Secure Boot Isn't So Secure After All: The Golden Key Is Out


  • #11
    Originally posted by bug77 View Post
    Those who cannot remember the past are condemned to repeat it.
    I mean, look how well it worked for The One Ring.
    q.v.

    “The definition of insanity is doing the same thing over and over again, but expecting different results”

    Comment


    • #12
      Originally posted by devius View Post
      Wow, no one saw that one coming.

      And now for the serious part of this message. That linked site is terrible. It's really hard to read the whole thing when it's constantly moving. I get sick when trying to read in a moving car and the experience there was similar. Also, I'm glad modern browsers allow muting specific tabs.
      It brings back memories of the old "demoscene", and my guess is that that's what it is supposed to be.

      Comment


      • #13
        What about current Linux installations with a signed key for Secure Boot? I am talking about single boot and not dual boot... Has this been fixed or not yet?

        Comment


        • #14
          stikonas Can you help me with the process? (Links or advice) would be very helpful...

          Comment


          • #15
            Is it technically possible for MS to generate a new key and automatically send it out to every PC in the world via Windows Update, to restore the boot protection, at least for PCs that haven't already got a bootkit?

            Comment


            • #16
              amp3030
              Microsoft can send a new bootloader via Windows Update which doesn't accept the Golden Key any more.
              But this is not an effective measure because the attacker could simply replace it with the old bootloader again.
              They would additionally have to blacklist the old bootloader in UEFI dbx, but that would render all systems/live media/etc. unbootable which haven't upgraded to the new bootloader yet. Or which restore from recovery.

              So for all practical purposes, Microsoft has defeated secure boot for good this time.

              Comment
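The update-versus-revocation trade-off described in post #16, as an added example that is not part of the original post or of any vendor's code. It is a simplified model: an HMAC with a constructed key stands in for the real asymmetric signature, and `firmware_allows`, `scenario` and the image contents are hypothetical names and data.

```python
import hashlib
import hmac

VENDOR_KEY = b"constructed-demo-key"  # assumption: stands in for the vendor signing key

def sign(image: bytes) -> bytes:
    # HMAC stands in for the real asymmetric signature so the model runs offline.
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()

def firmware_allows(image: bytes, signature: bytes, dbx: set) -> bool:
    """Boot only if the signature verifies AND the image hash is not revoked."""
    if not hmac.compare_digest(sign(image), signature):
        return False
    return hashlib.sha256(image).digest() not in dbx

def scenario() -> dict:
    old = b"constructed image: old bootloader"
    new = b"constructed image: updated bootloader"
    old_sig, new_sig = sign(old), sign(new)
    out = {}
    dbx = set()  # state after the update alone: nothing revoked
    out["updated loader"] = firmware_allows(new, new_sig, dbx)
    # The old loader is still validly signed, so the update alone does not retire it.
    out["old loader swapped back in"] = firmware_allows(old, old_sig, dbx)
    out["modified loader, stale signature"] = firmware_allows(old + b"!", old_sig, dbx)
    # Revocation: the old loader's hash goes into dbx.
    dbx.add(hashlib.sha256(old).digest())
    # Refused now, whether it was put back deliberately or sits on un-updated
    # install/recovery media: the firmware cannot tell those cases apart.
    out["old loader after revocation"] = firmware_allows(old, old_sig, dbx)
    out["updated loader after revocation"] = firmware_allows(new, new_sig, dbx)
    return out

if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case:36} -> {'boots' if allowed else 'refused'}")
```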


              • #17
                Originally posted by chuckula View Post
                In other news, I'd greatly like to see secureboot put onto every Android device in existence. I'd like the so-called "open" Android platform to be just as locked down as all those evil Microsoft PCs so I can actually put a real Linux distribution on it just like the supposedly "locked down" PCs.
                Just what the heck are you on about with this? You appear to be contradicting yourself.

                First off, a lot of high end Android devices employ a secured boot process that is actually *more* secure than secureboot ever was. For instance, Qualcomm starts off with validating the PBL against a burned-in public key. It then loads the PBL, which validates the next boot loader along the path of SBL1 --> SBL2 --> TZ --> SBL2 --> SBL3 (up to this point, they are all *qualcomm* key verified) --> boot partition (kernel+initrd) (from this point forward, we will be dealing with *vendor* keys, i.e. Google's key in the case of a Nexus), and then THAT even verifies that nobody has tampered with the SYSTEM PARTITION!!!! The system partition verification is performed by dm-verity, which returns I/O errors on any data that fails checks. So it doesn't strictly write protect the system partition, but it makes changed data unreadable.

                So not quite sure if you are making a joke about putting (in)secureboot on these devices so that you could bypass the much stronger secured boot process on them...?

                But I don't really see a big problem with this state of things to begin with. It isn't as if ALL devices are locked down all the way from top to bottom like this. It's mainly just SAMSUCK that is. Just pick something that allows you to disable the signature check at some stage of the boot process. Every device ever sold as a "Nexus", for instance, allows you to disable the write protect and signature check on the boot partition. I think that Sony is also pretty good on this. HTC used to be, but I haven't kept up on their hardware.

                Comment
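The verify-on-read behaviour that post #17 attributes to dm-verity, as an added example that is not part of the original post and is not the kernel's code. It is a simplified model: a binary, unsalted SHA-256 hash tree over a constructed four-block "partition", with hypothetical helper names (`build_tree`, `read_block`, `demo`).

```python
import errno
import hashlib

BLOCK = 4096  # data block size used for this model

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_tree(device: bytearray) -> list:
    """Return hash levels: levels[0] holds per-block hashes, levels[-1] is [root]."""
    level = [h(bytes(device[i:i + BLOCK])) for i in range(0, len(device), BLOCK)]
    levels = [level]
    while len(level) > 1:
        # Pair adjacent hashes; an odd tail is paired with itself (simplification).
        level = [h(level[i] + level[min(i + 1, len(level) - 1)])
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def read_block(device: bytearray, levels: list, root: bytes, index: int) -> bytes:
    """Return block `index` only if it hashes up to the trusted root, else EIO."""
    data = bytes(device[index * BLOCK:(index + 1) * BLOCK])
    node, pos = h(data), index
    for level in levels[:-1]:
        sibling = level[min(pos ^ 1, len(level) - 1)]  # stored hash, not trusted
        node = h(node + sibling) if pos % 2 == 0 else h(sibling + node)
        pos //= 2
    if node != root:  # only the root is trusted
        raise OSError(errno.EIO, f"verity: block {index} failed hash check")
    return data

def demo() -> tuple:
    # Constructed sample "system partition": four blocks filled with 0,1,2,3.
    device = bytearray(b"".join(bytes([i]) * BLOCK for i in range(4)))
    levels = build_tree(device)
    root = levels[-1][0]          # the one value that must come from a trusted source
    device[BLOCK + 10] ^= 0xFF    # the write itself succeeds: no write protection
    untouched = read_block(device, levels, root, 0)[:1]
    try:
        read_block(device, levels, root, 1)
        modified = "readable"
    except OSError as exc:
        modified = "EIO" if exc.errno == errno.EIO else "other error"
    return untouched, modified

if __name__ == "__main__":
    print(demo())
```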


                • #18
                  Originally posted by rubdos View Post

                  Honest question: what's more terrible: Microsoft losing the key, or that website? I vote the first.
                  Well, that website crashes Firefox, so...

                  Comment


                  • #19
                    Originally posted by rubdos View Post
                    Honest question: what's more terrible: Microsoft losing the key, or that website?
                    Well, that website crashes Firefox, so...

                    Comment


                    • #20
                      Originally posted by chuckula View Post
                      Well when secureboot first came out it was accused of being some giant conspiracy to stop PCs from ever running Linux.
                      5 years later and dozens of easy successful Linux installs later [long before this hack was announced], that was obviously wrong.
                      I still believe that's the case, but I knew that it was going to be a failed attempt. When MS first released Windows 7, they were incredibly proud of how "uncrackable" it was. However, people managed to pirate it before it was even released. Any time MS ever claims something is secure, people effortlessly find a way around it. So whether Secure Boot was "secretly" meant to hinder Linux users or not, I knew it wasn't anything to be afraid of. Thankfully, most hardware manufacturers allow you to disable it anyway.

                      As for preventing boot-level malware, well the vast majority of malware has no need to ever get that low-level in the first place, so we're not really any less secure in the real-world than before secureboot showed up.
                      Depends on your definition of "need". It's a common enough issue that it has a specific name, and a common enough issue that some motherboards and CPUs have hardware designed to detect and protect against it (outside of SB).

                      In other news, I'd greatly like to see secureboot put onto every Android device in existence. I'd like the so-called "open" Android platform to be just as locked down as all those evil Microsoft PCs so I can actually put a real Linux distribution on it just like the supposedly "locked down" PCs.
                      First of all, Android is relatively locked down already. There are a lot of things you can't do without rooting it. Second, if you want a legitimately locked-down device, get a Windows phone or an iPhone. Third, I'm not sure how locking down an Android platform is supposed to help you get a "real" Linux distro on it. If anything, that would make it harder to install. But for most phones, installing Linux on them is difficult primarily because of hardware limitations. Most of them are compatible to some degree, but accessing the built-in NAND or dealing with GPU drivers is the real burden.

                      Comment
