UEFI Secure Boot Pre-Bootloader Rewritten To Boot All Linux Versions
hypnosec writes "The Linux Foundation's UEFI secure boot pre-bootloader is still in the works, and has been modified substantially so that it allows any Linux version to boot through UEFI secure boot. The reason for modifying the pre-bootloader was that the current version of the loader wouldn't work with Gummiboot, which was designed to boot kernels using BootServices->LoadImage(). Further, the original pre-bootloader had been written using 'PE/Coff link loading to defeat the secure boot checks.' As it stands, anything run by the original pre-bootloader must also be link-loaded to defeat secure boot, and Gummiboot, which is not a link-loader, didn't work in this scenario. This is the reason a re-write of the pre-bootloader was required and now it supports booting of all versions of Linux." Also in UEFI news: Linus Torvalds announced today that the flaw which was bricking some Samsung laptops if booted into Linux has been dealt with.
Microsoft controls computer booting (Score:5, Insightful)
The redesigned bootloader has already been submitted to Microsoft for singing and once the signed version is received, The Linux Foundation is planning to provide it for free.
Why in hell did the world give Microsoft control over computer bootup hardware?
That's just insane.
Re:Microsoft controls computer booting (Score:5, Insightful)
The alternative is to try and get every motherboard manufacturer to accept a singing key from them. Having Microsoft sign it means they don't have to deal with that headache.
Re:Microsoft controls computer booting (Score:5, Funny)
I love the idea of singing motherboards :-) it would be much better than this stupid idea that is being forced on us in order to make more money for M$...
Re:Microsoft controls computer booting (Score:5, Funny)
It'd be loads more fun to troubleshoot as well.
fur elise - bad ram check
oh fortuna - check video card
etc etc.
Much easier than beep codes and instills a bit of culture too.
Re:Microsoft controls computer booting (Score:5, Funny)
Reminds me of the old days when a linux kernel compile would take 6 hours and we were trying some modifications for VIA hardware which required hundreds of tries with minor changes in the driver codes - so we would start the compile with a script to play two different types of music on Error or Success, and then go to sleep.
If in the middle of the night it was dire straits then we would get up and debug/fix the errors and start a compile again; if it was some soothing instrumental we would continue sleeping knowing that it's compiled.
Re:Microsoft controls computer booting (Score:5, Funny)
Standard boot message:
"Is this the real life?
Is this just fantasy?
Caught in a landslide
No escape from reality..."
Oh so many lines from that song would make great kernel error messages.
Re:Microsoft controls computer booting (Score:4, Funny)
spill some coffee on the motherboard and it's:
thunderbolts and lightning,
very very frightening...
Re: (Score:2)
Galileo, Galileo,
Galileo Galileo
Galileo figaro-Magnifico!
Sorry to post that, but you put it in my head. Now it's stuck there
Thunderbolt? Lightning? (Score:2)
So Apple does UEFI, too?
Re: (Score:2)
these days, it's usually the dc/dc converters that cause motherboards to sing. coils, specifically.
(I'm serious, actually).
a mini-itx intel mobo that I use for music playback (fanless) sings pretty loudly. a real sick joke, that is.
Re: (Score:2)
I prefer talking motherboards. I remember I had my DFI P2XBL motherboard (Revision A; 440BX) with my Pentium 2 CPU. I remember my mobo. didn't boot up and told me "CPU error". :O
Re: (Score:3)
the classic was always "keyboard not found: hit any key to continue."
Re: (Score:2)
I have never heard that one before from the talking mobos.
Re: (Score:2)
You wouldn't love the idea of singing motherboards if you had the night to learn the BIOS beep codes for the 10 year old mail server (without backup). It would make a great alarm clock!
Alternatives (Score:5, Insightful)
Well, actually, another alternative is for motherboard manufacturers to continue to make motherboards that boot the same way as they have for some time. So older, fully functional operating systems can continue to boot.
