Windows 10 announcement: certified hardware can lock out competing OSes

You take for granted that the impact of alternative OSes is in proportion to their popularity. The most significant innovation begins at the margins. Remember when Apple was what, 6% of the market?

At one time Internet Explorer had about 95% browser share. Important sites increasingly required IE, which was free to ignore standards and stall innovation. Then Firefox came along. It was never the most popular browser, but by capturing a minority of the market it helped preserve the open Web and advance innovation for everyone - IE users included.

Uhm, no. I’m saying that they’re just about the only “big tech” company that makes their own hardware. Everyone else, generally, has someone else do it (see Microsoft and Google, for example).

True, and Apple has been using EFI and TPM modules ever since the switch to intel processors, and still not betrayed their users with these, at least.

Almost every product available protects its users to greater or lesser degrees. Failure to protect the user can lead to products liability lawsuits, such as that over the Ford Pinto. This kind of protection that Apple is engaging in by requiring you to open a new app for the first time through the context menu is little more than requiring the administrator to act like an administrator.

People don’t trust Sony or Lenovo. As someone who hasn’t bought a Windows machine in a decade, I probably wouldn’t trust anyone who sells a computer loaded with bloatware.

That’s the complete opposite of the case.
The current Windows Certification requires OEMs to ship desktop machines with UEFI activated.

Ergo, don’t buy “certified assware”

I know nothing about the origins of Corey’s report on UEFI in Win10, nor do I have any knowledge of source materials he may have used.

The WinHEC hardware conference in Shenzhen, China included many presentations to OEM’s. Following is a slide that, according to multiple reports, was viewed as a part of one such presentation. My 1st encounter with this graphic was through a post on Ars Technica & as is noted in text from that same article, Ars is asking that MS sources confirm the validity of the graphic & to clarify other points as well.

windows-10-secure-boot.png1920×1200 66 KB

Also from the article:

At its WinHEC hardware conference in Shenzhen, China, Microsoft talked about the hardware requirements for Windows 10. The precise final specs are not available yet, so all this is somewhat subject to change, but right now, Microsoft says that the switch to allow Secure Boot to be turned off is now optional. Hardware can be Designed for Windows 10 and can offer no way to opt out of the Secure Boot lock down.

The presentation is silent on whether OEMS can or should provide support for adding custom certificates.

We’ve asked Microsoft if the slides are accurate and OEMs will indeed be able to build machines that essentially lock out other operating systems, especially in light of the visceral reaction to the original Secure Boot requirement. We’re still awaiting a reply.

As is clear from the source material shown above, I was indeed mistaken about the Activation State at time of shipping. The source also supports the balance of my assertion that MS is not dictating that Secure Boot be permanently locked down & that OEMs have the latitude to permit its easy disabling.

I can’t quote statistics on the volume of dual-boot systems out in the wild. While it’s certainly not a majority, I doubt that demand is completely insignificant. And while I know not everyone is interested in rolling their own, nothing communicated so far addresses the home builder market segment.

That said, this discussion is still essentially just conjecture over policy yet to finalized & formally made public.

I wouldn’t personally bother changing up the OS from Windows because I’m rather used to it but being told that I can’t, that the hardware I may have bought has been disabled to prevent me from changing it compels me to defy what is undeniably a total dick move.

Ummm… doesn’t Apple subcontract the making to e.g. Foxconn?

I guess I’ll move “Install Windows 10 on my Raspberry Pi 2” down my priority list for now. Hmm, oops, can’t move it any lower.

My wife wanted to put Linux mint on her new laptop because of how much she despised the windows 8 interface. She is not techie, she just hates the windows ui. The laptop only wanted to take signed operating systems and neither of us could figure out how to get Mint on it. I had to enlist professional help, who warned us that sometimes computers get bricked by trying to install the OS that the user actually wants. I don’t think my wife considers herself to be nerdy. She just wanted a computer that she liked to use. If she’s paying for the machine, she should be able to do that.

Well that’s messed up. And I quite agree with you, I was just pointing out people with the desire and ability are pretty uncommon.

Shouldn’t that deserve some sort of legal protection, for a minority group?

…I wouldn’t ask for more than a little jumper, or even a cut-this-trace-here-warranty-be-damned way, to disable this crap…

You’re missing the point again.

Apple designs and has made, to sell as “Apple,” their own hardware. As a general rule, other big tech companies don’t do that. Microsoft doesn’t do it and, nor does Google except for a few reference devices. We were discussing the fact that Microsoft doesn’t make its hardware, OEMs do it and Microsoft just makes the software and the rules around that software.

This wasn’t a discussion of which plant puts together the parts that Apple requests or do you think Foxconn designs the hardware and sells it for Apple, like Dell does for Windows computers? What do you think the “Designed in California” that has been embossed on Apple devices is there for?

Do you think Dell runs a chip fabbing plant here in the US? Everyone subcontracts the making of things, largely to Taiwan and China.

So what exactly do you do if you want to buy a computer that someone can’t just walk up to with a bootable USB drive and do whatever they want?

I suppose you could password-protect the BIOS, but that won’t stop someone from discretely opening the case and clearing the CMOS. Or you could deactivate all the ports and make external access possible only through some sort of secure dongle. (Do people do that?)

There is no reason why the user can’t lock out other OSs, instead of the OEM. It’s the user’s box so they should decide, not some company who gets OS sales kickback.

The password could be kept in non-volatile memory.

It can be done. I don’t know of any individuals who do it, but some sensitive facilities fill in extra ports with epoxy to prevent USB exploits.

[quote=“popobawa4u, post:79, topic:54106”]There is no reason why the user can’t lock out other OSs, instead of the OEM. It’s the user’s box so they should decide, not some company who gets OS sales kickback.[/quote]Sure, but anything one user can lock out, another user can unlock, in theory.

Of course, but I’d say that this is oversimplifying things a bit. A reasonable goal is to not try making your security impenetrable, but too impractical to bother with. Popping out a CMOS battery takes all but a few seconds - compared to setting up another computer and attaching probes to your board to try to read the data out and analyze it.

A problem with the approach outlined here is that if somebody tries to break into your box, they are the ones committing a violation. If the OEM locks down your box and you need to circumvent this, then you are the one committing a violation, as DMCA law currently is.

It is a piece of physical hardware, made from atoms. If someone has unfettered access to your machine, they will always be able to subvert it, given time and resources (or someone having put in the time and resources and made a method which others then get/buy).

Where?

They design the stuff. But they generally don’t make it. If they ran their own facilities, populating the boards and putting them into boxes, they would be making the devices. It’s their designs, but they aren’t making them.

“To design” and “to make” are two highly different verbs. At least they were, the last time I checked my admittedly imperfect english-as-second-language.

Conflating these related but different concepts does us no good.

That’s true. So why shouldn’t we call it that way?

A way is to solder a thin wire to the SDA wire to the EEPROM chip. Then when the password is prompted for, ground the wire and press enter. The password is read from the memory as a zero-length string, and you are in.