Author: o1bigtenor
Date:  
CC: dng
Subject: Re: [DNG] Laptops I haven't bought yet.
On Tue, Aug 6, 2024 at 5:47 PM Wm. Moss via Dng <dng@???> wrote:

> On 8/6/24 16:21, Ian Smith wrote:
> > On Tue, 16 Jul 2024 20:14:23 +0100
> > Simon <linux@???> wrote:
> >
> >> Ian Smith <ian@???> wrote:
> >>
> >>> I had no idea some PCs/laptops could be locked into using Microsoft
> >>> only, to the exclusion of all other OSes.
> >> Yes, this was something raised as soon as the secure boot facility
> >> came along and MS mandated it for Win 10.
> >>
> >> For a laptop/desktop it’s up to the manufacturer, but for a tablet MS
> >> mandates secure boot be on and uneditable. I.e. if you buy a Win 10
> >> tablet then AIUI it’s locked down to only boot something signed with
> >> MS’s certificate.
> >>
> >> But back to laptops/desktops. To run Win 10 they must support secure
> >> boot, and it must default to on. With it on, you can’t boot Linux* as
> >> it’s not signed with an MS certificate. Manufacturers are supposed to
> >> allow adding additional certificates (keys) to allow you to boot
> >> software signed with a different certificate. In principle that
> >> allows you to create your own signing certificate, sign your boot
> >> loader, and boot it by adding the appropriate part of your own
> >> certificate. Not sure whether this is part of the rules, just not
> >> specified, or what. Also, the manufacturer can choose to allow you to
> >> turn off secure boot. If they do, then you can boot unsigned
> >> software, but you can’t boot Windows as it will refuse to load.
> >>
> >> I vaguely recall that when secure boot came along, this “flexibility”
> >> was how MS managed to get it past the authorities who would otherwise
> >> probably have opened up an anti-trust or market power abuse case
> >> against them. Otherwise, it would fit their past behaviour patterns
> >> to have mandated PC suppliers lock everything down if they wanted to
> >> be able to sell PCs with Windows.
> >>
> >> Like other features** that EFI allows manufacturers to lock down,
> >> this is something that you may have to a) try out, or b) study
> >> manuals/tech data in depth to figure out.
> >>
> >> And it’s something to maintain eternal vigilance over. Given past
> >> performance, it’s not hard to imagine MS (and these days, Redhat)
> >> quietly shifting the goalposts and “encouraging” manufacturers to
> >> further lock down the systems once people have got used to its
> >> ubiquity.
> >>
> >>
> >> * I recall that at one time, there was a signed version of GRUB -
> >> signed by MS, and distributed by RH ? Whether this is still a thing
> >> or not I don’t know. I recall I was slightly surprised when I read
> >> about it as it goes against the concept of secure boot having a boot
> >> loader that doesn’t enforce signing of whatever it loads !
> >>
> >> ** With EFI, the EFI system can enable/disable processor features.
> >> So, for example, a manufacturer can sell the same hardware in two
> >> versions - one that can do hardware virtualisation, and one that
> >> can’t. Absolutely no difference other than an EFI setting, but of
> >> course it allows them to charge a premium for the “server” version.
> > Thank you for that comprehensive summary, much appreciated.
> >
> > I've wondered if somehow Microsoft managed to get a majority of new
> > PCs/laptops locked permanently to Windows, that would attract
> > some antitrust/monopoly lawsuits, akin to the browser scenario some
> > years ago.
>
> Win10 does not require secure boot, Win11 supposedly does. However,
> there are ways of working around this. For example, I run Win11 on
> VirtualBox using a Win10 license. The methods can be found on the Internet.
>

The last desktop boxen I bought (refurbished) I just yanked the HDD and
installed another one. Dunno if that's so easy in a laptop but I'm no fan
of those hampered beasts. (You know small screens (my screen is some
8k x 3k), terrible battery life, non-ergo keyboard, running more than
rather warm - - dunno if I need more negatives.)

Regards