Of course, this would allow us to continue to use those fully functional OSs, and remove a goodly portion of the incentive to upgrade... so one might, if one were cynical, imagine that there is a corporate motive at work here.
Re: (Score:2)
What the hell difference does it make, then, if the user can disable it? So somebody could e.g. modify GRUB to default to when booting Windows pass some sort of --secure-boot-on flag, and --secure-boot-off for everything else, right? In which case the only thing we gain from it is Windows patting itself on the back that it's "secure"...until somebody figures out how to hack it in about 6 months...
Re:Alternatives (Score:4, Informative)
Not implementing UEFI means the mobos can't be used in a production environment where they can receive the coveted "Windows 8 Ready" approval for millions of customers in the coming years. Continuing with the older BIOS system means they can easily boot alternative OSes for a few thousand enthusiast customers (who can in fact use UEFI anyway) but they lose the much bigger market. Decisions decisions...
Mobos are megacheap for what they do because of the numbers of each model that are built; a custom mobo with classic BIOS to specifically support Linux or other open OSes would cost hundreds of bucks per unit produced in limited quantities. At that point a cost-benefit analysis says "pay the damn Microsoft tax already!"
Re:Alternatives (Score:5, Interesting)
Mobos are megacheap for what they do because of the numbers of each model that are built; a custom mobo with classic BIOS to specifically support Linux or other open OSes would cost hundreds of bucks per unit produced in limited quantities. At that point a cost-benefit analysis says "pay the damn Microsoft tax already!"
While in practice the pragmatics of the situation are that you are right, in principle I believe that we should be talking to the anti-trust authorities - both sides of the Atlantic - because this is very clear abuse of monopoly. Unless, of course, Microsoft irrevocably commits to authorise any version of any competing operating system for free, in which case the whole point of secure boot has just vanished.
Re: (Score:2)
While in practice the pragmatics of the situation are that you are right, in principle I believe that we should be talking to the anti-trust authorities - both sides of the Atlantic - because this is very clear abuse of monopoly. Unless, of course, Microsoft irrevocably commits to authorise any version of any competing operating system for free, in which case the whole point of secure boot has just vanished.
UEFI and Secure Boot are not backed by Microsoft alone.
The Unified EFI Forum or UEFI Forum (where UEFI stands for Unified Extensible Firmware Interface) is an alliance between several leading technology companies to modernize the booting process. The board of directors includes representatives from eleven "Promoter" companies: AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde Software, Intel, Lenovo, Microsoft, and Phoenix Technologies.
Unified EFI Forum [wikipedia.org]
Secure Boot was introduced in v. 2.2 of the UEFI spec, ca. 2008-2009.
The geek feels ambushed and pole-axed by a technology that has been in development for over five years. But if he had been paying attention he would have known this was coming. Unified Extensible Firmware Interface [wikipedia.org]
''Secure boot'' is a technology described by recent revisions of the UEFI specification; it offers the prospect of a hardware-verified, malware-free operating system bootstrap process that can improve the security of many system deployments. Linux and other open operating systems will be able to take advantage of secure boot if it is implemented properly in the hardware.
Making UEFI Secure Boot Work With Open Platforms [linuxfoundation.org]
Re:Microsoft controls computer booting (Score:4, Insightful)
The alternative is to try and get every motherboard manufacturer to accept a singing key from them. Having Microsoft sign it means they don't have to deal with that headache.
Or to not use secureboot motherboards or just turn secureboot off and continue on as we do now, hell if you really wanted to use windows 8 you still could, it doesn't need secureboot either, it doesn't even need UEFI.
Re: (Score:3)
We're at step 2 already and step 3 is inevitable. That means we've already lost.
Re: (Score:3)
if ARM and x86 becomes a no-go, I suppose there's always a cluster of arduinos and the eventual port of linux to them.
(yes, I'm kidding. I'm pretty sure I'm kidding..)
Re: (Score:2)
We're at step 2 already and step 3 is inevitable. That means we've already lost.
