Author: Ian Smith Date: To: dng Subject: Re: [DNG] Laptops I haven't bought yet.
On Tue, 16 Jul 2024 20:14:23 +0100
Simon <linux@???> wrote:
> Ian Smith <ian@???> wrote:
>
> > I had no idea some PCs/laptops could be locked into using Microsoft
> > only, to the exclusion of all other OSes.
>
> Yes, this was something raised as soon as the secure boot facility
> came along and MS mandated it for Win 10.
>
> For a laptop/desktop it’s up to the manufacturer, but for a tablet MS
> mandates secure boot be on and uneditable. I.e. if you buy a Win 10
> tablet then AIUI it’s locked down to only boot something signed with
> MS’s certificate.
>
> But back to laptops/desktops. To run Win 10 they must support secure
> boot, and it must default to on. With it on, you can’t boot Linux* as
> it’s not signed with an MS certificate. Manufacturers are supposed to
> allow adding additional certificates (keys) to allow you to boot
> software signed with a different certificate. In principle that
> allows you to create your own signing certificate, sign your boot
> loader, and boot it by adding the appropriate part of your own
> certificate. Not sure whether this is part of the rules, just not
> specified, or what. Also, the manufacturer can choose to allow you to
> turn off secure boot. If they do, then you can boot unsigned
> software, but you can’t boot Windows as it will refuse to load.
>
> I vaguely recall that when secure boot came along, this “flexibility”
> was how MS managed to get it past the authorities who would otherwise
> probably have opened up an anti-trust or market power abuse case
> against them. Otherwise, it would fit their past behaviour patterns
> to have mandated PC suppliers lock everything down if they wanted to
> be able to sell PCs with Windows.
>
> Like other features** that EFI allows manufacturers to lock down,
> this is something that you may have to a) try out, or b) study
> manuals/tech data in depth to figure out.
>
> And it’s something to maintain eternal vigilance over. Given past
> performance, it’s not hard to imagine MS (and these days, Redhat)
> quietly shifting the goalposts and “encouraging” manufacturers to
> further lock down the systems once people have got used to its
> ubiquity.
>
>
> * I recall that at one time, there was a signed version of GRUB -
> signed by MS, and distributed by RH? Whether this is still a thing
> or not I don’t know. I recall I was slightly surprised when I read
> about it as it goes against the concept of secure boot having a boot
> loader that doesn’t enforce signing of whatever it loads!
>
> ** With EFI, the EFI system can enable/disable processor features.
> So, for example, a manufacturer can sell the same hardware in two
> versions - one that can do hardware virtualisation, and one that
> can’t. Absolutely no difference other than an EFI setting, but of
> course it allows them to charge a premium for the “server” version.
Thank you for that comprehensive summary, much appreciated.
I've wondered whether, if Microsoft somehow managed to get a majority of
new PCs/laptops locked permanently to Windows, that would attract
some antitrust/monopoly lawsuits, akin to the browser scenario some
years ago.
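The quoted message talks about "adding the appropriate part of your own certificate" so that firmware will boot a loader you signed yourself. Concretely, what goes into the Secure Boot db (and dbx) variables is not a bare certificate but an EFI_SIGNATURE_LIST: a small header carrying a signature-type GUID and fixed entry sizes, followed by one or more owner GUID + payload entries. The block below is an added example, not code from the thread or from any of the tools it mentions; it builds such lists for an X.509 entry and for SHA-256 hash entries and parses them back with the size checks a careful consumer needs. The two signature-type GUIDs are the ones from the UEFI specification; the certificate bytes, the hash inputs and the owner GUID are constructed stand-ins, and enrolling the resulting blob into db (via setup mode or a KEK-signed authenticated variable) is outside what this example does.

```python
"""Build and parse UEFI EFI_SIGNATURE_LIST blobs, the container in which
certificates or hashes are appended to the Secure Boot db/dbx variables.
Added example; the certificate below is a constructed dummy, not real DER."""
import hashlib
import struct
import uuid

# Signature-type GUIDs as defined in the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# Hypothetical SignatureOwner GUID: any fixed GUID you pick for your own key.
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian UINT32s).
_HDR = struct.Struct("<16sIII")
_GUID_LEN = 16


def build_esl(sig_type, entries, owner=OWNER_GUID):
    """Return one EFI_SIGNATURE_LIST holding `entries`.

    SignatureSize is fixed per list, so every entry must have the same
    length; in practice that means one DER certificate per X.509 list,
    while many SHA-256 hashes can share a single list."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = _GUID_LEN + sizes.pop()          # SignatureOwner + SignatureData
    body = b"".join(owner.bytes_le + e for e in entries)
    list_size = _HDR.size + len(body)           # SignatureHeaderSize is 0 here
    return _HDR.pack(sig_type.bytes_le, list_size, 0, sig_size) + body


def parse_esl(blob):
    """Yield (sig_type, owner, data) for every signature in a concatenation
    of EFI_SIGNATURE_LISTs, rejecting truncated or inconsistent sizes rather
    than silently reading past the end of a list."""
    off = 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < _GUID_LEN:
            raise ValueError("SignatureSize smaller than the owner GUID")
        sigs_len = list_size - _HDR.size - hdr_size
        if sigs_len % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos = off + _HDR.size + hdr_size
        for _ in range(sigs_len // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + _GUID_LEN])
            yield sig_type, owner, blob[pos + _GUID_LEN:pos + sig_size]
            pos += sig_size
        off += list_size


def is_well_formed(blob):
    """True if every list in `blob` parses cleanly (used for malformed input)."""
    try:
        list(parse_esl(blob))
        return True
    except ValueError:
        return False


# Constructed sample data: a fake "DER certificate" and two hashes of
# made-up binaries, assembled into a db-style blob (one X.509 list followed
# by one SHA-256 list).
FAKE_CERT = b"\x30\x82\x01\x00" + b"\xa5" * 256
FAKE_HASHES = [hashlib.sha256(b"my-signed-bootloader.efi").digest(),
               hashlib.sha256(b"rescue-shell.efi").digest()]
SAMPLE_DB = (build_esl(EFI_CERT_X509_GUID, [FAKE_CERT])
             + build_esl(EFI_CERT_SHA256_GUID, FAKE_HASHES))


if __name__ == "__main__":
    for sig_type, owner, data in parse_esl(SAMPLE_DB):
        kind = "x509" if sig_type == EFI_CERT_X509_GUID else "sha256"
        print(f"{kind:6} owner={owner} bytes={len(data)}")
    print("truncated blob accepted:", is_well_formed(SAMPLE_DB[:-1]))
```

A real workflow replaces FAKE_CERT with the DER of your own signing certificate (the same shape of list that tools such as cert-to-efi-sig-list from efitools produce), signs your boot loader with that key using sbsign, and then gets the list into db either from firmware setup mode or wrapped in a KEK-signed authenticated variable update. The size checks in parse_esl matter because a consumer that trusts SignatureListSize or SignatureSize blindly can be made to read outside the variable or to treat trailing bytes as an extra trusted entry.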