Secure Boot Lock Out

dr.fuzzenstein wrote: »

It seems that MS was stipulating that the switch to turn off secure boot is optional. No one ever said "MS stipulated that hardware will under no circumstances allow another OS".
I think this is the same as the rumor that Audi will seal off the engine bay so that no one can access it but authorized Audi dealers.

That is what the first post said ....... it is the consequences of this that is rather worrying.

dr.fuzzenstein wrote: »

We see what happens. Remember XBox one games to be locked to a specific console? Never happened. MS will always try it on.
If it does happen, at worst a new BIOS could be flashed to a machine to install another OS, worst consequence of that could possibly be the existing MS installation no longer working, but I'm just guessing here. And a little bit of care when purchasing old or new machines in order to install a Linux variant on them. But that is the case anyway. It's not like Linux will run without any issues on every single piece of hardware out there as it is.

I haven't had any real difficulties running Linux on the old equipment (lots of it) that passed through here. So, while it won't recognise ALL used gear, it sure does most of it.

Replacing the BIOS might or might not be possible ...... only a select few are possible at present .... and doing that is a whole different kettle of fish than just installing an OS.

IF the worst happens and m/boards drop the option to turn off secure boot for Windows machines, then a heck of a lot more of them will be recycled rather than reused.
By then it will be too late to do anything about it!

ASX wrote: »

Hi! 

Originally Posted by Johnboy1951 
It appears that MS have issued specs for their OEM suppliers which include a change in the Secure Boot requirements.

Yes, it appears so, but only for "mobile" platforms.

At its WinHEC hardware conference in Shenzhen, China, Microsoft talked about the hardware requirements for Windows 10. The precise final specs are not available yet, so all this is somewhat subject to change, but right now, Microsoft says that the switch to allow Secure Boot to be turned off is now optional. Hardware can be Designed for Windows 10 and can offer no way to opt out of the Secure Boot lock down.

I see no mention of 'Mobile' there.

In fact I believe that MS have already determined that mobile devices with their software cannot have a user switch to turn off secure boot, and it has been this way for a number of years.

This is referencing a change in hardware requirements for Win 10 .... where there is now no need for a user switch to turn off secure boot, to comply with the MS hardware spec requirements.

The only change between Windows 8.1 and Windows 10 for system requirements on the desktop is the mandate of UEFI v2.3.1. Windows 8.1 was required to have UEFI v2.3.1 for Secure Boot, but this was an optional feature. In Windows 10 this is no longer optional.

Those two quotes are taken from the links I posted in the first post.

Bottom line: It seems there is a change of MS spec for desktop hardware, bringing it a step closer to the spec for mobile hardware ... there now being no requirement for a user switch for secure boot.
All they got to do to bring the desktop hardware into line with the mobile hardware is to specifically specify that there be no secure boot user switch.
As I said, maybe Win 12

***

Your links ...

1) Dated 2011 ?

This document is intended to describe how the UEFI secure boot specification can be implemented to interoperate well with open systems and to avoid adversely affecting the rights of the owners of those systems while providing compliance with proprietary software vendors' requirements.

I never said there was any difficulty in allowing a secure boot switch.
This is aspirational and for those who care ...... MS vendors do not care (for the most part) about other uses of the their hardware.

2) Dated 2012
I remember reading about this at the time, but I have not seen anyone referring to using it in the meantime.
Have you used this?
Does it require a means to turn off Secure Boot in BIOS/UEFI?
How would the absence of such an option affect its use?


3) MS stuff

Also, there is to note that disallowing to turn off the secure boot could be a shoot in the feet for themselves, (MS), because some firmware shipped with some hardware may not be signed it will not be allowed run. (link 3).

What it will do is ensure that their old OS versions will not be able to run on the hardware.
This is very desirable for MS ..... if they could force people to update their OS they would. It appears to me they have tried and succeeded with most non-commercial users.


In any case we have not seen any hardware yet so we do not know if this will happen.
What I was pointing out was, it could be a disaster, IMO, for those of us who reuse older hardware rather than throw it in the recycle pound.

