
OEMs Allowed To Lock Secure Boot In Windows 10 Computers

zappian

Do you think Microsoft will do this? I mean, the EU gave them hell over the whole browser thing.

I can't see this happening. It's just too much of a bother for Microsoft to go to court over this (anti-competitive practices), since they are the ones in charge of the whole signing thing.

Well they are planning to do it so they don't seem scared of the EU. What's even worse is that for some reason people are defending them even though this can only lead to bad things for consumers (I really can't think of a single benefit this new policy has). In the absolute best case scenario we won't notice any difference. In anything less than a best case scenario we customers get fucked over and lose control over our own computers.

I think the best outcome in the long run would be for some OEMs to abuse this new freedom they were given, and then both the OEMs and Microsoft get hit by a massive antitrust lawsuit so they won't ever think of doing anything stupid like this ever again.

By the way, Microsoft demanded that RT devices shipped with not only secure boot on, but they also demanded that there would be no option for users to turn it off. Since RT failed I fear that this is the first step they take on slowly phasing that policy into regular Windows as well. They have already tried to pull this exact thing once, and the only reason why they failed was because RT was a huge turd nobody wanted.


The EU can't do anything. All Microsoft says is that it needs to be enabled. SecureBoot is not a Microsoft feature to lock the OS. It is a UEFI feature to lock with your OS of choice (assuming it supports it), so that malware can't set itself to boot first and gain CPU supervisor privileges, which has a disastrous impact on the user's system (undetectable by anything). It is a serious security feature.

Microsoft says that it needs to be enabled for them to get Windows 10 certification. But it is up to them now (before Microsoft enforced it) to be able to give the user the choice to disable it. A good manufacturer will give you the option. It is sometimes needed for diagnostics and to avoid problems when upgrading Windows. Others, like Samsung, did everything they could to block it, so that people who tried to upgrade to Windows 8.1 turned their system into a brick and needed servicing. Samsung, completely late, released a UEFI update that removed their crap lock system. I don't know exactly how it worked, but as it failed on 8.1, I think the UEFI was checking some system file to make sure the OS is Windows 8, and they didn't think about 8.1.


The EU can't do anything. All Microsoft says is that it needs to be enabled. SecureBoot is not a Microsoft feature to lock the OS. It is a UEFI feature to lock with your OS of choice (assuming it supports it), so that malware can't set itself to boot first and gain CPU supervisor privileges, which has a disastrous impact on the user's system (undetectable by anything). It is a serious security feature.

It is a feature Microsoft was involved in developing and that they are now using their monopoly to make everyone implement. I think that's enough for an antitrust lawsuit, or at the very least I hope it is.

 

It is a much, much bigger deal than the stupid lawsuit they got hit with for shipping IE with their OS.


The EU can only do something if they force manufacturers to lock it on. Yes, Microsoft did play a part in the development with the UEFI group. But the idea was from UEFI.

Windows 8/10 aren't the only OSes that support it. FreeBSD, Ubuntu, Fedora and openSUSE all support it.

At the end of the day, the consumer's wallet will decide. Don't buy a system that locks UEFI. I can tell you that business-class systems will for sure have it, as most businesses change the OS (or keep the same but re-image the system with their own image).


I love Linux, but let's be honest. How many people actually use Linux as a main OS or dual boot?

 

It's not a good thing for Microsoft to have done. I'm not going to defend it. You own your computer, you should be able to disable this kind of feature.


The EU can only do something if they force manufacturers to lock it on. Yes, Microsoft did play a part in the development with the UEFI group. But the idea was from UEFI.

Windows 8/10 aren't the only OSes that support it. FreeBSD, Ubuntu, Fedora and openSUSE all support it.

At the end of the day, the consumer's wallet will decide. Don't buy a system that locks UEFI. I can tell you that business-class systems will for sure have it, as most businesses change the OS (or keep the same but re-image the system with their own image).

Microsoft have already tried to force manufacturers to lock it on. They did so with Windows RT, which is why I think it's so naive of people to say they won't try it again.

 

It doesn't really matter if other OSes support it because it isn't as simple as "oh we will just add support on our end and it will work for everyone!". Both the OS makers and the motherboard manufacturers have to support each other since there isn't a central certification authority established for it like we have with SSL certs. Microsoft is essentially the only OS maker with the right connections to make sure they are supported on each particular machine, because the OEMs are their customers.

There is no way some GNU/Linux distro maker can contact all the board makers and convince them to spend the time and money to verify and implement all the signatures needed to boot their specific distro. On top of that the distro maker would also have to invest in key management which can be very costly (especially since a leak could jeopardize the safety of all computers with Secure Boot).

 

You are not telling the whole truth in your posts and it is very concerning.

 

 

Voting with wallets doesn't work unless people know what they are voting for. Judging by all the apologists in this thread, and all the half truths being told, it seems unlikely that people would even realize what terrible things could happen. I mean, I don't think very many people in this thread knew that Microsoft forced OEMs of Windows RT systems to block all other OSes from being installed.

I don't understand how anyone can defend a decision where the only two possible outcomes are that in a best case scenario nothing changes and in all other scenarios consumers of computers lose the right to install whatever they want on their computer.


I love Linux, but let's be honest. How many people actually use Linux as a main OS or dual boot?

 

It's not a good thing for Microsoft to have done. I'm not going to defend it. You own your computer, you should be able to disable this kind of feature.

 

A lot of people actually lol.


Microsoft have already tried to force manufacturers to lock it on. They did so with Windows RT, which is why I think it's so naive of people to say they won't try it again.

Last I checked, I can't install iOS on an Android phone/tablet, or vice versa... huh...

 

It doesn't really matter if other OSes support it because it isn't as simple as "oh we will just add support on our end and it will work for everyone!". Both the OS makers and the motherboard manufacturers have to support each other since there isn't a central certification authority established for it like we have with SSL certs. Microsoft is essentially the only OS maker with the right connections to make sure they are supported on each particular machine, because the OEMs are their customers.

Do you have a source for this?

 

There is no way some GNU/Linux distro maker can contact all the board makers and convince them to spend the time and money to verify and implement all the signatures needed to boot their specific distro. On top of that the distro maker would also have to invest in key management which can be very costly (especially since a leak could jeopardize the safety of all computers with Secure Boot).

Looks like the listed Linux distros managed.

 

You are not telling the whole truth in your posts and it is very concerning.

The only problem is small independent distros of Linux; they will have a pretty hard time convincing that they are legit.

But in any case you can disable Secure Boot, and install the OS just fine.

 

 

Voting with wallets doesn't work unless people know what they are voting for. Judging by all the apologists in this thread, and all the half truths being told, it seems unlikely that people would even realize what terrible things could happen. I mean, I don't think very many people in this thread knew that Microsoft forced OEMs of Windows RT systems to block all other OSes from being installed.

Yup. But so far consumers are voting for low prices for high specs, even though the warranty is crap and tech support is crap as well. So that makes some manufacturers completely void the warranty if you change the system OS, even if it is an older or newer version of Windows. This is nothing new. Buy business-class systems if it is an issue. You pay more, BUT you have FAR better warranty and technical support service, you have a FAR better build quality system, you have a FAR better cooling system, and it supports multiple OSes. And some, like Lenovo ThinkPads, have proper Linux support including drivers. And also business-class systems have no junk! (at worst a trial version of A/V and the OEM software)

I don't understand how anyone can defend a decision where the only two possible outcomes are that in a best case scenario nothing changes and in all other scenarios consumers of computers lose the right to install whatever they want on their computer.

The way I see it, do your research properly, and vote with your wallet. Those that lock things down will pay the price.

You see a problem where there isn't one. Besides Samsung and Sony, which both left the PC business, MAYBE HP if they are suicidal. I think they saw how much their business went down the drain after selling all these Vista laptops with below-Vista specs, super cheap quality systems, with super cheap fan and cooling solutions (ironically they still do for that last one), and MAYBE low-end budget Lenovo, and Windows-powered tablets, I don't see it growing past that.

Again, no one complained about the fact that you can't install Android on an iOS device, same for the reverse, so clearly it has not been a problem.

Some manufacturers like Dell and Lenovo have excellent Linux systems. AND Dell has their more consumer-friendly XPS Developer Edition which runs Linux. As for desktops, I highly doubt that a Linux user buys a pre-built desktop. While I am sure you can probably get me examples, the majority of them custom build their system.


Last I checked, I can't install iOS on an Android phone, or vice versa... huh...

(I've seen a video on YouTube of an old iPhone running Android 2.x)

The thing is: no one likes when something you took for granted is taken away from you. Installing Linux distros used to be pretty simple (after all it is MY laptop I bought with MY money, right? I should be able to do whatever I want with it); now it makes it all more difficult, especially for new users.

As for desktops, I highly doubt that a Linux user buys a pre-built desktop. While I am sure you can probably get me examples, the majority of them custom build their system.

Do you have a source for this?

Also, there are something like 20 different laptop models that come with a Linux distro pre-installed. That's quite a limitation from the choice of over 500 models (I'm guessing) I have right now.

I don't understand how anyone can defend a decision where the only two possible outcomes are that in a best case scenario nothing changes and in all other scenarios consumers of computers lose the right to install whatever they want on their computer.

+one million

Last I checked, I can't install iOS on an Android phone/tablet, or vice versa... huh...

Yep, and I think that should be illegal. I should be allowed to install whatever I want on my computer. Also "b-b-but company X is doing the same bad thing so therefore you shouldn't be mad at company Y" is quite possibly the worst defense ever.

 

 

Do you have a source for this?

Do you not know how secure boot works? All the components in the boot chain get compared to a white list of signatures stored in the UEFI. That's why just supporting secure boot is not enough to actually be able to install an OS on a computer protected by it. If I were to implement secure boot in my own fictional OS then it still wouldn't boot because the signature is not present in the white list.

How can you have the audacity to defend Microsoft if you don't even know the basics of how secure boot works?

 

The reason why for example Ubuntu sometimes works with secure boot is because Canonical paid to have Microsoft sign their first stage bootloader with Microsoft's own certificate. You can read about Ubuntu's implementation of secure boot here. Since it also mentions the basics of secure boot it should be enough of a source to validate my previous claim as well. If you aren't satisfied with that then the "Making UEFI Secure Boot Work With Open Platforms" document someone linked earlier explains it as well.

Here is the FreeBSD wiki page that explains secure boot and how Fedora and Ubuntu solved it (having Microsoft sign their bootloaders).

 

 

Looks like the listed Linux distros managed.

Which list of GNU/Linux distros? Some of them managed by paying to have Microsoft's signature (which means handing all control over to Microsoft, and they can be shut down at any moment) and even then it doesn't. Like I said before, just supporting secure boot does not necessarily mean it will boot on a system with secure boot enabled (since that specific signature has to be added to the white list).

 

 

The only problem is small independent distros of Linux; they will have a pretty hard time convincing that they are legit.

But in any case you can disable Secure Boot, and install the OS just fine.

Except Microsoft is in full control of the large distros as well because of the reason stated above. It's not just small independent distros either, the world's most popular OS (Windows 7) does not support it at all.

I used to have a guarantee that I would be able to disable secure boot, but Microsoft has now removed that guarantee and that's why I am displeased.

 

 

Yup. But so far consumers are voting for low prices for high specs, even though the warranty is crap and tech support is crap as well. So that makes some manufacturers completely void the warranty if you change the system OS, even if it is an older or newer version of Windows. This is nothing new. Buy business-class systems if it is an issue. You pay more, BUT you have FAR better warranty and technical support service, you have a FAR better build quality system, you have a FAR better cooling system, and it supports multiple OSes. And some, like Lenovo ThinkPads, have proper Linux support including drivers. And also business-class systems have no junk! (at worst a trial version of A/V and the OEM software)

I shouldn't have to buy a business grade laptop to be able to install whichever OS I want... If that's your defense then that's a really shitty one. At least you acknowledge that there is a possibility that consumers will lose their freedom to install non-Microsoft approved OSes, or do modifications to Windows.

 

 

The way I see it, do your research properly, and vote with your wallet. Those that lock things down will pay the price.

You see a problem where there isn't one. Besides Samsung and Sony, which both left the PC business, MAYBE HP if they are suicidal. I think they saw how much their business went down the drain after selling all these Vista laptops with below-Vista specs, super cheap quality systems, with super cheap fan and cooling solutions (ironically they still do for that last one), and MAYBE low-end budget Lenovo, and Windows-powered tablets, I don't see it growing past that.

Again, no one complained about the fact that you can't install Android on an iOS device, same for the reverse, so clearly it has not been a problem.

Some manufacturers like Dell and Lenovo have excellent Linux systems. AND Dell has their more consumer-friendly XPS Developer Edition which runs Linux. As for desktops, I highly doubt that a Linux user buys a pre-built desktop. While I am sure you can probably get me examples, the majority of them custom build their system.

Now you are talking against yourself. First you say OEMs won't do it because of the backlash, then you say nobody is complaining about the same thing happening on mobile.

Like I said before, I think it's a horrible, horrible thing that is happening on mobile and I would gladly see it become illegal. I am totally fine with not being able to install something because the software simply doesn't work with the hardware, but I think any company that tries to block me from installing a competitor's software even though it would work just fine is evil and deserves to get slapped on the wrist so hard their hand falls off.


Isn't Microsoft the only company that can sign the required keys needed for Secure Boot though?

No, anyone can sign their things. The problem is with signature distribution. When secure boot is enabled, the UEFI will check the signature of every component in the boot chain and compare the signatures against a list of signatures embedded in the UEFI. If it encounters a signature not in its own database it won't boot.

Microsoft is currently the only company that can ensure that their signature will be in the database of the motherboards, and that's a very big issue.
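
As an added illustration of the signature database these posts describe (not code from the thread or from any vendor): the firmware's allow list lives in the UEFI variable `db` as a series of EFI_SIGNATURE_LIST structures holding X.509 certificates or SHA-256 image hashes, and this Python parser shows which entries a machine actually trusts. The sample bytes and owner GUID are constructed, and the efivarfs path assumes a Linux system.

```python
import os
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509-cert", EFI_CERT_SHA256_GUID: "sha256-hash"}

# Assumption: Linux with efivarfs mounted; the GUID is the UEFI image security database GUID.
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARFS_ATTR_LEN = 4  # efivarfs prepends a 4-byte attribute word to the variable data
LIST_HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def parse_signature_lists(data):
    """Parse concatenated EFI_SIGNATURE_LIST structures (the payload of db, dbx, KEK or PK)."""
    entries, offset = [], 0
    while offset < len(data):
        if len(data) - offset < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(data, offset)
        body_start = offset + LIST_HEADER.size + hdr_size
        end = offset + list_size
        # Reject sizes that would run past the buffer or loop forever.
        if body_start > end or end > len(data) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if (end - body_start) % sig_size:
            raise ValueError("signature area is not a whole number of entries")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for pos in range(body_start, end, sig_size):
            entries.append({
                "type": TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=data[pos:pos + 16])),
                "data": data[pos + 16:pos + sig_size],
            })
        offset = end
    return entries


def summarize(entries):
    """Count entries per (type, owner) pair: who is trusted, and by what kind of entry."""
    counts = {}
    for entry in entries:
        key = (entry["type"], entry["owner"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def make_list(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST from equal-length payloads (for the constructed sample)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    sig_size = 16 + len(payloads[0])
    return LIST_HEADER.pack(sig_type.bytes_le, LIST_HEADER.size + len(body), 0, sig_size) + body


# Constructed sample: a placeholder "certificate" and two placeholder hashes, not real keys.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (
    b"\x27\x00\x00\x00"  # constructed attribute word, as efivarfs would prepend
    + make_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x82\x00\x04demo"])
    + make_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [bytes(32), b"\xaa" * 32])
)

if __name__ == "__main__":
    if os.path.exists(DB_PATH):
        with open(DB_PATH, "rb") as fh:
            raw = fh.read()
    else:
        raw = SAMPLE_DB  # fall back to the constructed sample when not on a UEFI Linux host
    parsed = parse_signature_lists(raw[EFIVARFS_ATTR_LEN:])
    for (kind, owner), n in summarize(parsed).items():
        print(f"{n:3d} x {kind:12s} owner={owner}")
```

The same parser reads `dbx`, `KEK` and `PK`, which share this layout; each X.509 entry's `data` is a DER certificate that a tool such as `openssl x509 -inform DER` can display.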


What a greedy... With the latest UEFI, you can't install any Linux without trouble, you can't use DLCD Boot for maintenance, and even with the latest hardware you can't install Windows XP.


eeeeeeeeeewwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww


This might become a problem, especially on professional/business laptops which have encrypted BIOSes already, so any chance of modded BIOS is completely out of the question.


Well, just another reason we should all kick those who are dumb enough to buy pre-built machines in the nuts.


Holy crap, that's terrible. I hope some good manufacturers like Lenovo don't start doing this. I guess this is good for Microsoft since Linux is its competition.


Well, just another reason we should all kick those who are dumb enough to buy pre-built machines in the nuts.

Explain to me how you can build a laptop.


Explain to me how you can build a laptop.

Well seems they have their hardware locked down I really don't care if they have their OS locked down. I've not needed to upgrade my laptop in 5 years and probably won't in the next 2-3. So while you can't just build a laptop I honestly don't much care and if people are dumb enough to buy them from an OEM that locks them to Windows well tough luck to them. lol


Well seems they have their hardware locked down I really don't care if they have their OS locked down. I've not needed to upgrade my laptop in 5 years and probably won't in the next 2-3. So while you can't just build a laptop I honestly don't much care and if people are dumb enough to buy them from an OEM that locks them to Windows well tough luck to them. lol

 

It wouldn't matter for most people anyway since Windows is the most populated OS.


"I can't really think of a reason why an OEM would choose to lock Secure Boot on if they're not required to."

 

Microsoft would encourage them to do so through licensing or pricing arrangements. They don't gain much by refusing, and don't lose much by giving in.

 

What scum.


This must be targeted specifically at SteamOS


"I love Linux, but let's be honest. How many people actually use Linux as a main OS or dual boot?"

 

I was specifically planning to use Linux as my main OS for the next laptop I buy :(


"I love Linux, but let's be honest. How many people actually use Linux as a main OS or dual boot?"

 

I was specifically planning to use Linux as my main OS for the next laptop I buy :(

 

Dell sells laptops with Ubuntu pre-installed.


Sounds like SecuROM. *shudder*
