Sounds like the same anti competitive behavior that MS was punished for two decades ago. Making it a requirement to only boot software approved by them excludes a whole range of competitors from using the same hardware. Making that a condition for OEMs to even get a license is the problem here.<p>Lenovo is otherwise known for supporting Linux on their laptops. And yes I know you can jump through hoops and fiddle with scary (for ordinary users) bios options to "fix" this. The point is that you shouldn't have to and this is a bit too convenient for MS to keep competitors off laptops.<p>Basically, what is needed here is a neutral certificate authority not controlled by a single company with a reasonable process for independent operating systems to get a certificate.<p>I recently ran into this trying to boot linux on my old imac. Ubuntu actually works but forget about arch, manjaro, and a whole lot of other distributions. Imacs have no off-switch for secure boot that I know off.
Digital-locks like UEFI signing have a singular flaw, in that it only truly offers security to the people holding the signing keys i.e. a firm that did not pay for the computer, shouldn’t be tying unsolicited services to other peoples businesses, and should be classified as an adversarial threat vector.<p>If Libreboot wasn’t such a pain to install, it would have saved a lot of grief.
Non-Cloudflare-captcha link: <a href="https://web.archive.org/web/20220712083007/https://mjg59.dreamwidth.org/60248.html" rel="nofollow">https://web.archive.org/web/20220712083007/https://mjg59.dre...</a><p>("Please stand by, while we are checking your browser... Please turn JavaScript on and reload the page." No thanks.)
<i>> Given the association with the secured-core requirements, this is presumably a security decision of some kind. Unfortunately, we have no real idea what this security decision is intended to protect against.</i><p>Isn't secure boot attempting to protect against 'evil maid' attacks?<p>After all, the evil maid can come in on Day 1 and insert a bootable USB stick which boots a linux distro customised to look like the normal Windows boot and save your password when you enter it; then on Day 2 boot the computer normally and use that password.<p>If you want to protect against that, you need password-protected BIOS settings to enable/disable booting third-party code.<p>(Personally I see adopting the TPM as a fool's errand - I don't think it can ever deliver on its promises)
As shitty as it is, it's nice of Lenovo to at least make it easy to enable the second CA. I wonder if all OEMs will be as "nice", or if any will require you to boot into Windows just to edit the EFI variables to add the second CA.<p>Edit: Also, I've read a few horror stories of systems no longer displaying anything after the UEFI CA was removed from the trusted CAs, because there was no iGPU and the discrete GPU required an OpROM. No display meant no way to boot into the UEFI firmware to revert that change or even disable SB. How is that not a problem now?
We're now at the final stage of conspiracy theory damage control with respect to the idea that Microsoft is trying to lock down the PC platform and prevent non-Windows operating systems from booting:<p>1. It's not happening, I don't know what you're talking about, anybody who believes that has been radicalized by Russian propaganda<p>2. Well, yeah, maybe it is happening here and there, but it's no big deal, and it's certainly not through a coordinated effort on our part<p>3. Yes, it's happening, it's been happening all this while, and here's why it's a good thing <-- we are here<p>We all will have to reckon with the fact that general purpose computing is going bye-bye. The interests of OEMs and ISVs in delivering a safe, consumable experience to end users are aligned against allowing unsigned, unapproved software from running. And yes, the OEMs, ISVs, and probably most of the consumer market will believe that this is a good thing. The next big thing is remote attestation: the internet will simply stop working properly on your machine unless it can prove that it is running an approved OS and application stack.
This seems to be MS's response to a rather serious mistake in GRUB2 - a howler, I'd say.<p>I've never liked GRUB2 much. The configuration seems to freely mix executable code and data, which makes me tremble at the prospect of altering it. And I find it much harder to understand than GRUB Legacy (and that's saying something).
I do not want to ever use Microsoft software, why do I need a Microsoft certified key to use my own hardware?<p>Big question is how do Microsoft get away with this bullying of hardware manufactures, probably the fear of losing business.<p>What can we do to stop this?
The worst problem is that people are (even in the other discussion thread here on HN) still claiming that we are scaremongering. Back when all this Secure Boot was announced, we already said that its main purpose seemed to be to make booting of non-MS operating systems more complicated, rather than security enforcement.<p>"But, you're scaremongering! See, I put this Debian USB pendrive and I can still boot it fine!"<p>This was because Debian (and many other distros) went, at some point, through MS-enforced hoops in order to get their bootloader signed. Quite a perilous situation in which MS was this "steward" of the entire PC OS ecosystem; whether a Linux distribution booted or not on PCs was practically at the whim of MS. That was at least better than the alternative (no booting -- since MS got away with SecureBoot anyway) and we have to thank people like mjg59 for it.<p>Now, your Debian pendrive will not boot on this Lenovo PC, even if MS-signed.<p>"But, you're scaremongering! See, I put this Debian USB pendrive in, hit F1, hit cursor down three times, tab, down five times, space, F12, and I can still boot it fine!"
Does this reflect the same sort of issues in the browser password protection space, i.e. Since last year chrome by default links to google password protection in short words you have to do extra steps to link google accounts to non-google Chrome browsers.<p>They say security but there is an underlying Elephant in the room concern that keeps rearing it's head.
<i>The apparent secured-core requirement for 2022 is that [...] out of the box, these systems will not boot anything other than Windows.</i><p>I don't see how anyone can look at the history of Microsoft and not immediately judge this as being completely anti-competitive in nature.
>But unfortunately the 2022 requirements don't seem to be publicly available, so it's difficult to know what's being asked for and why.<p>Where can we find the full requirements for a device to be Secured-core?
TLDR: So essentially, if the Lenovo laptop does not allow to boot on linux (or anything that is not Microsoft sanctioned) by default without a modification of the boot options, this is not because of Lenovo but because, in order to be certified by Microsoft, Lenovo has to comply with a set of rules that are not public and as such, impossible to follow for non-Microsoft entities.<p>Edit: So, as Arnavion commented right below, my TLDR is incorrect inasmuch the fact that Microsoft requirements are not public only prevent us to understand why this change was made.
At what point will mjg59 be willing to write the whole thing off as the anti-Linux measure that most open source fans have realised it is for a decade or more?
Kindof off-topic, but…<p>> whenever a signed object is booted by the firmware, the trusted certificate used to verify that object is measured into PCR 7 in the TPM.<p>Is there a list somewhere of what each PCR is generally used for? I’ve had difficulty finding the information through Google searches.
Recent and related:<p><i>Lenovo shipping new laptops that only boot Windows by default</i> - <a href="https://news.ycombinator.com/item?id=32023868" rel="nofollow">https://news.ycombinator.com/item?id=32023868</a> - July 2022 (388 comments)
Why is this being moaned about because of one bad machine _again_.<p>As much as i love to lay into Microsoft I see little reason to yet, other than speculation and corporate bad practice brought on by massive corporate incompetence, no grand conspiracy…