Rich Mingin (PLUG) on 17 Oct 2016 13:24:55 -0700

Re: [PLUG] Linux Laptop

When Windows 8 went gold, the logo requirements required UEFI support and Secure Boot be present/available.
When Windows 8.1 went gold, the logo requirements required UEFI support be ENABLED, and Secure Boot be ENABLED, but specifically required all x86/x86-64 machines have an option to disable.
When Windows 10 went gold, the logo requirements require UEFI be present and enabled, and Secure Boot be present and enabled. The disable-able requirement is specifically omitted.

It's not illogical to conclude that the next update to the Windows Logo requirements will specify that Secure Boot be present, enabled, and not able to be disabled by the user.

Learn how to generate and use MOK keys now, while it's still fairly easy to back out of mistakes. Your next PC may not be as friendly. If you generate your own MOK certs you can sign any binaries you'd like.

On Mon, Oct 17, 2016 at 3:46 PM, Rich Freeman wrote:
On Mon, Oct 17, 2016 at 3:26 PM, Greg Helledy wrote:
> I am hoping that somewhere there will continue to be laptops made that allow
> secure boot to be turned off.  It would be an opportunity for a no-name
> manufacturer to capture a significant (for them) amount of sales, by being
> the only brand you can still install linux on.  Even if that means they
> can't buy OEM Windows licenses or sell their machines as "certified for
> Windows X".

Well, MS does not require that secure boot be impossible to disable,
so having this feature does not in any way eliminate the ability to
certify the machine.  I'd think that manufacturers would want to keep
the feature simply because some people care about it.

However, as long as MS continues to sign alternate bootloaders it
actually is a relative non-issue.  I believe MS is willing to sign
them as long as they require user interaction when changing what OS is
booted.  They just don't want these shims to be able to be installed
to silently allow a MITM with arbitrary code.  And, as a PC owner, I
don't particularly want my PC running arbitrary new code without
telling me about it anyway.

> Or is secure boot so controlled by the handful of BIOS manufacturers that
> even a small PC maker won't be able to circumvent it?  I'm obviously
> ignorant of the PC manufacturing market.

Whoever makes the motherboard can make the firmware do whatever they
want it to do.  They usually buy the firmware from a 3rd party and
this sort of thing can be configured before it is flashed.  I don't
really know of any "small PC makers" that make motherboards though.
There are a million mom and pops that throw common components in a
case, but they wouldn't have any control over the firmware other than
what they get by choosing a motherboard.

I can't see standalone motherboards ever not allowing you to choose
your own OS.  Who even buys them but the sort of people who care about
such things?

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --
