New SecureBoot Concerns Arise With Windows 10


  • Originally posted by brosis
    This is like claiming Gasoline is a way to kill Fire. Opposite of proprietary is libre, not "open sauce". All proprietaries love open source, a free labor and shareware.
    You are correct, I meant free software.



    • Originally posted by bridgman
      If you use the word "hobbyists" the eyes will glaze over and they'll think "go get a Sinclair", but the point I've used is that you tend to find a lot of Linux users among sys admins, system architects, and pretty much everything in between -- so while the "Linux for personal use" segment may be small I do believe it is influential beyond what the numbers would suggest. I haven't checked recently, but last time I looked there was also relatively more Linux use in universities & colleges, and that is industry shorthand for "the people who will be making buying decisions a few years down the road".
      Yea, and also those who want SteamOS.

      I'm quite glad that there are still vendors like Dell that ship with Linux preinstalled. Although there is still an issue in that it could in theory end up not being able to switch or even upgrade distros. It's not very likely, but if there's no option to disable it and custom keys are refused, installing things like Gentoo wouldn't be possible...



      • Windows-Boot?

        Originally posted by Luke
        Remember: these are the people who pushed Palladium ten plus years ago, and even wanted legislation making it a criminal offense to connect an "untrusted" computer to the Internet.
        Holy crap, he is right.. I had no idea microsoft had tried to do that, but I found and read the wikipedia article about it here: https://en.wikipedia.org/wiki/Next-G...Computing_Base

        It shows that microsoft has a strong intention and long-term goal of locking down and controlling computers (x86, ARM, any thing)..
        They lost the Palladium battle so far, but they have not lost the war yet.. They are now trying to implement it again, especially with "secure"-boot.. Don't be fooled in to thinking that it is mere coincidence that "secure"-boot makes it increasingly difficult to boot any thing except microsoft-created operating systems..

        I am tired of seeing people say things like "microsoft isn't so bad" and making excuses for microsoft, when their actions have always been obviously towards taking dominance of every computer and forcing every one to use windows, by any means necessary..


        Also, as for the recent decision with windows10 certification to let the OEM choose whether or not to lock "secure"-boot ON PERMANENTLY, some people are arguing: "It is the OEM's decision! Microsoft has done nothing wrong! Windows8 required SB to have a user option to disable it. Now microsoft is removing that requirement. How can microsoft be at fault for giving OEMs MORE freedom by removing that restriction??"

        Well, I will tell you how it is microsoft's stupid fault: Microsoft is requiring OEMs to put SB on to their motherboards (if they want MS certification), right?.. And it has to be ON by default.. The only reason microsoft stipulated a user option to disable it (for windows8 cert.) was so that people didn't freak out, and gave time for people to get used to it.. The fault of microsoft is requiring "secure"-boot at all..

        Let me give you an analogy to help you understand:
        First week: You give people some guns, but tell them "You aren't allowed to shoot them!"
        Second week: Now you tell them "I am removing the restriction of not being allowed to shoot. But you still have to have a gun at all times."
        On the second week, some (but not all) people start shooting other people..
        Police question you about it.. You tell them "It isn't my fault, I just gave them more freedom by removing the shooting restriction."

        Do you kind of understand the situation now?.. In that analogy, even though it *supposedly* isn't your fault, even though no deaths occurred on the first week, suddenly lots of deaths occurred on the second week..
        This is because you actually gave them TWO restrictions on the first week (1: Have to have gun. 2: Can't shoot it), but then removed ONLY ONE of the restrictions on the second week..

        Do you see how this correlates to this predicament with microsoft?..
        Windows8: Microsoft imposes TWO restrictions: 1: Must have "secure"-boot. 2: User must be able to turn it OFF.
        Windows10: Microsoft removes restriction #2 but NOT #1.

        So no, it isn't JUST the OEM's fault.. The OEMs must STILL incorporate "secure"-boot because microsoft demands it (for a certification), and many of those OEMs might decide that it is financially cheaper to lock SB boot PERMANENTLY ON because it would make the UEFI code simpler..

        If OEMs REALLY had complete freedom, they probably never would have added "secure"-boot to their firmware at all.. You would still see OEMs that don't have it in their UEFI at all.. But for some weird reason, after microsoft requires "secure"-boot for their certification, suddenly all OEMs have it in all of their firmware.. Coincidence? Did all OEMs just suddenly decide they love "secure"-boot so much they want to put it in every thing?..

        And remember, like I said in my other post: microsoft originally tried to make the windows8 certification require the SB always be PERMANENTLY ON, and that no user can turn it off.. But they only backed down (temporarily) because of the back-lash.. But don't think that they have given up.. They are just going about it more slowly now so that people don't get upset from too big sudden movements.. If you move slow enough, you don't cause waves..


        In summary:
        If you require that all people have guns, some people will shoot them (and some won't of course)..
        If you require all cats to have cat toys, some cats are going to use them..
        If you require all teenagers to carry cyanide pills, some will end up using them (if they are depressed, angry, had a really bad day, etc)..
        If you require all OEMs to have "secure"-boot, some of them will make it permanently ON if they deem it cheaper or easier..

