This is a bunch of MS

This is all part of microsoft's evil master plan.......seriously, it really is..

Did you know that initially microsoft wanted a requirement for windows8 to be that secureboot is LOCKED ON PERMANENTLY and IMPOSSIBLE to turn off?.. Yeah......But every one was so out-raged that microsoft rescinded that stipulation (for now)..

Basically, it is the frog in boiling water tactic: If you alter things too quickly, people get out-raged.. So instead, you have to take it one slippery step at a time..

Certification Stipulations for OEMs:
the past: secureboot not required at all. You've always been able to run linux freely.
windows8: Require secureboot. Require it to be ON by default. Require option for user to switch it OFF if they want to (so public doesn't get outraged).
windows10: Require secureboot. Require it to be ON by default.
future?: Require secureboot to be ON PERMANENTLY with NO OPTION to disable it. (This is already what microsoft tried to do with windows8, but people got pissed and microsoft backed down for a while.)

It is fairly obvious that this is microsoft's end game and the sole purpose that they introduced the whole idea of secureboot in to the UEFI system, because secureboot is fixing a problem that was essentially non-existant. How many viruses have you heard about lately that try to attack boot-loaders?.. Do you think this thing that microsoft is pushing for so hard (secureboot) is because they suddenly care about security for this one possible (but rarely attacked) attack-vector?? Do you think it is just coincedence that secureboot happens to increasingly make linux more and more impossible to boot?.. Do you really think microsoft is suddenly acting different now than they always have in their whole past history?..

Some people say "No worries, I won't buy a computer that I can't disable secureboot on".. Well, that is good for you, but what about situations where you are trying to convince a friend/family-member that wants to try linux?.. "Sorry mom, your computer doesn't let me turn off secureboot, so you just have to keep using windows".. Poor mom won't have a chance to even try linux, and she isn't going to buy a new different computer just to try linux.. It is easier for her to just keep using windows like microsoft wants..

The name "Secure Boot" already can have an affect on friends or family members convinced to try linux..:
You: "Come on grandma, just try linux for a month and see if you like it!"
Grandma: "I'm not sure billy, is it safe?"
You: "Yes, it is much safer than windows is."
Grandma: "Hmm, I suppose you can install it."
You: *Tries to install* "Oh crap, I can't install it. You need to change a setting in the UEFI thing."
Grandma: "Hmm? Which setting?"
You: "I need to disable Secure Boot. Linux can't install with Secure Boot enabled."
Grandma: "Disable security? That sounds really suspicious billy....I'm not sure I want to try this linux thing after all."
You: "Come on! It is safe!"
Grandma: "Billy, I just have a bad feeling about all this, I am going to stick with windows I think, sorry."

This also emphasizes a very ironic contradiction also: You are ENABLING *secure*-boot to boot windows (a giant living attack-vector), yet you have to DISABLE secureboot to be able to boot some thing MORE secure. Does that make much sense??.. (Short answer: Nope)


Some people are saying "Well, most of the linux distrobutions should be able to get a key required to boot"..
Well then, what about people that compile their own stuff, or smaller less-powerful distros? And, I think it is really messed up that you have to PAY MICROSOFT so that THEY can decide to give you the PRIVILEGE to run LINUX.. Sounds like the computer version of 1986..

And, even if most of the major linux distros are able to obtain permission for some keys, what about times when you need to use a boot-disc to rescue some one's computer?.. What if you need to use gparted live disc to fix grandma's hard-drive partitions?.. What if you need to use a live USB stick of puppy linux to edit some files on your uncle's computer so that his windows10 boots properly again?.. The only way you could "fix" a broken windows installation on a secureboot-always-on computer is to use the damn windows installation disc, and try to use window's crappy useless recovery tools or either just reinstall the whole windows OS from scratch again.. Great options..

What if the FBI come to your house and you pop in your Dan's Boot And Nuke disc to try to securely wipe your whole computer, only to find out UEFI won't boot it because it doesn't have a key issued by microsoft?.. Do you really think microsoft would ever issue a key for DBAN? (Short answer: Nope)


Why don't normal users have a say in how UEFI progresses?? Or how hardware progresses??.. Gosh darn it, this is supposed to be the future!.. It is high time that users take control of their own hardware and software.. Linux helps people do that as much as possible, but we need a TON more development in to lower-level things like coreboot and open hardware.. I would love to see some thing like a huge open-hardware initiative start, maybe on some thing like kickstarter or one of those types of sites.. Don't bite off more than you can chew....Just start with a basic open-source motherboard.. If it is successful, you can progress from there.. (Just an example)..

