Windows 10 to make the Secure Boot alt-OS lock out a reality

This is very concerning. I can imagine a future where only the "premium" hardware has the option to disable secure boot, ensuring lower grade consumer machines are permanently locked in to the Windows ecosystem.

The slide the have, also says that on mobile devices it <i>must not</i> be possible to turn off secure boot. Which on the one hand, can probably help make them less desirable to steal; but on the other hand, means no playing with non-MicroSoft OSes on those devices.

Hm...<p>First, the slide shown in this article says &quot;allow end user to turn off&quot;. It says nothing about &quot;allow end user to add his own keys&quot;. If the end user can add his own keys, the end user can still bypass this mechanism; it&#x27;s just a bit more complex and annoying.<p>Second, even if the firmware doesn&#x27;t allow the user to add his own keys, there are bootloaders like SUSE&#x27;s shim which are signed by Microsoft and allow the user to add his own keys for the next step (see <a href="https://www.suse.com/documentation/sles11/book_sle_admin/data/sec_uefi_secboot.html" rel="nofollow">https:&#x2F;&#x2F;www.suse.com&#x2F;documentation&#x2F;sles11&#x2F;book_sle_admin&#x2F;dat...</a> for instance).<p>Of course, I wonder how long until shim doesn&#x27;t work anymore (either by having its signature revoked or by Microsoft migrating to a new root key and not signing shim with it). Who knows, these Windows 10 requirements might already be using a new root key, instead of the one the shim bootloaders were signed with.<p>If end-users cannot disable secure boot (or add his own keys), they won&#x27;t be affected at first, since the most popular Linux distributions have a signed bootloader. But when in secure mode, you can&#x27;t boot your own self-compiled kernel, and often you can&#x27;t even load unsigned drivers. This makes it harder to debug kernel issues (since you can&#x27;t compile and install a modified kernel), and makes it hard to develop drivers for new hardware.

The <i>WORST</i>. Imagine if MS had had the foresight to do this back in 91. No Linux.

It is worth noting that Fedora, OpenSuse, and Ubuntu all support Secure Boot. However this would limit true &quot;indie&quot; distro&#x27;s and OSs who likely couldn&#x27;t get a signing key.<p>I will say the whole way Secure Boot was done (essentially only having a single signing authority: Microsoft) was highly flawed from the get go. There was some talk about allowing the free software foundation to sign keys, what happened to that?

I wonder whether bookies would accept a bet on Windows becoming open-source within 5 years?

As a Linux user sine 1992 (Slackware), I have a probably unpopular opinion on this. I feel that security problems are getting so severe that I can live with Ubuntu and other distributions having to jump through some hoops to support secure boot. We need a way to get small distros also compatible.

Very annoying. Someone should sue MS with an antitrust case.