        But microsoft is still the one forcing stipulation #1, NOT the OEMs.. So quit arguing that microsoft is innocent, and that all OEMs are suddenly evil for some odd reason..



        • Good old BIOSes from 386 era already had secure boot, that was actually secure. They had that MBR protection. The BIOS just hung the machine if MBR was manipulated at any time.

          So how hard was it to calculate some MD5 sum and display it in boot screen*. User then compares it to its own, acknowledges this entry and locks it. At this point machine refuses to boot this entry, if it was modified. And user has full control what he boots. He can even disable the feature. Just like good old MBR protection that nobody really used if they didn't care for it.

          But first this Palladium crap with TPM, then UEFI bug and documentation bloat, and now this. This is far too complex to mean "security" for a user. It's a security for not-user, the reason it's so complex and taking so long to slip in, is because actual user should not get attention of it until it's too late, where he has to face the consequences himself. And ideally... there is no one to blame. Which is exactly the fall with OEM-MS responsibility ping-pong.


          So a good thing to do, is for some OEM to please partner with Valve to create an independent hardware certification company. No one is really demanding open hardware, but I am very sure people do demand hardware that gives THEM the power to decide what they let their machines execute.



          • Originally posted by DDF420
            It is a $99 key with money going to Verisign not Microsoft

            It's likely to fall under anti competitive laws if OEMs don't include the option to turn it off.

            Ya, you probably won't stop things like shim that let you enroll additional keys at boottime with shim, or with other keys pre-enrolled, but the biggest issue with secure boot locked on is that you can't not trust whatever malware anyone can induce microsoft to trust by force. The NSA could force microsoft to sign a UEFI keylogger module or a module that forces system management mode to scrape keys from bitlocker or LUKS (in fact they probably already have).

            You can't actually be secure unless you can choose who not to trust.

            At the moment chromebooks actually provide the best option to build your own trusted FLOSS stack from firmware to userspace. You have to disassemble your machine, move a few jumpers around, generate certs and compile a bunch of stuff, but it's at least possible.



            • Originally posted by Baconmon
              Well, I will tell you how it is microsoft's stupid fault: Microsoft is requiring OEMs to put SB on to their motherboards (if they want MS certification), right?.. And it has to be ON by default.. The only reason microsoft stipulated a user option to disable it (for windows8 cert.) was so that people didn't freak out, and gave time for people to get used to it.. The fault of microsoft is requiring "secure"-boot at all..
              They required the ability to turn it off since they were also still selling and supporting Windows 7.

              Moving forward they don't need this support, and therefore it is not a requirement.

              No UFO cover-ups here.



              • Originally posted by Godzilla
                They required the ability to turn it off since they were also still selling and supporting Windows 7.

                Moving forward they don't need this support, and therefore it is not a requirement.

                No UFO cover-ups here.
                This discussion is not about UFO coverups.

                It's about a corporation trying to lockdown our hardware by forcing their version of "trust" down our throats.



                • After reading through many similar reports on various sites I'd like to ask a question to anyone who is in the know: given that this plan comes to fruition in its worst possible version (as in "Microsoft makes secure boot optional, then buys OEMs' desire to remove the off switch completely by discount promises or threats" - I know some people dismiss this as silly but I think it's silly not to account for this eventuality, especially since it's M$ we're talking about), I'd really like to know what exactly is being labeled as "Microsoft certified" - only OEM-built personal computers or individual hardware components as well (read: mobos)? In other words, I'd really like to know if this potential lockdown is only true for pre-built computers that have the "Windows 10 certified" label on them, or if it's possible to buy a motherboard (when building a PC yourself) and be screwed because the said mobo has the Win 10 label and happens to have no off switch for Secure Boot. I'm *assuming* that it most likely affects only the OEM-built personal computers, but what has me worried is that I've seen (more than once) some motherboards that had e.g. "Windows 8 ready" written on their boxes, and their initial UEFI setup was a bit strange - for instance, some Asus motherboards I've dealt with that had the aforementioned "Win 8 ready" label did not have the "Secure Boot On/Off" switch, but instead they had the "Operating System: Windows (UEFI) / Other" switch which acted the same as the On/Off switch. It's practically as if those motherboards were already intended to be used with Win 8 and as such were preconfigured for use with that particular OS, labeling everything else as "Other". So, *that* is what I would like to know - provided that I don't buy prebuilt desktop PCs (which I pretty much never did and don't intend to do), will I be OK or will I have to be selective with individually bought motherboards as well? Does anyone know?
                  Thanks in advance.



                  • Originally posted by ossuser
                    This discussion is not about UFO coverups.

                    It's about a corporation trying to lockdown our hardware by forcing their version of "trust" down our throats.
                    I've read the discussion.

                    The subject is a change in one vendor's commercial requirements of equipment manufacturers that run their particular software.

                    The discussion is about conspiracy, fear, outrage and woe.



                    • Originally posted by Godzilla
                      I've read the discussion.

                      The subject is a change in one vendor's commercial requirements of equipment manufacturers that run their particular software.

                      The discussion is about conspiracy, fear, outrage and woe.
                      Better to fear than to regret.
                      Better expect conspiracy than have blind faith.
                      Better to woe than to be in despair.