OEMs Allowed To Lock Secure Boot In Windows 10 Computers

zappian

So my question is why? There has to be some logical reason, at least from their standpoint, for doing this. Surely this wouldn't just be decided on a whim.

 

Just because Microsoft isn't mandating it doesn't mean that anyone will actually ship a BIOS with this feature locked. 

 

You guys are freaking out over nothing. 

 

 

Holy crap, that's terrible. I hope some good manufacturers like Lenovo don't start doing this. I guess this is good for Microsoft since Linux is its competition.

 

Linux is competition in the same way that the 4th grade PE class is competition for the olympics.

 

 

 

4K // R5 3600 // RTX2080Ti

"I can't really think of a reason why an OEM would choose to lock Secure Boot on if they're not required to."

 

Microsoft would encourage them to do so through licensing or pricing arrangements. They don't gain much by refusing, and don't lose much by giving in.

 

What scum.

Not only that but OEMs don't want people to modify the machine in any way, including switching OS, then dealing with idiots that don't know what they're doing complaining something suddenly stopped working, so it falls in line with their usual "don't screw with our shite" attitude

| CPU: i7-4770K @4.6 GHz, | CPU cooler: NZXT Kraken x61 + 2x Noctua NF-A14 Industrial PPC PWM 2000RPM  | Motherboard: MSI Z87-GD65 Gaming | RAM: Corsair Vengeance Pro 16GB(2x8GB) 2133MHz, 11-11-11-27(Red) | GPU: 2x MSI R9 290 Gaming Edition  | SSD: Samsung 840 Evo 250gb | HDD: Seagate ST1000DX001 SSHD 1TB + 4x Seagate ST4000DX001 SSHD 4TB | PSU: Corsair RM1000 | Case: NZXT Phantom 530 Black | Fans: 1x NZXT FZ 200mm Red LED 3x Aerocool Dead Silence 140mm Red Edition 2x Aerocool Dead Silence 120mm Red Edition  | LED lighting: NZXT Hue RGB |

"I can't really think of a reason why an OEM would choose to lock Secure Boot on if they're not required to."

 

Microsoft would encourage them to do so through licensing or pricing arrangements. They don't gain much by refusing, and don't lose much by giving in.

 

What scum.

 

Until recently Microsoft was the one that enforced the customer have a way to bypass it. All they have done is allow the OEMs to choose. MS have little to gain from such a move.

 

This must be targeted specifically at SteamOS

 

Not likely, because MS makes 75+% of its revenue from corporate and business sales, they are not likely worried about a gaming platform. 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  

Not likely, because MS makes 75+% of its revenue from corporate and business sales, they are not likely worried about a gaming platform. 

 

Not to mention SteamOS is a subset of gamers on PCs, and a subset of Linux users on PCs, and a subset of ultra early adopters...

 

This is like the big 3 motor companies freaking out because some guy built his own car in his garage. Microsoft knows that they exist, they just don't care that they might lose their business from a minority of a minority of a minority. It would cost them too much money to care.

Primary:

Intel i5 4670K (3.8 GHz) | ASRock Extreme 4 Z87 | 16GB Crucial Ballistix Tactical LP 2x8GB | Gigabyte GTX980ti | Mushkin Enhanced Chronos 240GB | Corsair RM 850W | Nanoxia Deep Silence 1| Ducky Shine 3 | Corsair m95 | 2x Monoprice 1440p IPS Displays | Altec Lansing VS2321 | Sennheiser HD558 | Antlion ModMic

HTPC:

Intel NUC i5 D54250WYK | 4GB Kingston 1600MHz DDR3L | 256GB Crucial M4 mSATA SSD | Logitech K400

NAS:

Thecus n4800 | WD White Label 8tb x4 in raid 5

Phones:

Oneplux 6t (Mint), Nexus 5x 8.1.0 (wifi only), Nexus 4 (wifi only)

Yeah but other Microsoft operating systems are also locked.

Like windows 7 for example.

These builds will only allow windows 10.

If you use any bootable media with windows 7 it will just ignore it .

This is my experience with UEFI safe boot.

I'm on a Win 7 laptop right now running Ubuntu from a USB.. It didn't ignore anything.

/AMD FX-6350 o/c to 4.4/Sapphire r9 270x 2GB/2x8GB HyperX Fury red/MSI 970 Gaming/EVGA 500B/NZXT S340/Corsair H100i V2/HyperX Fury 120GB SSD, Seagate Barracuda 1TB/                                   

Adapt how?

Every component in the boot chain needs to be signed and the signature needs to be added to the UEFI's white list. You can't expect all the developers that have contributed to for example GRUB and Linux to agree to signing it, then invest money into some way to keep the signatures valid and protected, and then contact each and every motherboard manufacturer and ask them to include the signatures. Including the signatures in the UEFI is also a big hassle for the motherboard manufacturers because they have to validate them as well.

 

I haven't bothered to read the rest of post after the third page so I might be repeating someone.

Ubuntu has already found a way to load up work with secure boot and have a UEFI Grub boot. The only way for this to work is to not flash your usb with the iso distro but just copy and paste the internal files onto the usb to boot from.

I currently use my ubuntu installation on my secure boot laptop, and yes secure boot is on because if I turn it off, I lose the ability to boot into windows because insecure grub overwrote the windows mbr and removed windows from the list.

Of course this only works when a linux distro is based on a large distribution linux and not small self-signed distros that you made yourself.

 

A quick google search will have many articles on how to boot from a live linux usb through secure boot.

Since Ubuntu 14.04, secure UEFI has been supported.

Information Security is my thing.

Running a entry/mid-range pc, upgrading it slowly.

I haven't bothered to read the rest of post after the third page so I might be repeating someone.

Ubuntu has already found a way to load up work with secure boot and have a UEFI Grub boot. The only way for this to work is to not flash your usb with the iso distro but just copy and paste the internal files onto the usb to boot from.

I currently use my ubuntu installation on my secure boot laptop, and yes secure boot is on because if I turn it off, I lose the ability to boot into windows because insecure grub overwrote the windows mbr and removed windows from the list.

Of course this only works when a linux distro is based on a large distribution linux and not small self-signed distros that you made yourself.

 

A quick google search will have many articles on how to boot from a live linux usb through secure boot.

Since Ubuntu 14.04, secure UEFI has been supported.

It's a shame you didn't read the rest of the pages because I have already explained why for example Ubuntu can boot through secure boot, as well as why the situation is still very, very bad.

 

The reason why for example Ubuntu sometimes works with secure boot is because Canonical paid to have Microsoft sign their first stage bootloader with Microsoft's own certificate. You can read about Ubuntu's implementation of secure boot here. Since it also mentions the basics of secure boot it should be enough of a source to validate my previous claim as well. If you aren't satisfied with that then the "Making UEFI Secure Boot Work With Open Platforms" document someone linked earlier explains it as well.

Here is the FreeBSD wiki page that explains secure boot and how Fedora and Ubuntu solved it (having Microsoft sign their bootloaders).

 

-snip-

 

Which list of GNU/Linux distros? Some of them managed by paying to have Microsoft's signature (which means handing all control over to Microsoft, and they can be shut down at any moment) and even then it doesn't. Like I said before, just supporting secure boot does not necessarily mean it will boot on a system with secure boot enabled (since that specific signature has to be added to the white list).

 

-snip-

 

Microsoft are in full control of the large distros as well because of the reason stated above. It's not just small independent distros either, the world's most popular OS (Windows 7) does not support it at all.

I used to have a guarantee that I would be able to disable secure boot, but Microsoft has now removed that guarantee and that's why I am displeased.
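The white list discussed in the posts above is stored in the firmware's `db` variable as a sequence of `EFI_SIGNATURE_LIST` structures. As an added example (not part of any post in this thread), the Python below classifies the Secure Boot state and lists what a `db` blob trusts; the sample bytes, owner GUID and helper names are constructed for illustration.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
}
HEADER = 28  # 16-byte type GUID + three little-endian uint32 sizes


def strip_attrs(raw):
    """efivarfs files start with a 4-byte attribute word; return the data."""
    if len(raw) < 4:
        raise ValueError("shorter than the efivarfs attribute header")
    return raw[4:]


def secure_boot_state(secureboot_raw, setupmode_raw):
    """Classify the platform from the SecureBoot and SetupMode variables."""
    sb, sm = strip_attrs(secureboot_raw), strip_attrs(setupmode_raw)
    if len(sb) != 1 or len(sm) != 1:
        raise ValueError("SecureBoot and SetupMode are one byte each")
    if sm[0] == 1:
        return "setup"  # no Platform Key enrolled, nothing is enforced
    return "enforcing" if sb[0] == 1 else "disabled"


def parse_signature_lists(data):
    """Walk concatenated EFI_SIGNATURE_LIST structures (db, dbx, KEK, PK)."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if (sig_size <= 16 or list_size < HEADER + hdr_size
                or off + list_size > len(data)):
            raise ValueError("inconsistent sizes in EFI_SIGNATURE_LIST")
        body = data[off + HEADER + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            payload = body[i + 16:i + sig_size]
            entries.append({
                "type": SIG_TYPES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=body[i:i + 16])),
                "size": len(payload),
                "fingerprint": hashlib.sha256(payload).hexdigest(),
            })
        off += list_size
    return entries


def build_list(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST; used only to construct the sample."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    sizes = struct.pack("<III", HEADER + len(body), 0, 16 + len(payloads[0]))
    return sig_type.bytes_le + sizes + body


# Constructed sample, not read from real firmware: one placeholder
# "certificate" and two image hashes under a made-up owner GUID.
X509, SHA256 = list(SIG_TYPES)
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (
    struct.pack("<I", 0x27)
    + build_list(X509, OWNER, [b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT"])
    + build_list(SHA256, OWNER, [hashlib.sha256(b"image-a").digest(),
                                 hashlib.sha256(b"image-b").digest()])
)

if __name__ == "__main__":
    print(secure_boot_state(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"))
    for entry in parse_signature_lists(strip_attrs(SAMPLE_DB)):
        print(entry["type"], entry["owner"], entry["size"], entry["fingerprint"][:16])
```

On a Linux machine the real inputs are the files `SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c`, `SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c` and `db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` under `/sys/firmware/efi/efivars/`.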

 

It's a shame you didn't read the rest of the pages because I have already explained why for example Ubuntu can boot through secure boot, as well as why the situation is still very, very bad.

This situation is what HTTPS is headed for, except instead of one authority being Microsoft, there's more than one authority.

With many browsers supporting to go to HTTPS only (Google in the lead), many websites are going to have to pay to have their websites certified.

Of course, that includes that smaller sites won't have the money to support this, while they have free shared certificates or non-profit organization soon to offer free certs options.

This is where Microsoft has to do something differently other than being the only authority where they are held accountable.

Unix is supported by many companies and there is developing support from hardware/oem manufacturers too. They will see that their own hardware will no longer be able to run linux if they remove the option. We are most likely to see that this disable option will be removed on dumb-consumer hardware.

I find this as a security problem, being that to be more secure makes it more of an inconvenience to the user.

 

 

Microsoft are in full control of the large distros as well because of the reason stated above. It's not just small independent distros either, the world's most popular OS (Windows 7) does not support it at all.

Another tactic I can see this as well is Microsoft trying to combat its own distros to have the user on the latest rather than allowing users to go on older software.

Information Security is my thing.

Running a entry/mid-range pc, upgrading it slowly.

This situation is what HTTPS is headed for, except instead of one authority being Microsoft, there's more than one authority.

With many browsers supporting to go to HTTPS only (Google in the lead), many websites are going to have to pay to have their websites certified.

Of course, that includes that smaller sites won't have the money to support this, while they have free shared certificates or non-profit organization soon to offer free certs options.

This is where Microsoft has to do something differently other than being the only authority where they are held accountable.

Unix is supported by many companies and there is developing support from hardware/oem manufacturers too. They will see that their own hardware will no longer be able to run linux if they remove the option. We are most likely to see that this disable option will be removed on dumb-consumer hardware.

I find this as a security problem, being that to be more secure makes it more of an inconvenience to the user.

Another tactic I can see this as well is Microsoft trying to combat its own distros to have the user on the latest rather than allowing users to go on older software.

I think you have misunderstood HTTP and HTTPS.

No browsers are going HTTPS only that I know of. It doesn't even make sense because HTTPS is HTTP + encryption. If you support HTTPS then you also support HTTP. Moving all their websites to HTTPS is not the same as dropping support for HTTP.

HTTPS would be horrible if there was just 1 certificate authority as well. It's already bad when some cert gets compromised but at least we can easily push out an update to block that specific cert. Imagine if the update required a complete UEFI/BIOS flash, and all programs would need to be re-signed because all used the same cert.

 

Because Microsoft controls the certificate, they can also shut anyone down whenever they feel like it. That's a terrifying thought.

So no, the current solution distros like Ubuntu use is terrible.

 

 

Another tactic I can see this as well is Microsoft trying to combat its own distros to have the user on the latest rather than allowing users to go on older software.

Yes that might be a real possibility as well, and that would be very bad.

It's a shame you didn't read the rest of the pages because I have already explained why for example Ubuntu can boot through secure boot, as well as why the situation is still very, very bad.

 

This situation is what HTTPS is headed for, except instead of one authority being Microsoft, there's more than one authority.

With many browsers supporting to go to HTTPS only (Google in the lead), many websites are going to have to pay to have their websites certified.

Of course, that includes that smaller sites won't have the money to support this, while they have free shared certificates or non-profit organization soon to offer free certs options.

This is where Microsoft has to do something differently other than being the only authority where they are held accountable.

Unix is supported by many companies and there is developing support from hardware/oem manufacturers too. They will see that their own hardware will no longer be able to run linux if they remove the option. We are most likely to see that this disable option will be removed on dumb-consumer hardware.

I find this as a security problem, being that to be more secure makes it more of an inconvenience to the user.

Another tactic I can see this as well is Microsoft trying to combat its own distros to have the user on the latest rather than allowing users to go on older software.

1. no browsers are doing this.

2. even if they did, you don't need to pay. you can sign your own certificates. it just means customers will see a warning when they go to your website. and there are tons of ways to verify a self signed signature.

It's a shame you didn't read the rest of the pages because I have already explained why for example Ubuntu can boot through secure boot, as well as why the situation is still very, very bad.

"Designed for windows 10" and "windows 10 ready" are two completely separate certifications. this will only affect pre-built systems.

1. no browsers are doing this.

2. even if they did, you don't need to pay. you can sign your own certificates. it just means customers will see a warning when they go to your website. and there are tons of ways to verify a self signed signature.

 

"Designed for windows 10" and "windows 10 ready" are two completely separate certifications. this will only affect pre-built systems.

 

I also doubt boxed motherboards will have this feature.

It would cannibalize their own success and profits for no reason lol.

People that build their own pcs are pretty much safe.

-Enthusiasts would kill them

-Open source activists would kill them

- x99 Linux server owners WOULD KILL THEM.

Not happening people.

-snip-

- x99 Linux server owners WOULD KILL THEM.

Not happening people.

In other words most owners of large servers.

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL

I also doubt boxed motherboards will have this feature.

It would cannibalize their own success and profits for no reason lol.

People that build their own pcs are pretty much safe.

-Enthusiasts would kill them

-Open source activists would kill them

- x99 Linux server owners WOULD KILL THEM.

Not happening people.

Happened to phones and tablets, and Microsoft tried to do it with 2-in-1s as well (running RT). Most people probably wouldn't even notice any difference so we would just be a small minority crying about it.

It was because of the open source activists the "secure boot must be disable-able by users" part was added in the Windows 8 specs, but it has now been removed.

Just because people buying server hardware won't be affected (that would really be an idiotic move by motherboard manufacturers) doesn't mean all other boards will be safe (like LGA 1151).

 

Microsoft has been doing VERY anti competitive things in the past, and at their core they are pure evil. Manufacturers have also demonstrated that they are more than willing to strip their users of the rights to modify hardware and software of their products so don't blindly put faith in them giving users options either.

You are very naive if you think that software or hardware manufacturers don't want as much control over their customers as possible, and this is certainly one way of getting that.

Why I avoid prebuilts part I .

Part 1 of 8,000,000,000

Rich Purnell Is A Steely-Eyed Missile Man

I now have even less respect for MS & Windows.

 

Linux FTW.

My Systems:

Main - Work + Gaming:

Woodland Raven: Ryzen 2700X // AMD Wraith RGB // Asus Prime X570-P // G.Skill 2x 8GB 3600MHz DDR4 // Radeon RX Vega 56 // Crucial P1 NVMe 1TB M.2 SSD // Deepcool DQ650-M // chassis build in progress // Windows 10 // Thrustmaster TMX + G27 pedals & shifter

F@H Rig:

FX-8350 // Deepcool Neptwin // MSI 970 Gaming // AData 2x 4GB 1600 DDR3 // 2x Gigabyte RX-570 4G's // Samsung 840 120GB SSD // Cooler Master V650 // Windows 10

 

HTPC:

SNES PC (HTPC): i3-4150 @3.5 // Gigabyte GA-H87N-Wifi // G.Skill 2x 4GB DDR3 1600 // Asus Dual GTX 1050Ti 4GB OC // AData SP600 128GB SSD // Pico 160XT PSU // Custom SNES Enclosure // 55" LG LED 1080p TV  // Logitech wireless touchpad-keyboard // Windows 10 // Build Log

Laptops:

MY DAILY: Lenovo ThinkPad T410 // 14" 1440x900 // i5-540M 2.5GHz Dual-Core HT // Intel HD iGPU + Quadro NVS 3100M 512MB dGPU // 2x4GB DDR3L 1066 // Mushkin Triactor 480GB SSD // Windows 10

 

WIFE'S: Dell Latitude E5450 // 14" 1366x768 // i5-5300U 2.3GHz Dual-Core HT // Intel HD5500 // 2x4GB RAM DDR3L 1600 // 500GB 7200 HDD // Linux Mint 19.3 Cinnamon

 

EXPERIMENTAL: Pinebook // 11.6" 1080p // Manjaro KDE (ARM)

NAS:

Home NAS: Pentium G4400 @3.3 // Gigabyte GA-Z170-HD3 // 2x 4GB DDR4 2400 // Intel HD Graphics // Kingston A400 120GB SSD // 3x Seagate Barracuda 2TB 7200 HDDs in RAID-Z // Cooler Master Silent Pro M 1000w PSU // Antec Performance Plus 1080AMG // FreeNAS OS

 

meh i call bs these days every software company seems to be trying to lock you in to their stuff and theirs alone ....

Happened to phones and tablets, and Microsoft tried to do it with 2-in-1s as well (running RT). Most people probably wouldn't even notice any difference so we would just be a small minority crying about it.

It was because of the open source activists the "secure boot must be disable-able by users" part was added in the Windows 8 specs, but it has now been removed.

Just because people buying server hardware won't be affected (that would really be an idiotic move by motherboard manufacturers) doesn't mean all other boards will be safe (like LGA 1151).

 

Microsoft has been doing VERY anti competitive things in the past, and at their core they are pure evil. Manufacturers have also demonstrated that they are more than willing to strip their users of the rights to modify hardware and software of their products so don't blindly put faith in them giving users options either.

You are very naive if you think that software or hardware manufacturers don't want as much control over their customers as possible, and this is certainly one way of getting that.

 

Give me one good reason why boxed motherboard manufacturers would kill their profits by doing something stupid like that.

Because it would kill their profits to launch an OS locked 1150 or similar motherboard.

It's a business and businesses like to make money.

Why would they kill their own profits?

Doesn't make a lick of sense.

It's pretty bad, but I think that for 99% of pre-built users, they wouldn't notice or care

Desktop - Corsair 300r i7 4770k H100i MSI 780ti 16GB Vengeance Pro 2400mhz Crucial MX100 512gb Samsung Evo 250gb 2 TB WD Green, AOC Q2770PQU 1440p 27" monitor Laptop Clevo W110er - 11.6" 768p, i5 3230m, 650m GT 2gb, OCZ vertex 4 256gb,  4gb ram, Server: Fractal Define Mini, MSI Z78-G43, Intel G3220, 8GB Corsair Vengeance, 4x 3tb WD Reds in Raid 10, Phone Oppo Reno 10x 256gb , Camera Sony A7iii

It's pretty bad, but I think that for 99% of pre-built users, they wouldn't notice or care

This affected me when I wanted to install win 7 or a client's build.

I had a free key from dreamspark/college.

Had to find the damn option very well hidden to turn it off.

This affected me when I wanted to install win 7 or a client's build.

I had a free key from dreamspark/college.

Had to find the damn option very well hidden to turn it off.

Yeah it will affect a few, but I mean for 99% of families and people that walk into a computer shop and buy an off the shelf PC, I doubt they will be changing OS and reconfiguring their PC

Desktop - Corsair 300r i7 4770k H100i MSI 780ti 16GB Vengeance Pro 2400mhz Crucial MX100 512gb Samsung Evo 250gb 2 TB WD Green, AOC Q2770PQU 1440p 27" monitor Laptop Clevo W110er - 11.6" 768p, i5 3230m, 650m GT 2gb, OCZ vertex 4 256gb,  4gb ram, Server: Fractal Define Mini, MSI Z78-G43, Intel G3220, 8GB Corsair Vengeance, 4x 3tb WD Reds in Raid 10, Phone Oppo Reno 10x 256gb , Camera Sony A7iii

Yeah it will affect a few, but I mean for 99% of families and people that walk into a computer shop and buy an off the shelf PC, I doubt they will be changing OS and reconfiguring their PC

It's still an unnecessary pain in the ass.

It would be much better if they didn't do this shit.

It's still an unnecessary pain in the ass.

It would be much better if they didn't do this shit.

 

Agreed

Desktop - Corsair 300r i7 4770k H100i MSI 780ti 16GB Vengeance Pro 2400mhz Crucial MX100 512gb Samsung Evo 250gb 2 TB WD Green, AOC Q2770PQU 1440p 27" monitor Laptop Clevo W110er - 11.6" 768p, i5 3230m, 650m GT 2gb, OCZ vertex 4 256gb,  4gb ram, Server: Fractal Define Mini, MSI Z78-G43, Intel G3220, 8GB Corsair Vengeance, 4x 3tb WD Reds in Raid 10, Phone Oppo Reno 10x 256gb , Camera Sony A7iii

Give me one good reason why boxed motherboard manufacturers would kill their profits by doing something stupid like that.

Because it would kill their profits to launch an OS locked 1150 or similar motherboard.

It's a business and businesses like to make money.

Why would they kill their own profits?

Doesn't make a lick of sense.

Less development cost (1 less feature to add).

 

Possibility of incentive from Microsoft (I wouldn't put it past them).

 

Most people wouldn't care (I am willing to bet that 95% of people who build their own PCs are just as clueless about these kinds of things as the average Joe who buys a prebuilt PC). So I don't think it would "kill their profits".

There is no requirement for motherboard manufacturers to implement this feature on motherboards compatible with Windows 8. So why would it change with Windows 10?
