OEMs Allowed To Lock Secure Boot In Windows 10 Computers

Scheller

Forum Sage
May 9, 2006
7,675
29
48
Texas
#1
Ugh, really hope Microsoft goes back to their 8/8.1 ways.

Those of you with long memories will recall a barrage of complaints in the run up to Windows 8's launch that concerned the ability to install other operating systems—whether they be older versions of Windows, or alternatives such as Linux or FreeBSD—on hardware that sported a "Designed for Windows 8" logo.

To get that logo, hardware manufacturers had to fulfil a range of requirements for the systems they built, and one of those requirements had people worried. Windows 8 required machines to support a feature called UEFI Secure Boot. Secure Boot protects against malware that interferes with the boot process in order to inject itself into the operating system at a low level. When Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures, and the UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system won't boot.

This is a desirable security feature, but it has an issue for alternative operating systems: if, for example, you prefer to compile your own operating system, your boot files won't include a signature that Secure Boot will recognize and authorize, and so you won't be able to boot your PC.

However, Microsoft's rules for the Designed for Windows 8 logo included a solution to the problem they would cause: Microsoft also mandated that every system must have a user-accessible switch to turn Secure Boot off, thereby ensuring that computers would be compatible with other operating systems. Microsoft's rules also required that users be able to add their own signatures and cryptographic certificates to the firmware, so that they could still have the protection that Secure Boot provides, while still having the freedom to compile their own software.

This all seemed to work, and the concerns that Linux and other operating systems would be locked out proved unfounded.

This time, however, they're not.
http://arstechnica.com/information-...ke-the-secure-boot-alt-os-lock-out-a-reality/

It's not difficult to imagine Microsoft doing incentives for OEMs willing to lock secure boot, or the OEMs themselves selling locked/unlocked ones but at different price points (that second bit is what I expect to happen, retailers charging a lot more for the option to turn Secure Boot off). Granted many people around here won't have problems as they custom build desktop PCs, but you can't exactly do the same for laptops (which is where this would affect me).

Of course, it doesn't completely rule out installing Linux on those "locked" machines.

Should this stand, we can envisage OEMs building machines that will offer no easy way to boot self-built operating systems, or indeed, any operating system that doesn't have appropriate digital signatures. This doesn't cut out Linux entirely—there have been some collaborations to provide Linux boot software with the "right" set of signatures, and these should continue to work—but it will make it a lot less easy.
The way I understand it, Microsoft could no longer supply signed bootloaders and stop anyone from installing Linux on the machines with Secure Boot enabled. With 8/8.1, Linux Foundation had to release a "convoluted" workaround before Microsoft finally signed their bootloader.
 
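The firmware state this thread is about (whether Secure Boot is enforcing, switched off, or open for key enrollment, and which certificates the firmware trusts) can be read on Linux from efivarfs. The following is an added example, not part of any post here: the sample bytes and owner GUID are constructed, and on a real system the inputs would be the contents of `/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c`, `SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c` and `db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`.

```python
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {X509: "x509", SHA256: "sha256"}

def parse_efivar(raw):
    """Split an efivarfs file into (attributes, payload)."""
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte attribute header")
    return struct.unpack_from("<I", raw)[0], raw[4:]

def boot_policy(secure_boot_raw, setup_mode_raw):
    """Summarise the SecureBoot and SetupMode variables (one byte each)."""
    enforcing = parse_efivar(secure_boot_raw)[1][:1] == b"\x01"
    setup = parse_efivar(setup_mode_raw)[1][:1] == b"\x01"
    if setup:
        return "setup mode: no platform key, owner can enroll keys"
    return "enforcing" if enforcing else "disabled"

def parse_signature_lists(payload):
    """Yield (type, owner GUID, data) for every entry in a db/KEK/PK payload."""
    off = 0
    while off < len(payload):
        if len(payload) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_guid = uuid.UUID(bytes_le=payload[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, off + 16)
        body, end = off + 28 + hdr_size, off + list_size
        if sig_size < 16 or body > end or end > len(payload) or (end - body) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=payload[pos:pos + 16])
            yield SIG_TYPES.get(type_guid, str(type_guid)), owner, payload[pos + 16:pos + sig_size]
        off = end

def _esl(type_guid, owner, items):
    """Build one signature list; used only to construct the sample below."""
    body = b"".join(owner.bytes_le + item for item in items)
    return type_guid.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(items[0])) + body

# Constructed sample data, not read from any real machine.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = struct.pack("<I", 0x27) + _esl(X509, OWNER, [b"placeholder-not-a-real-cert"]) \
    + _esl(SHA256, OWNER, [bytes(32), b"\xaa" * 32])
SAMPLE_SECURE_BOOT = struct.pack("<IB", 0x06, 1)
SAMPLE_SETUP_MODE = struct.pack("<IB", 0x06, 0)
```

A machine that reports "enforcing" and whose `db` lists only the vendor's certificates is the locked configuration the thread worries about; an owner-enrolled certificate would appear as an extra `x509` entry.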

darky89

Forum Sage
Dec 3, 2007
8,060
97
48
In the bushes.
#2
At its WinHEC hardware conference in Shenzhen, China, Microsoft talked about the hardware requirements for Windows 10. The precise final specs are not available yet, so all this is somewhat subject to change, but right now, Microsoft says that the switch to allow Secure Boot to be turned off is now optional. Hardware can be Designed for Windows 10 and can offer no way to opt out of the Secure Boot lock down.
The presentation is silent on whether OEMs can or should provide support for adding custom certificates.
I think you're right. We'll probably be seeing computers with an OS switch costing more than a 'locked' system.
 

Scheller

#3
[QUOTE="darky89, post: 6432266"]I think you're right. We'll probably be seeing computers with an OS switch costing more than a 'locked' system.[/QUOTE]

I promise I'm not just digging at Microsoft here, this is just the only example I could find. At their Microsoft Stores, they would sell "Signature" models of their laptops for $100 more that didn't have all the bloatware/shovelware installed. I wouldn't be surprised if places like Dell did the same, and it's basically along the same lines as paying to have an unlocked computer. It's also like what Apple does with the iPhone, where you can buy the unlocked version to use whichever provider you want.

From what I've seen, many have called the benefits of Secure Boot insignificant and it would force Linux distros to pay Microsoft money in order to get a signed bootloader (some were already forced to pay Microsoft for them on Windows 8/8.1). In Europe, Microsoft was sued for Secure Boot's anti-competitiveness and in some countries, the option to turn it off in 10 will be mandatory because of their laws.

I'm just hoping there's enough backlash that they once again decide not to follow through with this.
 

MATRIX 2

Forum Sage
Jul 29, 2005
8,554
109
63
D.C.
#4
[QUOTE="ttech10, post: 6432342"]I promise I'm not just digging at Microsoft here, this is just the only example I could find. At their Microsoft Stores, they would sell "Signature" models of their laptops for $100 more that didn't have all the bloatware/shovelware installed. I wouldn't be surprised if places like Dell did the same, and it's basically along the same lines as paying to have an unlocked computer. It's also like what Apple does with the iPhone, where you can buy the unlocked version to use whichever provider you want.

From what I've seen, many have called the benefits of Secure Boot insignificant and it would force Linux distros to pay Microsoft money in order to get a signed bootloader (some were already forced to pay Microsoft for them on Windows 8/8.1). In Europe, Microsoft was sued for Secure Boot's anti-competitiveness and in some countries, the option to turn it off in 10 will be mandatory because of their laws.

I'm just hoping there's enough backlash that they once again decide not to follow through with this.[/QUOTE]

From what I've seen of the online store, the only computers Microsoft has listed are Signature computers. There aren't any non-Signature computers.
 

Scheller

#6
give them the "Signature" treatment of installing just the base OS. It's hard to do a meaningful price comparison since their store only sells the Signature edition, but PC World did state they found one instance of it being $30 less. That's a pretty reasonable price compared to the $100 for customer walk-ins, but when you have Best Buy doing "optimizations" for $40 where they really only delete some shortcuts and install updates, it's clear that some companies will nickel and dime people, and I'd rather not have the Secure Boot option being locked/unlocked be another way they can do that.