Your conspiracy theory ignores the fact that the ARM market is completely dominated by iOS and Android, I guess I missed the memo that WindowsRT is just flying off the shelves? Also that Intel and AMD would just let x86 fold into obsolescence is another ridiculous assertion. Surely you don't actually believe that companies like Samsung would abandon all the products that have made them the most prominent mobile device maker to appease Microsoft.
Re: Microsoft controls computer booting (Score:2)
Uh, no... Merely getting the top 20 motherboard manufacturers to do that would do just fine...
In fact after 4 or 5 include the keys, the rest will be scrambling over each other to "let their computers run Linux"
Signatures can be revoked. Is it more difficult (or attractive) for 20 manufacturers to revoke keys, or for Microsoft to?
Re: (Score:3)
Good luck with that. Asus (largest motherboard maker) isn't very Linux friendly. They sometimes use semi-custom chips for peripheral functions (USB 3.0, temperature monitoring, etc.) and won't release specs to the FOSS community. The FOSS drivers do catch up eventually, but it means using a recent Asus motherboard is often a crapshoot with regards to Linux driver support. If this is how they deal with device drivers, I can't imagine them being particularly receptive to any requests to include Linux boot key
Re:Microsoft controls computer booting (Score:5, Interesting)
Why not allow the owner of the motherboard to sign their own code? This could be done at OS install, then if any malware modifies the code, it won't boot.
Giving control to the manufacturer just sounds wrong.
Re:Microsoft controls computer booting (Score:5, Insightful)
I am curious - with a huge SSL signing and authorities infrastructure in place, why did no one ever think to use it? That's probably horribly broken in many other ways, but at least it will only take one solution to solve both problems, when someone manages to fix SSL.
Re:Microsoft controls computer booting (Score:4, Interesting)
I think you mean if someone manages to fix SSL. The huge number of SSL signing authorities is its biggest weakness IMHO.
Re:Microsoft controls computer booting (Score:5, Insightful)
Because Microsoft demanded OEMs give it that control, or else lose their access to dirt-cheap OEM windows licenses. As it is impossible to sell a computer without Windows outside of a very small niche - most users don't even know what an OS is - that gives Microsoft such bargaining power that when they demand, OEMs have no choice but to comply.
Re: (Score:2)
But it also cuts down on phone support for boot sector viruses,
Such as?
It's not a common vector any more.
dirt-cheap OEM windows licenses (Score:2)
Re:Microsoft controls computer booting (Score:5, Insightful)
Why in hell did the world give Microsoft control over computer bootup hardware?
Because our government leaders voted that the risk of allowing corporations to inhibit competition was less threatening than the risk of allowing the government to regulate such behavior. It reflects the laissez-faire notion that corrupt elected officials are more dangerous than corrupt corporate executives. Though, in practice, our lax policy regarding such anti-free-market behavior is the result of corrupt corporate executives financing corrupt elected officials.
Re: (Score:2)
But you don't have to do business with non-government corporations. (It's not like you are forced to buy health care.)
You have left me puzzled. You mention health care - are you saying that you can choose to die untreated? Or are you saying that doing business with non-gov organisations is dissimilar to being obliged to doing [forced by bad health] business with a health company? Further confusing is the difference between health care in USA and elsewhere in the world, where it is often free.
Actual
Re: (Score:2, Informative)
Because the alternative is to sign with your own key and enter that into the UEFI firmware. Which you can do. The complaint from some parties is that users are too stupid to do so, so bootloaders 'must' be signed with an existing key.
Re: (Score:2)
How would entering a bootloader key into a UEFI input box be more complicated than typing a product key into an installer input box, which apparently users managed to do for quite some time?
Re: (Score:2)
How would entering a bootloader key into a UEFI input box be more complicated than typing a product key into an installer input box, which apparently users managed to do for quite some time?
Not necessarily more complicated, but a serious psychological barrier. Because when installing an app with a product key the user is not overriding, or conscious of overriding, a "safety feature". But entering a bootloader key will have the nature of overriding a safety feature, which will deter casual users from trying out Linux and possibly liking it. Microsoft hate it when that happens.
