On 8/6/24 16:21, Ian Smith wrote:
> On Tue, 16 Jul 2024 20:14:23 +0100
> Simon <linux@???> wrote:
>
>> Ian Smith <ian@???> wrote:
>>
>>> I had no idea some PCs/laptops could be locked into using Microsoft
>>> only, to the exclusion of all other OSes.
>> Yes, this was something raised as soon as the secure boot facility
>> came along and MS mandated it for Win 10.
>>
>> For a laptop/desktop it’s up to the manufacturer, but for a tablet MS
>> mandates secure boot be on and uneditable. I.e. if you buy a Win 10
>> tablet then AIUI it’s locked down to only boot something signed with
>> MS’s certificate.
>>
>> But back to laptops/desktops. To run Win 10 they must support secure
>> boot, and it must default to on. With it on, you can’t boot Linux* as
>> it’s not signed with an MS certificate. Manufacturers are supposed to
>> allow adding additional certificates (keys) to allow you to boot
>> software signed with a different certificate. In principle that
>> allows you to create your own signing certificate, sign your boot
>> loader, and boot it by adding the appropriate part of your own
>> certificate. Not sure whether this is part of the rules, just not
>> specified, or what. Also, the manufacturer can choose to allow you to
>> turn off secure boot. If they do, then you can boot unsigned
>> software, but you can’t boot Windows as it will refuse to load.
>>
>> I vaguely recall that when secure boot came along, this “flexibility”
>> was how MS managed to get it past the authorities who would otherwise
>> probably have opened up an anti-trust or market power abuse case
>> against them. Otherwise, it would fit their past behaviour patterns
>> to have mandated PC suppliers lock everything down if they wanted to
>> be able to sell PCs with Windows.
>>
>> Like other features** that EFI allows manufacturers to lock down,
>> this is something that you may have to a) try out, or b) study
>> manuals/tech data in depth to figure out.
>>
>> And it’s something to maintain eternal vigilance over. Given past
>> performance, it’s not hard to imagine MS (and these days, Redhat)
>> quietly shifting the goalposts and “encouraging” manufacturers to
>> further lock down the systems once people have got used to it’s
>> ubiquity.
>>
>>
>> * I recall that at one time, there was a signed version of GRUB -
>> signed by MS, and distributed by RH ? Whether this is still a thing
>> or not I don’t know. I recall I was slightly surprised when I read
>> about it as it goes against the concept of secure boot having a boot
>> loader that doesn’t enforce signing of whatever it loads !
>>
>> ** With EFI, the EFI system can enable/disable processor features.
>> So, for example, a manufacturer can sell the same hardware in two
>> versions - one that can do hardware virtualisation, and one that
>> can’t. Absolutely no difference other than an EFI setting, but of
>> course it allows them to charge a premium for the “server” version.
> Thank you for that comprehensive summary, much appreciated.
>
> I've wondered if somehow Microsoft managed to get a majority of new
> PCs/laptops locked permanently to Windows, that would attract
> some antitrust/monopoly lawsuits, akin to the browser scenario some
> years ago.
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Win10 does not require secure boot, Win11 supposedly does. However,
there are ways of working around this. For example, I run Win11 on
VirtualBox using a Win10 license. The methods can be found on the Internet.

--
William (Bill) Moss
bill.m.moss@???
NY (USA)