MS mobile devices with no secure boot switch ..... are there reports of other OSs being installed on them?

I haven't heard about it, but it would be interesting to find out ......

of course, but tell me how they could suggest to "turn off secure-boot" when they required that it should not be an option.

We seem to be at cross purposes.
Up to the present time, MS specified that secure boot could be turned off.
Your reference dates from back then.

The latest (as reported) spec from MS does not have that requirement, so any reference to turning it off is not relevant to the new spec.

The Linux Foundation PDF file makes interesting reading, although that too is a little dated.
It is aspirational ..... it points out how correctly implemented UEFI could be used by various means to install open operating systems.
There is no requirement apparently that all motherboards manufactured comply with those aspirations.

MS has provided specs for those who want MS approval (all OEMs?)
The manufacturers have no need to include a secure boot user switch for Win 10 approval. In truth MS would probably prefer it that way.
OEMs will try to please MS.

It will be interesting to see Win 10 hardware from the likes of Dell, HP, etc. to determine if there is a secure boot switch present.

If not then we know which way this is going .....

ASX wrote: »

The same slide from arstechnica link state as a MS requirements, compliance to: UEFI 2.31,

The Linux Foundation refers to it as 2.3.1c in their 2011 pdf

Because the latest UEFI specs are 2.5, a version 2.31 doesn't exists, they clearly refers to version 2.3.1.

(see uefi.org website for details.)

Well, if the word "compliance" means something ... to me it IS relevant.

What then would be your interpretation of MS not requiring the presence of a secure boot 'off switch' for their Win 10 approved hardware?

You would not see that as 'an invitation' or 'an encouragement' to their vendors to omit it?

If MS wanted 'strict compliance' rather than general compliance would they have any reason to mention it?

The MS history regarding specifications is not comforting

ASX wrote: »

You are driving me on a mined field.
My interpretation is that OEM are free to choose it or not depending on products ... as I already wrote I see use cases where secure-boot would be welcome.

Ah yes ....... OEMs freedom to choose.
We have all seen how that works when dealing with MS in the past.

It seems you are inclined to agree that there is a danger that OEMs will omit the secure boot switch in hardware for Win 10.
It is obvious now that this would be desired by MS.

That is the situation that prompted my original post ..... and the consequences of that decision, should it be taken.

Yes, there are a few specialised areas where a locked hardware would be beneficial .... but not on consumer products .... at least not from the consumer viewpoint.

ASX wrote: »

First, I do not consider secure-boot a danger ...

Nor I.
I think you need to read again what I wrote to get what I meant.

second, if MS would liked to have secure boot switch disabled on desktop, I don't see any reason why they would not ask for, it is their right to ask what requirements they like to allow the use of their certifications.

They cannot as it would be anti-competitive due to their market share.

They requested to remove the switch for "mobile" platforms ... they didn't for "desktop" platforms.

They had no real presence in that market so their specification did not adversely affect others in the market.

Most likely the main reason of our different views is due to fact I think secure boot doesn't prevent the use of open systems while you think it will be an obstacle to open OSes adoption.

You seem to have completely missed the point of all my posts on this ....... the absence of a secure boot switch (to allow the user to turn it off as is presently the case) is the danger I see coming in the future.

I agree that secure boot imply to update the currently used boot loaders ... but the secure-boot support is already there and more extensions will come in the near future.


Sorry, it seems that you are implying something which is not true at my eyes ... secure-boot doesn't equal locked down hardware ...

It is true that secure-boot is another little barrier that each distro need to overcome at some point ... most likely is also an additional difficult for small teams and individuals, ... it is also true that there exists bugged UEFI/secure-boot implementations out there ... but it doesn't imply open systems are locked out.

If the user cannot turn off secure boot, that seriously limits what can be done by an individual who might inherit the hardware.

~~~

/joke mode on/
do not worry much, systemd will take care of of secure-boot too :):)
/joke mode off/