Of course, most Windows users never install an OS, Windows being pre-installed. To do things at UEFI level will
Re: (Score:2)
Users who don't install an operating system also won't need to add a key to the firmware.
Re:Microsoft controls computer booting (Score:5, Interesting)
I actually sent a very long and detailed letter to the DOJ about this and how it constitutes a violation of the Sherman Act. Not Five (5) minutes after sending I received a generic reply about how Microsoft was not in violation of anything.
With all the E-Mail these people receive and the sheer size of my Letter, there is no way in hell the DOJ read my Letter that fast. What they did was see the word 'Microsoft' and instantly reject it.
Next week my lawyer is cutting me a deal to rewrite my letter and send it by other means to the right people, we'll see what happens then. Of course I have no money to fight anybody in court, but at least I am trying to get a response that isn't generic.
Re:Microsoft controls computer booting (Score:5, Interesting)
That could potentially be an article of its own. Hope you post it everywhere :)
Seconded. Drop it on Reddit (Score:2)
Ok, I can type more than that for my comment.
Re: (Score:2)
My guess would be that the DOJ has already thoroughly investigated secure boot, and hence they didn't really need to read your arguments in detail in order to determine where you are wrong. It wouldn't take more than a few seconds to scan your email and see that you were complaining about Microsoft and secure boot and throw it away.
Re:Microsoft controls computer booting (Score:4, Insightful)
If he was wrong, it would be nice if they could respond to each point he raised and tell him why he was wrong. Getting a reply which says "trust us, don't worry about it" is always going to be unsatisfying.
Re: (Score:2, Insightful)
If he wants to find out why he is wrong, perhaps he should be consulting with a lawyer. No offense, but I don't want to pay for a DOJ that staffs an extra 2,000 people just so that they can read every piece of email that comes in, and respond back with a detailed analysis of all the legal mistakes made.
They are doing exactly what they should be doing. They group up emails that pertains to specific subjects then determine which ones they need to look into based on the number of people affected, the serious
Re: (Score:3)
No offense, but I don't want to pay for a DOJ that staffs an extra 2,000 people just so that they can read every piece of email that comes in, and respond back with a detailed analysis of all the legal mistakes made.
If they've already done the investigation, they should include the findings in the automated boilerplate response to any question about secure boot. No additional staff needed.
Re: (Score:2)
If they've already done the investigation, they should include the findings
That is what they did.
I received a generic reply about how Microsoft was not in violation of anything.
They didn't say they weren't interested in reviewing the situation. They said they did review it and found they were not in violation of any current laws. Other than going into each law (or supposed law) the writer mentioned and demonstrating why it wasn't an actual breach, I don't see how this could get any clearer. If writer really wanted to know the ins and outs and have a discussion about it point for point, he should seek legal counsel. He doesn't seem to be interested in that,
Re:Microsoft controls computer booting (Score:5, Insightful)
I'd prefer they waste their money on that, than use it to prosecute hackers who copy science papers. The money, once in the budget, will be spent regardless. If it _won't_ be spent on serving the public, it _will_ get spent on selfish career making schemes.
Re: (Score:2)
If he wants to find out why he is wrong, perhaps he should be consulting with a lawyer. No offense, but I don't want to pay for a DOJ that staffs an extra 2,000 people just so that they can read every piece of email that comes in, and respond back with a detailed analysis of all the legal mistakes made.
Presumably, it is the DoJ's job to look into this sort of matter. If they have done so (i.e., tasked some of their staff or a lawyer to examine the case), presumably a report contains the findings. If I were to write to them with a serious query, I'd expect at least to be pointed in the direction of their findings.
They are a government organisation and a public service, so their findings should reasonably be considered public (redacted if necessary, although I can't see why that would be in this case).
