Windows 10 to Lock Out Linux with Secure Boot That Can’t Be Disabled

VMWare is much easier for a beginner to get Ubuntu going than trying to deal with re-partitioning a Windows boot disk and dealing with a true dual booting system. But hey, let's just get mad for no reason because it's so cool to be anti-MS in 2015.

It makes sense to run windows on a linux host, never the opposite. You don't want an insecure platform to run the OS you want to run for security reasons lol.
 
I would think that in general, the people who would want to try Linux out would be using part build PCs and not OEM PC anyways. At least a good number of them.

I would think this is more important for laptops. I had to return a (Dell?) laptop because it did not have the option to turn off Secure Boot in the BIOS, back when this whole thing started about 2 years ago.

But what's the point of restricting how a computer can be used if we already have "hacks" to get Linux, OSX, Solaris, and others to run on hardware? What is an "unauthorized" OS at this point? And who the hell makes that decision?
 
People whining that the computer is insecure in 3...2....1....

If there is one group of people (relating to PCs) that is more niche and insignificant than Linux users (which includes myself), it would be people that would complain about the lack of secure boot....
 
*lights molotov cocktail*

As if anyone seriously runs Linux as their primary desktop os..

*throws molotov cocktail, runs like hell*
 
I run Gentoo as my desktop OS and can still game because WINE and PlayOnLinux are great.

Got tired of Windows updates nuking my whole system. Not sure WTF Microsoft is up to with so many bad updates lately but I for one got tired of it.
 
As if anyone seriously runs Linux as their primary desktop os..

At home I have done this for over a decade. The original motivation was so that I could not bring my work home although eventually this plan failed and I had to bring some of my work home so I built a windows workstation.
 
*lights molotov cocktail*

As if anyone seriously runs Linux as their primary desktop os..

*throws molotov cocktail, runs like hell*

I do. :D I don't really have anything personal against Windows and I still use it pretty often for MS Word, mostly because there are still some formatting things with LibreOffice that make it a tiny bit imperfect when someone with MS Office opens a LibreOffice-made file, and since that's important for icky college professors who nitpick as a reason to reduce grades from my otherwise perfectly amazing research papers, I have to keep at least one Windows PC around. I'm also looking into doing the inexpensive Windows tablet thing for reading e-books on something less creepy and expensive than an Android tab. Still, Linux Mint is on my netbook and I use it far more than my Windows laptop.
 
lol the failure of Windows 8 and likely business resistance to Windows 8 2.0 will ensure that major desktop and laptop manufacturers will continue allowing SB to be switched off.

Also, some devices will still allow signatures to be stored even if SB can't be disabled.

I would say tablets are most likely to be affected by this change, but most smaller ones already disallow turning SB off.
 
Sometimes I hate being right.

I said back when Windows 8 came out that Microsoft's ultimate goal was to prevent alternative operating systems from being installed and that they would eventually mandate restricted boot. So many idiots and shills here said I was paranoid and that they would never do such a thing (I'm looking at you Heatless).

In essence, Microsoft wants PCs to be like phones or tablets where the user has no control over what they install on their own device. In essence, you don't truly own your computing device since the corporation has the keys to it. Some Linuxen "might" work with secure boot, but only by paying a Microsoft tax so they can get a key.
 
One guy comes here and posts a reasonable explanation, 95% of all the posts completely ignore his post.

It is also funny how no one is talking about the realities of the computing market. Hey, how easy is it for anyone to install a new OS on their phone? Any phone? It's not, and on many it is not even known to be possible, yet every single time a phone releases do we hear a giant uproar about how the new iPhone won't let you install Android or Windows Mobile on it? Nope, we don't. MS has every right to lock the living shit out of OEM computers if mobile phone makers are doing the same to them. And yet MS doesn't really do it and leaves plenty of options for getting around this, including simply supporting secure boot yourself.
 
One guy comes here and posts a reasonable explanation, 95% of all the posts completely ignore his post.

It is also funny how no one is talking about the realities of the computing market. Hey, how easy is it for anyone to install a new OS on their phone? Any phone? It's not, and on many it is not even known to be possible, yet every single time a phone releases do we hear a giant uproar about how the new iPhone won't let you install Android or Windows Mobile on it? Nope, we don't. MS has every right to lock the living shit out of OEM computers if mobile phone makers are doing the same to them. And yet MS doesn't really do it and leaves plenty of options for getting around this, including simply supporting secure boot yourself.

That only works if you have sufficient access to install new restricted boot keys. And it is still an unnecessary hassle for a "feature" of dubious security benefit (really, when was the last time we had to worry about bootsector viruses? This isn't the 80s and we aren't using MS-DOS). The only people who would spend large amounts of resources writing such a sophisticated piece of malware (when simple trojans still work an alarmingly large percentage of the time) would be governments and they'd just have their own key to sign things anyways.
 
Basically what I am saying is simple: if you hate this then you have to blame not MS, the company you hate so much, but Google and Apple, the companies who made these practices mainstream and acceptable. And the same thing is true of the Windows Store and online connected logins. All of these things people hate on here and harp on and claim MS is so bad, but it wasn't MS who made them mainstream and acceptable even if MS tried them first. It was the mobile phone makers who did it. So before you can even open your mouth and complain about this stuff you need to get over to the mobile forums and start a rant about Google and Apple, and every time a new phone releases keep harping on it.
 
Basically what I am saying is simple: if you hate this then you have to blame not MS, the company you hate so much, but Google and Apple, the companies who made these practices mainstream and acceptable. And the same thing is true of the Windows Store and online connected logins. All of these things people hate on here and harp on and claim MS is so bad, but it wasn't MS who made them mainstream and acceptable even if MS tried them first. It was the mobile phone makers who did it. So before you can even open your mouth and complain about this stuff you need to get over to the mobile forums and start a rant about Google and Apple, and every time a new phone releases keep harping on it.

Google's flagship phones (The Nexūs) all have unlocked bootloaders.

As far as crApple, my position on them is well known.
 
I'm also looking into doing the inexpensive Windows tablet thing for reading e-books on something less creepy and expensive than an Android tab.

I promise this isn't meant to be sarcastic or douchey, and forgive my naivete, but I'm honestly curious what's "creepy" about an Android tablet specifically?
 
Sometimes I hate being right.

Well good news! You aren't right!

I said back when Windows 8 came out that Microsoft's ultimate goal was to prevent alternative operating systems from being installed and that they would eventually mandate restricted boot. So many idiots and shills here said I was paranoid and that they would never do such a thing (I'm looking at you Heatless).
Secure boot STILL isn't mandatory. It is entirely up to the OEM.

That only works if you have sufficient access to install new restricted boot keys. And it is still an unnecessary hassle for a "feature" of dubious security benefit (really, when was the last time we had to worry about bootsector viruses? This isn't the 80s and we aren't using MS-DOS). The only people who would spend large amounts of resources writing such a sophisticated piece of malware (when simple trojans still work an alarmingly large percentage of the time) would be governments and they'd just have their own key to sign things anyways.
Rootkits are still a major threat and the primary reason for secure boot. There are plenty of good reasons to want to use secure boot and have it on by default.
 
Sometimes I hate being right.
You're not right.

I said back when Windows 8 came out that Microsoft's ultimate goal was to prevent alternative operating systems from being installed and that they would eventually mandate restricted boot. So many idiots and shills here said I was paranoid and that they would never do such a thing (I'm looking at you Heatless).
Secure boot does not prevent alternative OSes from being installed. The major Linux distros all support secure boot. Nothing is preventing you from integrating secure boot compatibility into your favorite Linux distro if it does not support it OOB. Even roll your own kernels can be easily made compatible with secure boot and have had this capability since 2012.

For fucks sake, read the thread, read the documentation that was linked to and stop calling people idiots.
 
It makes sense to run windows on a linux host, never the opposite.
Depends on where you need the performance..

Even if you manage to give full control of a PCIe graphics adapter to a virtual machine through VT-D (your virtualization software AND the host hardware both need to support this feature), gaming will still under-perform when compared against the same system with Windows running directly on the hardware.
 
I would think this is more important for laptops. I had to return a (Dell?) laptop because it did not have the option to turn off Secure Boot in the BIOS, back when this whole thing started about 2 years ago.
Why did you return it when you could have used a signed bootloader and imported the key into your UEFI?

But whats the point of restricting how a computer can be used if we already have "hacks" to get Linux, OSX, Solaris, and others to run on hardware?
Because NOTHING will boot without prior authorization. It just so happens that Windows is pre-authorised at the factory.

Running an alternative OS requires the same setup.

What is an "unauthorized" OS at this point? And who the hell makes that decision?
Anything not signed, and explicitly trusted by your UEFI, is an unauthorized OS.

You make the decision what signatures your UEFI trusts. Control is totally in the user's hands on this... you can even remove the pre-installed Microsoft authorization and prevent Windows from ever being re-installed on the box.
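The post above says the firmware's trust decision comes down to which signatures the UEFI variables hold. The script below is an added example, not code from any participant in this thread: it reads the SecureBoot and SetupMode flags and the PK, KEK, db and dbx databases through efivarfs and decodes every EFI_SIGNATURE_LIST entry, so you can see exactly which certificates and image hashes a machine will accept or reject. The GUIDs and structure layouts are those of the UEFI specification; the efivarfs path is the Linux default; the owner GUID, placeholder certificate bytes and sample database at the bottom are constructed here purely so the parser can be exercised offline.

```python
"""Added example: list what a UEFI firmware trusts (PK/KEK/db/dbx) via efivarfs."""
import hashlib
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")   # Linux efivarfs mount point (assumed)

# Vendor GUIDs that qualify the variable names in efivarfs (UEFI spec).
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
DATABASES = {"PK": EFI_GLOBAL_VARIABLE, "KEK": EFI_GLOBAL_VARIABLE,
             "db": EFI_IMAGE_SECURITY_DATABASE, "dbx": EFI_IMAGE_SECURITY_DATABASE}

# SignatureType GUIDs (UEFI spec): a DER certificate, or a SHA-256 image hash.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

# EFI_SIGNATURE_LIST after the 16-byte SignatureType GUID:
SIG_LIST_HDR = struct.Struct("<III")   # SignatureListSize, SignatureHeaderSize, SignatureSize


def read_efivar(name, vendor_guid):
    """Payload of a UEFI variable via efivarfs (first 4 bytes are attributes), or None."""
    path = EFIVARS / f"{name}-{vendor_guid}"
    if not path.is_file():
        return None
    return path.read_bytes()[4:]


def secure_boot_state():
    """SecureBoot=1 means enforcement is on. SetupMode=1 means no PK is enrolled,
    so anyone who can reach the firmware can write their own keys unchallenged."""
    sb = read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE)
    sm = read_efivar("SetupMode", EFI_GLOBAL_VARIABLE)
    return {"secure_boot": None if sb is None else sb[0] == 1,
            "setup_mode": None if sm is None else sm[0] == 1}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_signature_lists(data):
    """Decode a chain of EFI_SIGNATURE_LIST structures into entry dicts."""
    entries, off = [], 0
    while off < len(data):
        if off + 28 > len(data):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])   # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(data, off + 16)
        end = off + list_size
        pos = off + 28 + hdr_size
        if list_size < 28 or end > len(data) or sig_size <= 16 or pos > end \
                or (end - pos) % sig_size:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        while pos < end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])   # SignatureOwner
            payload = data[pos + 16:pos + sig_size]          # SignatureData
            kind = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
            # Hash entries already are the image hash; for certificates report a fingerprint.
            digest = payload.hex() if kind == "sha256" else sha256_hex(payload)
            entries.append({"type": kind, "owner": str(owner), "digest": digest})
            pos += sig_size
        off = end
    return entries


def build_signature_list(sig_type, owner, payloads):
    """Encode one EFI_SIGNATURE_LIST; every entry in a list must have the same size."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must have the same length")
    sig_size = 16 + sizes.pop()
    list_size = 28 + sig_size * len(payloads)
    out = bytearray(sig_type.bytes_le + SIG_LIST_HDR.pack(list_size, 0, sig_size))
    for p in payloads:
        out += owner.bytes_le + p
    return bytes(out)


# Constructed sample, not real firmware content: one placeholder "certificate" and two hashes.
OWNER = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
FAKE_DER = b"\x30\x82\x00\x10" + bytes(range(16))   # stands in for a DER certificate
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [FAKE_DER])
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x11" * 32, b"\x22" * 32]))


def report():
    state = secure_boot_state()
    print(f"SecureBoot={state['secure_boot']} SetupMode={state['setup_mode']}")
    for name, guid in DATABASES.items():
        raw = read_efivar(name, guid)
        if raw is None:
            print(f"{name}: not present")
            continue
        for e in parse_signature_lists(raw):
            print(f"{name}: {e['type']:7} owner={e['owner']} {e['digest']}")


if __name__ == "__main__":
    report()
```

Run it as root on a UEFI Linux box (efivarfs is usually mounted already). If SetupMode is 1 there is no PK at all, which is the state in which you enrol your own Platform Key; if a db entry is a sha256 hash rather than a certificate, that specific binary image is whitelisted by content and re-signing it with a different key does nothing. The build function produces the same bytes that tools such as cert-to-efi-sig-list emit, minus the time-based authenticated-variable header that must wrap them before the firmware will accept an update.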
 
Sometimes I hate being right.
Even when you're not!

MS is mandating that SB is turned on in order to get to use Windows 10 certification, which probably also makes manufacturers eligible for co-marketing dollars. So they will likely follow it. The option to disallow secure boot is left to the OEMs, but phones and small tablets will likely continue to lack that ability, especially tablets which get free or close to free copies of Windows 10.

Even if a hardware OEM ships desktops and laptops without the ability to disable secure boot, which is a pretty iffy proposition due to the large base of legacy OSs most of their customers run (major PC makers mostly sell to businesses by a wide margin vs retail), there is still the ability to add signatures for other OSs.

It's an extra step to disable SB and/or install a certificate, but only a drama queen would be saying the sky is falling or claiming to be correct when most new PCs shipped with or without Windows will still have the ability to install Linux after Windows 10 ships. This is almost a complete non-issue for people who build their own systems. The funny thing is very, very few people will even want to install Linux, regardless of how crappy Windows has become. That's gotta hurt. :D
 
If there is one group of people (relating to PCs) that is more niche and insignificant than Linux users (which includes myself), it would be people that would complain about the lack of secure boot....

Such as? Essentially, this is a click bait thread and people here get their jollies off being an anti-Microsoft wannabe. :D Tin foil hats at the ready. :)
 
That only works if you have sufficient access to install new restricted boot keys. And it is still an unnecessary hassle for a "feature" of dubious security benefit (really, when was the last time we had to worry about bootsector viruses? This isn't the 80s and we aren't using MS-DOS). The only people who would spend large amounts of resources writing such a sophisticated piece of malware (when simple trojans still work an alarmingly large percentage of the time) would be governments and they'd just have their own key to sign things anyways.

Says the person who clearly has no idea how to remove infections or what is out there in the wild. :rolleyes:
 
Well good news! You aren't right!


Secure boot STILL isn't mandatory. It is entirely up to the OEM.


Root kits are still a major threat and the primary reason for secure boot. There are plenty of good reasons to want to use secure boot and have it on by default.

Now this person knows what he is talking about. :) Bootsector and rootkit infections are still quite common. However, they do seem to come in surges and then go away for a little while.
 
I promise this isn't meant to be sarcastic or douchey, and forgive my naivete, but I'm honestly curious what's "creepy" about an Android tablet specifically?

The tablet itself isn't creepy alone, but if you start putting the pieces together by having an Android phone and a Gmail account (which you have to create to use the Play Store) and use Google for web searching, it's really easy to build a very complete dataset about someone that includes location data (GPS & coarse tower triangulation), web surfing habits, the sorts of e-mails you send and receive, the photos you take, the people you text and call (how often, what duration, etc) and the YouTube vids you watch. Combine that with the unavoidable Google Ad Services that are used on quite a few sites and it's pretty much impossible not to be very closely monitored at all times by Google. The good news is that they do articulate that fact in their usage agreements and are very open, but lots of people have records stored in Google's data farms since 2006 or even earlier and it's a bit scary that there's so much of a window into a person's thoughts that can be deduced when all that information is combined and analyzed. It just seems like a good idea to kinda spread around your computing and block whatever you can to at least make it a little more difficult to get heavily tracked.
 
I've always wanted a CMOS option to automatically go to the boot menu after the POST so I can select what drive to boot from. This would eliminate the need for a multiple OS bootloader and things like this wouldn't be an issue in the first place.

The option is present on most motherboards to select a boot drive after POST.
You need to press a key during POST for it to work, this varies depending on your motherboard.

I've dual booted between many OSes for years like this, by far the best way of dual booting.
Install each OS as a standalone drive, ie remove all other drives during install to be sure they are independent.
I hit F12 during POST (Gigabyte P67a mobo) and get a list of hard drives.
Whichever boots uses its own bootloader, there is no dependence on another drive.
So if one OS tanks or a hard drive has a problem, everything else still works without issue.
 
A lot of the responses in this thread are the reason why we can't have nice things.
 
A lot of the responses in this thread are because we should have nice things but are denied!
 
Well good news! You aren't right!


Secure boot STILL isn't mandatory. It is entirely up to the OEM.


Root kits are still a major threat and the primary reason for secure boot. There are plenty of good reasons to want to use secure boot and have it on by default.

You don't need to modify the bootloader to install a rootkit. Restricted boot will do nothing in that regard. Anyone that cares about security wouldn't be using a flim-flam operation like PKI anyways since the weaknesses of such a system are well documented (mainly the fact that no CA can be trusted).

Restricted boot is designed solely to increase control and to limit a user's freedoms on the device that they paid for. Selling something as a PC and then restricting what it can boot via artificial means is fraud.
 
You don't need to modify the bootloader to install a rootkit. Restricted boot will do nothing in that regard. Anyone that cares about security wouldn't be using a flim-flam operation like PKI anyways since the weaknesses of such a system are well documented (mainly the fact that no CA can be trusted).

Restricted boot is designed solely to increase control and to limit a user's freedoms on the device that they paid for. Selling something as a PC and then restricting what it can boot via artificial means is fraud.

Stahp making sense. They demand it
 
You don't need to modify the bootloader to install a rootkit. Restricted boot will do nothing in that regard. Anyone that cares about security wouldn't be using a flim-flam operation like PKI anyways since the weaknesses of such a system are well documented (mainly the fact that no CA can be trusted).

Restricted boot is designed solely to increase control and to limit a user's freedoms on the device that they paid for. Selling something as a PC and then restricting what it can boot via artificial means is fraud.

Correct. Secure boot protects very little given the numerous ways a computer can be hacked. I also remember all of the people swearing up and down how easy it would be to turn off the feature. The moment we started receiving Dell computers I knew right away what Secure Boot was really for.... to limit alternative installation. Feel free to try and get to the BIOS on a OEM machine. I doubt it very seriously you will get in on the first try.
 
What part of "secure boot does not restrict the installation of Linux" are you guys having trouble understanding?

For the fourth time, the most popular Linux distros all work with secure boot. Secure boot compatibility can be easily integrated into any Linux distro, even for kernels you compile yourself. It has been this way since 2012.

The assertion that secure boot restricts the installation of Linux is completely baseless.
 
What part of "secure boot does not restrict the installation of Linux" are you guys having trouble understanding?

For the fourth time, the most popular Linux distros all work with secure boot. Secure boot compatibility can be easily integrated into any Linux distro, even for kernels you compile yourself. It has been this way since 2012.

The assertion that secure boot restricts the installation of Linux is completely baseless.

First off, they don't ALL work with Secure Boot. Fedora, openSUSE, Red Hat, and Ubuntu do, and even then that's only recently, as in late 2014. Debian does not. Coreboot, yes. Secure Boot, last time I checked, wasn't working on it without workarounds. Second, Secure Boot on OEM (in particular Dell) machines prevents loading any different OS unless hybrid mode is selected. The last time I checked, a Dell will NOT load anything off of a USB stick unless it's set to hybrid mode if it's running Windows 8. Booting from a USB stick is otherwise ignored.

Also this notion that it's easy to implement is also ... well crap.
 
No one's saying all Linux distros are compatible with secure boot out of the box. We're pointing out that the most popular ones are, and that a user can integrate compatibility into any distro they want to, even roll your own kernels.

Again, all Linux distros can be made to run on OEM secure boot machines. This ability has existed since 2012, and it's not complicated. The idea that this is somehow too technical for Linux users to do themselves is...well crap. If the developers of certain distros refuse to implement it due to their politics, then that's their problem.

Give it up guys. The assertion that secure boot is an anti-competitive conspiracy to prevent Linux from being installed on Windows OEM machines has been unarguably proven wrong. If the real purpose of secure boot is not security, but in fact a nefarious plot to restrict Linux, how does that theory pass logical muster when secure boot does not prevent Linux from being installed?

The complaint that a Dell laptop user needs to change an option in their UEFI in order to boot from a USB stick is irrelevant. That has nothing to do with the position that MS is somehow "locking" out Linux.
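Several posts above argue over whether a self-built kernel or bootloader "works with secure boot". What the firmware actually checks is an Authenticode signature embedded in the PE/COFF image, verified against db (or shim's MOK list) and rejected if listed in dbx. The script below is an added example written for this page, not code from any participant or distribution: it locates that certificate table in an EFI image and extracts the raw PKCS#7 blobs, which is the first thing to check when a freshly built kernel or GRUB refuses to boot. Header offsets follow the PE/COFF specification; the image produced by build_pe32plus() is a constructed stand-in for testing, not a bootable binary, and the sample signature bytes are likewise made up.

```python
"""Added example: find the Authenticode certificate table in a PE/COFF EFI image."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data-directory slot of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # bCertificate holds a PKCS#7 SignedData blob
WIN_CERT_REVISION_2_0 = 0x0200


def certificate_table(image):
    """Return (file_offset, size) of the Attribute Certificate Table, or (0, 0) if none.
    Unlike the other directories this entry holds a file offset, not an RVA."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20                              # skip the 20-byte COFF file header
    magic, = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                                   # PE32
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                                 # PE32+ (x86_64 UEFI images)
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs, = struct.unpack_from("<I", image, n_dirs_off)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    return struct.unpack_from("<II", image, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def embedded_signatures(image):
    """Raw PKCS#7 blobs from the certificate table; an image may carry several
    (e.g. signed by a distro key and by a vendor key). Empty list means unsigned."""
    off, size = certificate_table(image)
    end = off + size
    if end > len(image):
        raise ValueError("certificate table extends past end of file")
    blobs = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, off)  # WIN_CERTIFICATE
        if length < 8 or off + length > end:
            raise ValueError(f"malformed WIN_CERTIFICATE at offset {off}")
        if revision == WIN_CERT_REVISION_2_0 and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(image[off + 8:off + length])
        off += (length + 7) & ~7                         # entries are 8-byte aligned
    return blobs


def build_pe32plus(signature=None):
    """Constructed minimal PE32+ image (no sections, not bootable), optionally
    carrying one Authenticode-style certificate entry at the end of the file."""
    OPT_SIZE = 112 + 16 * 8                              # PE32+ optional header, 16 directories
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew: PE header right after DOS stub
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, OPT_SIZE, 0x0022)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    headers_len = 64 + 4 + 20 + OPT_SIZE
    cert = b""
    if signature is not None:
        entry = struct.pack("<IHH", 8 + len(signature), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        cert = entry + b"\0" * (-len(entry) % 8)
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


# Constructed placeholder for a PKCS#7 SignedData blob; not a real signature.
SAMPLE_SIGNATURE = b"\x30\x82\x01\x00" + b"\xa5" * 13


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        blobs = embedded_signatures(open(path, "rb").read())
        print(f"{path}: {len(blobs)} embedded signature(s), "
              f"{sum(len(b) for b in blobs)} bytes of PKCS#7")
```

A non-empty result only tells you a signature is present; whether the firmware accepts it depends on the signer's certificate being in db or MOK, the image hash not being in dbx, and the signature actually verifying over the image (the certificate table itself and the checksum field are excluded from the hashed region). For the full check use sbverify from sbsigntools against the certificate you enrolled; if that passes and the firmware still refuses the image, look at dbx and at the OEM's boot options before blaming the signing step.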
 
What part of "secure boot does not restrict the installation of Linux" are you guys having trouble understanding?

For the fourth time, the most popular Linux distros all work with secure boot. Secure boot compatibility can be easily integrated into any Linux distro, even for kernels you compile yourself. It has been this way since 2012.

The assertion that secure boot restricts the installation of Linux is completely baseless.

And the only way they work with restricted boot is by forking over a $99 extortion fee to Microsoft's PKI racket.

Creating your own keys is prohibitively difficult and time consuming especially when you can't get the OEMs to include them in their systems and you are assuming that the OEMs even continue to allow people to install custom keys which I have every reason, given what I've seen on tablets and phones to believe they won't.
 
And the only way they work with restricted boot is by forking over a $99 extortion fee to Microsoft's PKI racket.
Could you explain this racket please? How does the fee that the Linux Foundation paid to Verisign equal extortion by MS? They paid Verisign for a key, which they then used on thousands if not millions of machines. Presumably, once Red Hat, Canonical and the Suse people developed their own secure boot implementation, they also paid the fee to Verisign.

Seems like a pretty ineffective method of extortion, no? MS spends millions on research and software development in order to collect $396 for...Verisign?

Are you saying that once Verisign collects its fee, it then gives that money to MS? Please, describe in detail how a company that posted a $22 billion net income last year colluded with Verisign to extort the Linux Foundation and the makers of Fedora, Ubuntu and Suse of a couple hundred bucks. And why the hell they would do that in the first place.
 
No one's saying all Linux distros are compatible with secure boot out of the box. We're pointing out that the most popular ones are, and that a user can integrate compatibility into any distro they want to, even roll your own kernels.
Um, Debian serves as a basis for many distros. It's pretty damn popular. Rolling your own kernel?...LMAO. You act like there is some button people can click on and bingo bango a full certificate-signed kernel appears out of nowhere along with a DE. You keep saying it's this easy process but I don't think you've ever actually tried it yourself. If you had you wouldn't say it was so easy.

Again, all Linux distros can be made to run on OEM secure boot machines. This ability has existed since 2012, and it's not complicated. The idea that this is somehow too technical for Linux users to do themselves is...well crap. If the developers of certain distros refuse to implement it due to their politics, then that's their problem.
There's nothing crap about that. Feel free to find someone here that's going to say rolling your own kernel is an easy process. It's not. I've done it and it took many tries to get it done correctly. Your assertion also doesn't address the fact that the difficulty may not be too great for Linux diehards but in no way is it doable by the average joe, and considering the Linux community didn't come up with this stupid idea I find it bizarre that they are responsible for jumping through hoops to comply but Microsoft somehow isn't.



Give it up guys. The assertion that secure boot is an anti-competitive conspiracy to prevent Linux from being installed on Windows OEM machines has been unarguably proven wrong. If the real purpose of secure boot is not security, but in fact a nefarious plot to restrict Linux, how does that theory pass logical muster when secure boot does not prevent Linux from being installed?

The complaint that a Dell laptop user needs to change an option in their UEFI in order to boot from a USB stick is irrelevant. That has nothing to do with the position that MS is somehow "locking" out Linux.

There's nothing here to give up. The people who use Linux and that have actually tried to install it on a SecureBoot machine will testify that it isn't as easy as you are making it out to be. The Dell example is very relevant because it's SecureBoot and Windows 8 together that makes getting into the BIOS so bizarre and difficult.
 