Windows 10 to make the Secure Boot alt-OS lock out a reality (arstechnica.com)
41 points by doublextremevil on March 20, 2015 | 15 comments



This is very concerning. I can imagine a future where only the "premium" hardware has the option to disable secure boot, ensuring lower grade consumer machines are permanently locked in to the Windows ecosystem.


Not only that, but they may well be unable to upgrade to even new versions of Windows...

You need Windows 2018? You'll have to buy a new computer...


What makes you think the 'premium' hardware will let you disable it either?


People will always want to use some other OS, and some manufacturer will inevitably provide them with the hardware they need: at premium price, of course.


The slide they have also says that on mobile devices it must not be possible to turn off secure boot. Which, on the one hand, can probably help make them less desirable to steal; but on the other hand, means no playing with non-Microsoft OSes on those devices.


That was true under the Windows 8 logo requirements too, if by "mobile" they mean "ARM" / "Windows RT".

Honestly I'm only very slightly unhappy about that. Unlike with the IBM-compatible PC, a historically open platform, this isn't closing off a historically open platform. The other entries in the space, like Apple's iPad, are historically very closed. And the Windows platform doesn't have anywhere near the dominance in ARM that it does on x86.


Secure Boot isn't lojack, it doesn't really protect against theft or discourage it. Nothing is stopping you stealing someone's computer with Secure Boot and installing a fresh Windows on it.

Secure Boot is about protecting the kernel from modification (e.g. root kits, activation cracks, and so on). It may help protect data also when combined with full disk encryption (it will make tricking you into entering your decryption key(s) into a fake/altered OS harder).

It is a classic defence in depth system. I actually have nothing against Secure Boot, I just think it is too Microsoft controlled and getting a signing key too difficult (and for Microsoft to block competition too easy).


"Nothing is stopping you stealing someone's computer with Secure Boot and installing a fresh Windows on it."

Yeah, I'd been thinking that if you were stuck with what was already installed, a thief wouldn't be able to get rid of any lojack / phone-home-and-brick-yourself monitors. But you're right, secure boot by itself wouldn't provide quite that level of lockdown.

:(


Hm...

First, the slide shown in this article says "allow end user to turn off". It says nothing about "allow end user to add his own keys". If the end user can add his own keys, the end user can still bypass this mechanism; it's just a bit more complex and annoying.

Second, even if the firmware doesn't allow the user to add his own keys, there are bootloaders like SUSE's shim which are signed by Microsoft and allow the user to add his own keys for the next step (see https://www.suse.com/documentation/sles11/book_sle_admin/dat... for instance).

Of course, I wonder how long until shim doesn't work anymore (either by having its signature revoked or by Microsoft migrating to a new root key and not signing shim with it). Who knows, these Windows 10 requirements might already be using a new root key, instead of the one the shim bootloaders were signed with.

If end-users cannot disable secure boot (or add their own keys), they won't be affected at first, since the most popular Linux distributions have a signed bootloader. But when in secure mode, you can't boot your own self-compiled kernel, and often you can't even load unsigned drivers. This makes it harder to debug kernel issues (since you can't compile and install a modified kernel), and makes it hard to develop drivers for new hardware.


There's too much of a risk for MS in revoking the shim's signature.

Keeping everything the way it is is great for them. It's a PITA for non-tech users to install the certificate to try out Linux/any other OS, which means fewer users leaving Windows. No need to push it and risk monopoly-related issues, etc.


The WORST. Imagine if MS had had the foresight to do this back in 91. No Linux.


It is worth noting that Fedora, openSUSE, and Ubuntu all support Secure Boot. However, this would limit true "indie" distros and OSes who likely couldn't get a signing key.

I will say the whole way Secure Boot was done (essentially only having a single signing authority: Microsoft) was highly flawed from the get-go. There was some talk about allowing the Free Software Foundation to sign keys, what happened to that?


I wonder whether bookies would accept a bet on Windows becoming open-source within 5 years?


As a Linux user since 1992 (Slackware), I have a probably unpopular opinion on this. I feel that security problems are getting so severe that I can live with Ubuntu and other distributions having to jump through some hoops to support secure boot. We need a way to get small distros also compatible.


Very annoying. Someone should sue MS with an antitrust case.