I am in
Re: (Score:2)
We (citizens of the US) don't vote for those in the department of justice (DoJ), and they don't have a customer support office, nor should they. He might have a better chance writing his state representative. They typically have a larger staff, they are supposed to be a representative of their citizens, are voted into office, and as they are technically part of the legislative branch of government, are supposed to oversee the judicial branch that the DoJ is in. Which coincidentally is in the US is about
Re: (Score:2)
Totally in agreement with your premise... until "the govt would seize to a halt" ... at which point I realized *that's* what I really want.
Now, before you go and start talking about all the things that I need government for, let's narrow it down to the United States federal government. Please list for me anything that I need the federal government for that the state governments could not provide in its absence.
Re: (Score:2)
Defense, FDA, FCC, NIH, FBI, CIA, Social Security, NSTA, OSHA, FAA, etc. Care to duplicate that in the 50 states?
Re: (Score:2)
Yes. Very much yes. Crashes are bad, and chaos is bad, but careful and slow planned transitions of each of these sounds appealing to me.
Defense: Yes. Obviously not instantly and not without a good bit of state cooperation, but yeah, in my utopia the US military would be comprised of 51 cooperating militias. I can see the point of a single federal military, but the UN and Europe have examples of how cooperating militaries can be both effective and have a limiting factor on overreaching military engagements. G
Re: (Score:2)
My guess would be that the DOJ has already thoroughly investigated secure boot
ROTFL.
Re: (Score:2)
I actually sent a very long and detailed letter to the DOJ about this and how it constitutes a violation of the Sherman Act. Not Five (5) minutes after sending I received a generic reply about how Microsoft was not in violation of anything.
With all the E-Mail these people receive and the sheer size of my Letter, there is no way in hell the DOJ read my Letter that fast. What they did was see the word 'Microsoft' and instantly reject it.
Next week my lawyer is cutting me a deal to rewrite my letter and send it by other means to the right people, we'll see what happens then. Of course I have no money to fight anybody in court, but at least I am trying to get a response that isn't generic.
Microsoft is proprietary and not generic.
Re:Microsoft controls computer booting (Score:4, Interesting)
Microsoft is in bed with the US government at high levels so I don't think your letter will go anywhere.
This is significant. What is the difference between having your computer pwned by some kind of boot-time virus that feeds your info to criminals, to having your computer pwned by some kind of government official who is also a criminal?
There is no other way to look at this situation than to accept that it is an abrogation of a basic freedom - to run whatever the hell we want on hardware we paid for
Re: (Score:2)
Microsoft is in bed with the US government at high levels so I don't think your letter will go anywhere.
This is significant. What is the difference between having your computer pwned by some kind of boot-time virus that feeds your info to criminals, to having your computer pwned by some kind of government official who is also a criminal?
There is no other way to look at this situation than to accept that it is an abrogation of a basic freedom - to run whatever the hell we want on hardware we paid for
Your heart is in the right place, but I think you are missing an important piece of the big picture. You do not have any basic freedoms -- you have only those freedoms that the law allows you to have, along with the ones you choose to exercise in defiance of the law. Your freedoms change as the law changes, so the idea of a "basic" freedom is a bit of what Gilbert Ryle called a category mistake -- it's a non-starter if you are trying to premise an argument with it. That is reality. You certainly can
Re: (Score:3, Interesting)
Why in hell did the world give Microsoft control over computer bootup hardware?
The world didn't. Microsoft, along with a handful of major hardware vendors did. This is what monopolies do.
Why don't you list the rest? (Score:2)
Everyone keeps mentioning Microsoft like they thought up this whole UEFI thing. Well guess who else is also a "promoter" company.
AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde Software, Intel, Lenovo, Microsoft, and Phoenix Technologies.
Re: (Score:2)
All of them. Apple isn't using it yet but I'm sure it's inevitable.
Re: (Score:2)
Because collectively we're a bunch of dumb bastards, that's why.
But the good news is that this new multi-bootloader is effectively a crack for UEFI secure boot. Virus writers could use it for boot sector viruses, putting the situation right back where it stood before, but with more complexity...which is probably the best we could hope for at this point. Boot sector viruses were an extreme rarity before, and I don't see them being any more common now that most Windows users aren't running with admin privileg
Re: (Score:2)
Last I checked, this bootloader prompts before booting anything, i.e. it would be blatantly obvious if you used it.