I am sick of microsoft's seemingly-eternal reign.. They are already obsolete, and just running on the momentum from when they used to be big and back when linux sucked.. And I know microsoft will eventually fall, but I would love to do any thing in my power to make that happen as fast as possible..

Secureboot was ms answer to mac as they didn't like bootcamp to boot windows? Well if Linux gets a key I'm optimistic, but pessimistic for dualboot Macs. But I might be wrong as I have no Mac.
Anyway, as I build my PC from parts, I should be able to avoid problems in the future?

Desktops probably. It's quite unlikely that board makers will remove the option to disable SB.

Notebooks will be a problem. Either go shopping for notebooks that retain the feature, get notebooks from a Linux OEM or, if the option to load your own certificates into the SB database is still available, create and enroll your own certs, then self-sign your kernels.

That's not really an option. I have to boot linux on various PCs everyday. But you're right, it's probably gonna be worse on laptops and notebooks.

Seems I'm gonna be selling more laptops and motherboards when it turns out that it isn't possible to repair windows anymore.

Oh neat, this'll be like a litmus test of who is actually smart on these forums or not.

It's quite simple, either you start caring about who manufactures your hardware, the quality of said hardware - and holding them to a basic standard of features and implementation quality, things might actually move forwards for a change.

But nah, I'm sure the 99% gormless FOSS community will spend more time impotently raging about Microsoft then actually doing something useful for a change in their otherwise sad, pathetic GPL leech lives.

Plus it may be a good point to sell more RedHat Workstation copies on.

At least our machines will be functional. Meanwhile yours will be fucked with nothing you can personally do about it.

You don't seem to understand that the -entire- point of Secureboot is to fuck over the PC repair industry. MS doesn't want a repair industry at all. That's the entire point. They don't want windows to be repairable.

Don't get me wrong: I think it's a nasty move from Microsoft.
Yet I see a scenario where this might turn out good for Linux: proprietary drivers. Most distros now ship with their own Microsoft-issued certificate that allows them to work fine with SecureBoot on. This of course doesn't extend to 3rd party drivers that are not signed. I'm forced to use the Broadcom STA driver for the wireless chip on my laptop, and if I enable SecureBoot the driver just won't load. Right now I just have to turn it off and everything's fine, but if I didn't have the option, that would also put Broadcom in the unpleasant situation of not being able to support linux on Windows 10 hardware, and this might be a push towards open-sourcing the drivers. Unless, of course, some distro does the stupid move of signing proprietary drivers (I'm looking at you, Ubuntu...).

Any thoughts about it?

P.S. yes I'm aware some people might want to run custom kernels, I said it's a nasty move.

Doing dirty jobs by OEMs hands? Nice try, MSsuxx.

I'm unfortunately very well aware how microsoft gets dirty jobs done by someone's else hands. So, nice attempt to derail, but I can see who is mastermind behind this exceptionally evil scheme. So, your attempts to derail are, ahem, silly . And those shameless mumblings about OEMs will not help since I'm somewhat aware how MS does it, e.g. by offering discounts or giving bonus for doing things "right". And obviously MS is interested to remove competitors.

And yeah, I'm not friendly. But only to concentration camp builders like MS and bunch of their nazi-like fellows who believe there should be One OS, One Arch and One Fuhrer and I should be denied freedom to run what I want to and OEM/intel/mssuxx should control my hardware instead. You can be pretty sure: I hate oppressors and I can trace treacherous schemes. Is it anyhow strange? At this point I consider M$ just a bunch of filthy scums who dare to mumble crap about security while taking exclusive control over devices, thanks to Boot Guard and SecureBoot.

P.S. and remember: those who would give up essential liberty to obtain little temporary safety, deserve neither liberty, nor safety.

Microsoft is not mandating that OEMs remove the feature. They only said that if OEMs want to ship a notebook with Windows 10 on it, it must have SecureBoot activated.

Whether or not the option to manage SecureBoot from the EFI menus is left in is entirely up to the OEM. Microsoft clearly stated that they don't care to tell OEMs what they should do with the firmware.


I run a bunch of self-made kernels myself and Im affected, but Im not about to start bitching. If the situation gets worse i will just migrate my entire workflow to Windows and deal with it. My main concern will be the deployment of commercial backup and cloning programs that my company uses.SB has blocked them from working before, and will probably continue to interfere with them. I believe Acronis managed to sidestep SecureBoot by using a heavily customized WinPE image as the base for their backup tool.