
posted by janrinok on Wednesday July 13 2022, @02:29PM

https://mjg59.dreamwidth.org/60248.html

After I mentioned that Lenovo are now shipping laptops that only boot Windows by default, a few people pointed to a Lenovo document that says:

"Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party Certificate to be disabled by default."

"Secured-core" is a term used to describe machines that meet a certain set of Microsoft requirements around firmware security, and by and large it's a good thing - devices that meet these requirements are resilient against a whole bunch of potential attacks in the early boot process. But unfortunately the 2022 requirements don't seem to be publicly available, so it's difficult to know what's being asked for and why. But first, some background.

[...] Given the association with the secured-core requirements, this is presumably a security decision of some kind. Unfortunately, we have no real idea what this security decision is intended to protect against. The most likely scenario is concerns about the (in)security of binaries signed with the third-party signing key - there are some legitimate concerns here, but I'm going to cover why I don't think they're terribly realistic.

The first point is that, from a boot security perspective, a signed bootloader that will happily boot unsigned code kind of defeats the point. Kaspersky did it anyway. The second is that even a signed bootloader that is intended to only boot signed code may run into issues in the event of security vulnerabilities - the Boothole vulnerabilities are an example of this, covering multiple issues in GRUB that could allow for arbitrary code execution and potential loading of untrusted code.
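Since the whole dispute is about whether the Microsoft third-party UEFI CA is enrolled in a machine's Secure Boot db, here is an added example (not code from the linked post, Lenovo or Microsoft) that parses the db variable's EFI_SIGNATURE_LIST chain and reports whether that CA is present; the sample blob is constructed stand-in data, and the CA is matched by its DER-encoded name rather than by a full X.509 parse.

```python
"""Check a UEFI Secure Boot 'db' blob for the Microsoft third-party UEFI CA.

Added example for this thread, not code from the linked post or from Lenovo.
The db variable is a chain of EFI_SIGNATURE_LIST structures (UEFI spec):
  16-byte SignatureType GUID, 3 x uint32 (ListSize, HeaderSize, SignatureSize),
  optional header, then SignatureSize-byte entries of owner GUID + data.
"""
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification: entry data is a DER certificate
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# DER stores the subject CN as plain ASCII, so a substring match finds the CA
# without a full X.509 parser (a heuristic, sufficient for an inventory check)
THIRD_PARTY_CA_NAME = b"Microsoft Corporation UEFI CA 2011"
# Linux efivarfs exposes db under this name; the first 4 bytes are attributes
EFIVARS_DB = "/sys/firmware/efi/efivars/db-d719b2cb-3e70-4b4b-8a24-7f47f5f83a0c"
HEADER_FMT = "<III"
HEADER_LEN = 16 + struct.calcsize(HEADER_FMT)  # 28 bytes

def parse_signature_lists(blob):
    """Return (signature_type, owner_guid, data) for every entry in the chain."""
    entries, off = [], 0
    while off + HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from(HEADER_FMT, blob, off + 16)
        end = off + list_size
        if list_size < HEADER_LEN or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + HEADER_LEN + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def third_party_ca_present(blob):
    """True if any X.509 entry in db carries the third-party CA's name."""
    return any(t == EFI_CERT_X509_GUID and THIRD_PARTY_CA_NAME in data
               for t, _owner, data in parse_signature_lists(blob))

def build_signature_list(sig_type, owner, data):
    """Serialise one single-entry list; used here only to construct sample input."""
    sig_size = 16 + len(data)
    header = struct.pack(HEADER_FMT, HEADER_LEN + sig_size, 0, sig_size)
    return sig_type.bytes_le + header + owner.bytes_le + data

def read_db(path=EFIVARS_DB):
    """Read the live db on a Linux host (needs root); drops the attribute word."""
    with open(path, "rb") as f:
        return f.read()[4:]

# Constructed sample: stand-in DER bytes, not real certificates
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, uuid.UUID(int=1), b"\x30\x82OEM Platform CA")
    + build_signature_list(EFI_CERT_X509_GUID, uuid.UUID(int=2), b"\x30\x82" + THIRD_PARTY_CA_NAME)
)

if __name__ == "__main__":
    blob = SAMPLE_DB  # swap for read_db() to inspect the machine you are sitting at
    for sig_type, owner, data in parse_signature_lists(blob):
        print(sig_type, owner, len(data), "bytes")
    print("third-party CA enrolled:", third_party_ca_present(blob))
```

A db that lacks the third-party CA is exactly the "3rd Party Certificate disabled by default" state Lenovo's document describes, which is why shim-based Linux installs fail to boot on such machines until the option is turned on in firmware setup.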



Related Stories

The PCLinuxOS Magazine on Bill Gates' 40-Year-Old Evil Prophecy 55 comments

Volume 189 of The PCLinuxOS Magazine has an article on Bill Gates' evil prophecy from 40 years ago where he aims for ending general-purpose computing. He achieves that goal a step at a time over the decades, with the help of many a mole and quisling. Lately, the Pluton chip and Restricted Boot both play key roles towards ending this era of general-purpose computing. The Pluton chip is an extension of the Trusted Platform Module (TPM) used by Vista10 and required by Vista11. Canonical, the maker of Ubuntu, and even its upstream source, Debian, folded years ago in regards to secure boot by using Microsoft's signing key, possibly cementing that as the norm. The article covers that and many other incidents leading up to the current situation.

There is an ever-decreasing amount of time left to keep general-purpose computing alive and the author signs off with how to approach the political maneuvers going on:

The implications are already starting to show

At the beginning of the year, Matthew Garrett, the researcher who created the UEFI bootloader for Linux (which I do not agree with at all, as it sets a precedent for Microsoft to abuse the market, with its position of power, should not be allowed under any circumstances) said that the Pluton chip was not an attack on users' freedom to use whatever operating system they wanted, which was not a threat.

In July 2022, he recanted, when he was unable to install Linux on a high-end Thinkpad Z13, complaining that this was not a legal practice by Lenovo.

But, that's what Microsoft wants. Under the guise of enforcing security, it blocks the machine's access to the user himself, being the gatekeeper of personal computing. In other words, "my" microcomputer is over. From now on, it will be Microsoft's microcomputer, and only what it allows will run...[sic]

This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 5, Interesting) by canopic jug on Wednesday July 13 2022, @02:40PM

    by canopic jug (3949) Subscriber Badge on Wednesday July 13 2022, @02:40PM (#1260504) Journal

    Garrett was instrumental in setting up the situation which allows laptop manufacturers to lock out non-Windows operating systems. He has worked hard at it for years, both writing code, blogging, and even trolling.

    Now he wants credit for post-11th hour minor grumbling about such lock-in. Sorry, but that's not enough to make good for all the years he has been fighting against general-purpose computing. For years he has been pushing UEFI and restricted boot, making excuses for both when not outright promoting it. Furthermore, he has been active programming in ways which advance both and lead, despite years of warnings, to exactly this scenario with computers that won't boot non-Windows operating systems. There are work-arounds through some of the settings, for now, but as old hardware and old versions of Windoze drop away we get closer to the day those options are removed.

    He's been part of the problem and not part of the solution. He's earned the ire of those that know about him and should not be consulted further, at least on this topic.

    --
    Money is not free speech. Elections should not be auctions.
  • (Score: 5, Interesting) by maxwell demon on Wednesday July 13 2022, @02:52PM (16 children)

    by maxwell demon (1608) on Wednesday July 13 2022, @02:52PM (#1260506) Journal

    I just hope that this violates some EU competition regulations.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 5, Interesting) by canopic jug on Wednesday July 13 2022, @03:04PM

      by canopic jug (3949) Subscriber Badge on Wednesday July 13 2022, @03:04PM (#1260510) Journal

      It does. But the courts, if they even decide to take up the case, will only move years from now after the damage is quite complete. At least that's how they have worked in the past. We did have a window of opportunity with a case a few years ago, but if I recall correctly Garrett himself wrote some patches to help M$ convince the court that what it was doing was not going to restrict the market.

      --
      Money is not free speech. Elections should not be auctions.
    • (Score: 4, Insightful) by Runaway1956 on Wednesday July 13 2022, @03:26PM (13 children)

      by Runaway1956 (2926) Subscriber Badge on Wednesday July 13 2022, @03:26PM (#1260517) Journal

      I'll join you in hoping.

      It makes zero sense to me that Microsoft must "trust" anything on my computer. Microsoft doesn't own my computer, and has zero say in what I run on my computer. I don't expect General Motors to "trust" parts that I might replace on my car, I don't expect Microsoft to "trust" anything on my computer.

      • (Score: 5, Insightful) by Opportunist on Wednesday July 13 2022, @03:31PM (4 children)

        by Opportunist (5545) on Wednesday July 13 2022, @03:31PM (#1260519)

        Especially considering that, by virtue of experience, I have zero reason to trust MS any further than I can throw their CEO.

        • (Score: 3, Insightful) by tangomargarine on Wednesday July 13 2022, @07:38PM (3 children)

          by tangomargarine (667) on Wednesday July 13 2022, @07:38PM (#1260587)

          The Windows 10 forced update debacle was Microsoft burning their last bridge with me. I knew they were a bunch of sleazebags already, but basically *lying to your users* just blatantly takes the Most Unethical Programmer award.

          Besides being super unethical, it was also sort of pathetic, that they had to ram a free upgrade down people's throats because they didn't want it.

          (I bought my current desktop like 3 weeks before Windows 10 released and am still running 8.1 on the very rare occasions I use that side of the dual-boot).

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
          • (Score: 2) by Freeman on Wednesday July 13 2022, @08:33PM (2 children)

            by Freeman (732) on Wednesday July 13 2022, @08:33PM (#1260603) Journal

            I've always bought Windows (Insert Version) Professional, because I didn't want the stupidness that comes with Windows Home. That's what's saved me from some of the more stupid Microsoft moves. I.E. Forced Update and Forced Windows Hello Login. Though, they still keep nagging me about it. One of these days, the last straw will be pulled and I will be moving my entire family to Linux. I already got a head start on Dad's machine as I was the one that provided it to him. He also just wanted something to play Civ IV on and now a little browsing. Which is definitely doable on it.

            There is only one game that I would like to have run on Linux, but I had serious issues with. Space Engineers. It actually started, but had serious issues running. The Audio was pretty much broken too for whatever reason. I didn't take a lot of time to diagnose it on my last trial run, though. One of these days, it's probably not going to be a trial run. It's going to be me abandoning Windows for good. Because, they don't like technically savvy consumers. That's okay, they won't get my non-technically savvy family members as consumers, either.

            --
            Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
            • (Score: 2) by tangomargarine on Wednesday July 13 2022, @10:37PM (1 child)

              by tangomargarine (667) on Wednesday July 13 2022, @10:37PM (#1260642)

              I already got a head start on Dad's machine as I was the one that provided it to him. He also just wanted something to play Civ IV on and now a little browsing. Which is definitely doable on it.

              Ah, a man of culture! :) Personally, I preferred Civ 2; the few games I've played of 4 were a bit of a headache trying to wage war on anybody, when the Apostolic College is bitching at you to give back the cities you conquered. Alpha Centauri was great, too.

              There is only one game that I would like to have run on Linux, but I had serious issues with. Space Engineers.

              Oh, this is a *current* game haha. I was going to suggest that you find a Windows 7 ISO online and just throw everything in a VirtualBox instance if it was a 2000s game, since Win7 doesn't actually punish you at all for just not authenticating your copy. Steam game but no Linux build, huh?

              --
              "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
              • (Score: 2) by Freeman on Thursday July 14 2022, @02:08PM

                by Freeman (732) on Thursday July 14 2022, @02:08PM (#1260809) Journal

                Yeah, Space Engineers is from a "small studio" as far as I can tell. Which is understandable, with regards to supporting various versions of things. Still would be nice, if it just worked on Linux.

                I installed Civilization II on it as well, but he preferred Civ IV. Technically, I believe Civilization IV is a much more polished and less buggy game. Civilization II has inherent issues, but I loved the wonder videos compared to every other Civilization, though I haven't actually played Civ VI. Civilization Revolution was actually quite fun as well. It had all the Civilization goodness with a few interesting mechanics. Kinda wish they'd done a PC port.

                Linux is the only modern OS you can reasonably install Civilization II on. You can make it work on Windows 10 with a fan made patch, but it has issues. You can install Civilization II on Linux via Wine/PlayOnLinux and it will work like it was meant to be played.

                --
                Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 5, Insightful) by FatPhil on Wednesday July 13 2022, @03:37PM

        by FatPhil (863) on Wednesday July 13 2022, @03:37PM (#1260523) Homepage

        The problem is that you appear to desire a setup without support for DRM. DRM demands that trust. There's a reason why we call it "broken by design", this is all part of it.

        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 4, Interesting) by tangomargarine on Wednesday July 13 2022, @07:33PM (2 children)

        by tangomargarine (667) on Wednesday July 13 2022, @07:33PM (#1260586)

        I don't expect General Motors to "trust" parts that I might replace on my car,

        I don't either, although it wouldn't surprise me in the least to find out one of these days that they're pulling some John Deere-style shit with hardware whitelists etc. to force you to go to a dealership to get your car fixed.

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
        • (Score: 2) by Freeman on Wednesday July 13 2022, @08:35PM (1 child)

          by Freeman (732) on Wednesday July 13 2022, @08:35PM (#1260605) Journal

          I mean, they're already sort of doing it with Windows 11. We may allow you to install Windows 11 on your unsupported hardware. Pray we don't alter the deal further.

          --
          Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
          • (Score: 2) by tangomargarine on Wednesday July 13 2022, @10:32PM

            by tangomargarine (667) on Wednesday July 13 2022, @10:32PM (#1260641)

            Yeah, but Runaway was going for the classic Green Site Car Analogy.

            --
            "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 1) by fustakrakich on Wednesday July 13 2022, @08:20PM (3 children)

        by fustakrakich (6150) on Wednesday July 13 2022, @08:20PM (#1260598) Journal

        I don't expect General Motors to "trust" parts that I might replace on my car

        Could void the warranty

        --
        Politics and criminals are the same thing..
        • (Score: 2) by Freeman on Wednesday July 13 2022, @08:37PM

          by Freeman (732) on Wednesday July 13 2022, @08:37PM (#1260607) Journal

          Could be illegal to void the warranty.

          --
          Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
        • (Score: 2, Insightful) by Runaway1956 on Wednesday July 13 2022, @08:41PM (1 child)

          by Runaway1956 (2926) Subscriber Badge on Wednesday July 13 2022, @08:41PM (#1260609) Journal

          Actually, I think that has been hashed out in the past. Car manufacturers were prohibited from voiding the warranty just because you used a non-GM branded oil filter.

          With electronics, it's hard to say. They may get away with voiding a warranty if you replace a chip somewhere, with an unapproved chip. States with Right to Repair laws can tell them to pay up, but the rest of us would still be screwed.

          • (Score: 1, Informative) by Anonymous Coward on Thursday July 14 2022, @02:42PM

            by Anonymous Coward on Thursday July 14 2022, @02:42PM (#1260817)

            With electronics, it's hard to say. They may get away with voiding a warranty if you replace a chip somewhere, with an unapproved chip.

            In the United States, there is (supposedly) strong consumer protection regarding voiding warranties in the Magnuson-Moss Warranty Act which has been on the books since 1975. It applies to all consumer products, not just cars. A manufacturer cannot void the warranty simply because you replaced a chip -- they must demonstrate that when you replaced the chip, you caused the problem that would otherwise be covered by the warranty.

            Of course, with little enforcement manufacturers have been getting away with illegally voiding warranties anyway. It's possible this is changing as the FTC has started targeting some of these issues, although we've seen little in the way of penalties to companies that have been breaking the law for years.

    • (Score: 5, Informative) by RamiK on Wednesday July 13 2022, @03:33PM

      by RamiK (1813) on Wednesday July 13 2022, @03:33PM (#1260521)

      Back in 2013 the relevant commission was asked about UEFI secure boot and responded it's fine since users are able to disable it:

      Asked: https://www.europarl.europa.eu/doceo/document/E-7-2013-000162_EN.html [europa.eu]

      Answered: https://www.europarl.europa.eu/doceo/document/E-7-2013-000162-ASW_EN.html [europa.eu]

      The Commission is however currently not in possession of evidence suggesting that the Windows 8 security requirements would result in practices in violation of EU competition rules as laid down in Articles 101 and 102 of the Treaty on the Functioning of the European Union. In particular, on the basis of the information currently available to the Commission it appears that the OEMs are required to give end users the option to disable the UEFI secure boot.

      But with this new secured-core requirement going against this, Microsoft is probably violating those articles: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:12008E101 [europa.eu] https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:12008E102 [europa.eu]

      --
      compiling...
  • (Score: 5, Insightful) by Rosco P. Coltrane on Wednesday July 13 2022, @04:02PM (1 child)

    by Rosco P. Coltrane (4757) on Wednesday July 13 2022, @04:02PM (#1260528)

    needs to have their head fixed.

    The company is a giant multi-decade security fuckup. If anybody has zero creds designing anything secure, it's Microsoft.

    • (Score: 5, Touché) by Ingar on Wednesday July 13 2022, @04:08PM

      by Ingar (801) on Wednesday July 13 2022, @04:08PM (#1260531) Homepage

      It's about control.

  • (Score: 5, Insightful) by tangomargarine on Wednesday July 13 2022, @07:31PM (1 child)

    by tangomargarine (667) on Wednesday July 13 2022, @07:31PM (#1260584)

    After I mentioned that Lenovo are now shipping laptops that only boot Windows by default, a few people pointed to a Lenovo document that says:

    "Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party Certificate to be disabled by default."

    I fucking *knew* this day would come when I first heard about SecureBoot.

    Time to get out the torches and pitchforks again.

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 2) by Freeman on Thursday July 14 2022, @02:13PM

      by Freeman (732) on Thursday July 14 2022, @02:13PM (#1260810) Journal

      About time to just ditch Microsoft altogether.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"