:: Re: [DNG] Laptops I haven't bought …
Author: Simon
Date:  
To: Devuan ML
Subject: Re: [DNG] Laptops I haven't bought yet.
Ian Smith <ian@???> wrote:

> I had no idea some PCs/laptops could be locked into using Microsoft
> only, to the exclusion of all other OSes.


Yes, this was something raised as soon as the secure boot facility came along and MS mandated it for Win 10.

For a laptop/desktop it’s up to the manufacturer, but for a tablet MS mandates secure boot be on and uneditable. I.e. if you buy a Win 10 tablet then AIUI it’s locked down to only boot something signed with MS’s certificate.

But back to laptops/desktops. To run Win 10 they must support secure boot, and it must default to on. With it on, you can’t boot Linux* as it’s not signed with an MS certificate.
Manufacturers are supposed to allow adding additional certificates (keys) to allow you to boot software signed with a different certificate. In principle that allows you to create your own signing certificate, sign your boot loader, and boot it by adding the appropriate part of your own certificate. Not sure whether this is part of the rules, just not specified, or what.
Also, the manufacturer can choose to allow you to turn off secure boot. If they do, then you can boot unsigned software, but you can’t boot Windows as it will refuse to load.

I vaguely recall that when secure boot came along, this “flexibility” was how MS managed to get it past the authorities who would otherwise probably have opened up an anti-trust or market power abuse case against them. Otherwise, it would fit their past behaviour patterns to have mandated PC suppliers lock everything down if they wanted to be able to sell PCs with Windows.

Like other features** that EFI allows manufacturers to lock down, this is something that you may have to a) try out, or b) study manuals/tech data in depth to figure out.

And it’s something to maintain eternal vigilance over. Given past performance, it’s not hard to imagine MS (and these days, Red Hat) quietly shifting the goalposts and “encouraging” manufacturers to further lock down the systems once people have got used to its ubiquity.


* I recall that at one time, there was a signed version of GRUB - signed by MS, and distributed by RH? Whether this is still a thing or not I don’t know. I recall I was slightly surprised when I read about it as it goes against the concept of secure boot having a boot loader that doesn’t enforce signing of whatever it loads!

** With EFI, the EFI system can enable/disable processor features. So, for example, a manufacturer can sell the same hardware in two versions - one that can do hardware virtualisation, and one that can’t. Absolutely no difference other than an EFI setting, but of course it allows them to charge a premium for the “server” version.


Simon
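
The "try it out" check on a machine that already boots Linux, as an added example that is not part of Simon's message: it reads the standard UEFI `SecureBoot` and `SetupMode` variables and reports whether secure boot is enforcing and whether a platform key is enrolled. It assumes Linux with efivarfs mounted at `/sys/firmware/efi/efivars`; the function names and the sample directory are constructed for illustration.

```python
import os
import struct
import tempfile

# EFI global variable vendor GUID, used in efivarfs file names on Linux.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

def read_efi_flag(efivars_dir, name):
    """Return the one-byte value of a global EFI variable, or None if absent."""
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            blob = fh.read()
    except FileNotFoundError:
        return None
    # efivarfs layout: 4-byte little-endian attribute mask, then the data.
    if len(blob) < 5:
        raise ValueError(f"{name}: short efivarfs entry ({len(blob)} bytes)")
    _attrs, = struct.unpack_from("<I", blob)
    return blob[4]

def secure_boot_state(efivars_dir="/sys/firmware/efi/efivars"):
    """Summarise the firmware's current secure boot state as a short string."""
    if not os.path.isdir(efivars_dir):
        return "no EFI variables (legacy BIOS boot or efivarfs not mounted)"
    secure = read_efi_flag(efivars_dir, "SecureBoot")
    setup = read_efi_flag(efivars_dir, "SetupMode")
    if secure is None:
        return "firmware does not expose SecureBoot"
    if secure == 1:
        return "secure boot enforcing"
    if setup == 1:
        return "secure boot off, setup mode (no platform key enrolled)"
    return "secure boot off, keys enrolled"

def make_sample(secure, setup):
    """Constructed sample directory imitating efivarfs, for offline runs."""
    d = tempfile.mkdtemp()
    for name, val in (("SecureBoot", secure), ("SetupMode", setup)):
        with open(os.path.join(d, f"{name}-{EFI_GLOBAL}"), "wb") as fh:
            # Attribute mask 0x6 = boot-service access | runtime access.
            fh.write(struct.pack("<I", 0x6) + bytes([val]))
    return d

if __name__ == "__main__":
    print(secure_boot_state())
```

This reports only the current state; whether the firmware setup screens let you disable secure boot or enrol your own keys still has to be checked on the machine itself.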