given a flying fuck about it because they want the stickers on the boxes.

 

Just having Windows 10 installed from the OEM factory won't make it impossible to install Linux or any other OS, the OEM will have the OPTION to stop that, but since they haven't been doing so with Windows 8, there is no reason for them to start doing it now. It will not benefit them at all to do so, OEM Windows is as close to $0 as it is, Microsoft can't entice the OEMs to activate Secure Boot.

The OEMs didn't have the option to stop other OSes from being installed with Windows 8 because Microsoft demanded that they had an on/off switch.

For some reason Microsoft changed that policy. If you don't think it's because someone wanted to remove the option then feel free to explain to me why Microsoft changed their policy. They don't change policies for the fun of it so clearly some OEM has contacted Microsoft about it, or Microsoft themselves think they will benefit from OEMs not allowing users to switch/modify their OS.

If you don't think Microsoft or any OEM is planning on removing the option to disable Secure Boot then please explain to me why the policy was changed to begin with.

 

 

 

Any proof of that? In the beginning it might have had a lot of issues, but most of those are fixed.

It makes me so sad that people have this mentality. "My freedom to do X was taken away? Meh I never did that anyway, and neither should anyone else".

Microsoft and the OEMs should just fuck off with the entire idea that they should control which software you are allowed to run on YOUR computer. Same goes for phones as well.


Well, maybe I'm wrong but things might not change, I mean, it's not like Microsoft is paying them to make the option disappear.

Plus it might allow companies to secure their fleet by buying PCs that can run only a secured OS. You know how easy it is to get a Win password with a Red Hat on a liveCD?

10 min tops, and I'm not good at this game. I hope it will only be applied to professional builds, not retail or enthusiast motherboards.

 

EDIT: It doesn't concern stand alone motherboard, just pre-builds, my bad.

Then I don't think any OEM would do it for the retail pre-builds. We are in 2015, not 2005. There is always a geek around now. I'm as sure as I can be that "normal" people will eventually learn of this and blame/boycott the OEM/models which don't allow them to change the OS. Even if they would never change their OS in the first place.


If you're not going to use Linux, who cares? Windows 7 is an old OS, nobody should care for it.

 

https://yourlogicalfallacyis.com/anecdotal

 

So just because you don't like Win 7 it's okay that MS limits people's freedom.

I use Windows 7 because the Metro UI is absolute crap.

A lot of people dislike Windows 8 also.

http://www.infoworld.com/article/2618073/microsoft-windows/windows-8-review--yes--it-s-that-bad.html

But that's beside the point really, anyone SHOULD be able to install whatever god damned OS they want on the hardware they bought.


Well, maybe I'm wrong but things might not change, I mean, it's not like Microsoft is paying them to make the option disappear.

Plus it might allow companies to secure their fleet by buying PCs that can run only a secured OS. You know how easy it is to get a Win password with a Red Hat on a liveCD?

10 min tops, and I'm not good at this game. I hope it will only be applied to professional builds, not retail or enthusiast motherboards.

I think of it this way, Microsoft 'allows' OEM's to lock secure boot then if they pay OEM's behind people's backs it appears to be solely the OEM's decision to lock secure boot.

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


https://yourlogicalfallacyis.com/anecdotal

 

So just because you don't like Win 7 it's okay that MS limits people's freedom.

I use Windows 7 because the Metro UI is absolute crap.

A lot of people dislike Windows 8 also.

http://www.infoworld.com/article/2618073/microsoft-windows/windows-8-review--yes--it-s-that-bad.html

But that's beside the point really, anyone SHOULD be able to install whatever god damned OS they want on the hardware they bought.

As of the 1st of October last year this was the market share of Microsoft OS, with 91.53% overall:

Windows 7 - 53.05%

Windows XP - 12.18%

Windows 8.1 - 10.92%

Windows 8 - 5.88%

Windows Vista - 2.82%

Windows Old - 1.68%

 

Mac OS totaled 7.05% and Linux 1.41%

http://venturebeat.com/2014/11/01/windows-8-and-8-1-finally-pass-15-market-share-windows-xp-drops-below-20-mark/

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


I think of it this way, Microsoft 'allows' OEM's to lock secure boot then if they pay OEM's behind people's backs it appears to be solely the OEM's decision to lock secure boot.

OEMs aren't stupid enough to accept this kind of honeypot. Eventually it was the necessary condition for them to have Windows 10 for free but, again, it's a little too evil to be true.

I think of it this way, Microsoft 'allows' OEM's to lock secure boot then if they pay OEM's behind people's backs it appears to be solely the OEM's decision to lock secure boot.

The problem with that way of thinking is that it doesn't take into consideration that Microsoft are also forcing OEMs to implement Secure Boot and also have it on by default.

I think my gun analogy is pretty accurate.

Basically, Microsoft is handing out loaded guns and then going "Hey! You are NOT allowed to put the guns down ever, and they have to be loaded at all times, you are free to put the safety on but it will be off when I give them to you". You can't just say "wow Microsoft is innocent! They were allowed to put the safety on if they wanted" if someone ends up being shot.


OEMs aren't stupid enough to accept this kind of honeypot. Eventually it was the necessary condition for them to have Windows 10 for free but, again, it's a little too evil to be true.

It's Microsoft, they've already managed to scare devs away from OpenGL so that DirectX would be used most (effectively blocking Linux and Mac OSX from being tough competition), so I wouldn't put them past the bastards to try.

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


"You can't just say "wow Microsoft is innocent! They were allowed to put the safety on if they wanted" if someone ends up being shot."

 

It's more like this:

"You can't just say "wow Microsoft is guilty! OEMs were allowed to leave the safety on if they wanted' if someone ends up not being shot when they should have been."

 

if you want to stick with the [safety = disable safe boot setting] and [someone = a hacker with a nasty OS to crack the Win10 used in a company fleet]