Re: (Score:2)
If this bootloader is used for viruses then Microsoft will blacklist it and you won't be able to use it. The next bootloader will then need to be more secure until we have no more boot sector viruses.
I don't think you actually understand the problem. How do you differentiate between a boot sector virus and a custom built Linux system booting off a signed grub loader? How do you differentiate between a legitimate LFS installation and a rooted LFS installation? How do you know the user doesn't WANT the rooted LFS installation, maybe they are doing very advanced hardware work and are using the equivalent of a rootkit to do it?
Re: (Score:3)
The redesigned bootloader has already been submitted to Microsoft for singing and once the signed version is received, The Linux Foundation is planning to provide it for free.
Why in hell did the world give Microsoft control over computer bootup hardware?
That's just insane.
The idea was suggested 16 years ago, you have Stallman to blame.
Dan would eventually find out about the free kernels, even entire free operating systems, that had existed around the turn of the century. But not only were they illegal, like debuggers—you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that. [gnu.org]
Re: (Score:2)
In return, the world got some marketing incentives for shipping Windows 8 on their computers.
That's just... wow.
It does not work yet... (Score:2)
... no story here, move along.
re: samsung (Score:2)
Who would have thought that just randomly poking memory of a laptop would brick it. Long ago Samsung told me that it was just fine to be doing this, and that there would not be any problems (I based the samsung-laptop driver on code that Samsung themselves gave me.)
Hmm... so the firmware is so retarded that bad values in RAM can permanently break the hardware?
That sounds safe. Hope that thing comes with ECC RAM!
Samsung UEFI (Score:2, Interesting)
So ... does this mean Windows installs are just as vulnerable to a malicious piece of code poking bits to the wrong memory addresses and bricking the laptop? since it's a UEFI problem, it should be OS-agnostic.
Re: (Score:2)
Yes, but Windows requires signed drivers.
Samsung's response? (Score:4, Interesting)
Has anybody seen confirmation that Samsung will be repairing affected users' machines under warranty? Definitely a design fault, it should be impossible for software to brick hardware.
No... (Score:2)
Re: (Score:2)
One way to do this is have a pre-boot manager that has its own PROM and flash, and when an OS boots, it sets a hardware flag that makes it own PROM and flash unwritable (or even unaddressable) until the whole hardware is reset (which always runs that PROM). An alternative is to have a separate small CPU with that PROM and flash, to run the controller and thus is fully isolated from the main CPU. In this alternative, the small control processor could still be running even when the OS is running on the main
Samsung didn't follow the standard. Linux did. (Score:5, Interesting)
More specifically, Samsung tried to implement version 2 of the standard and advertised it as version 2, but accidentally left in code which required version 1 behavior. Additionally, if an OS implemented version 2, when Samsung's firmware got confused, it didn't throw the proper error message, but instead returned its own address to be overwritten. So at least two failures on Samsung's part. Linux simply followed the standard as written.
Nothing Has Been Fixed With Samsung Laptops (Score:5, Informative)
More reasons to disable/remove it. (Score:2)
While there might be a good use for something like SecureBoot, answering to a manufacturer (whether it be Microsoft or anyone else) only makes avoidance or removal the only good decisions.
Same thing goes with TCPA/TCG equipment.
Re:Isn't this, "also Linux works round Samsung bug (Score:5, Informative)
The implementation in Samsung's UEFI shows some weird behavior. Error code EFI_INVALID_PARAMETER should only be returned, if one of the given pointers to variables is NULL and pointing to an invalid memory section. Samsung's implementation also throws this error, if the given memory blocksize is not exactly 128 bytes, so for example (like the Linux-efivars module does) 1024 bytes. The Linux module does not expect the strange error code (it checks for NULL pointers itself) and does not report any UEFI variables, no boot entries, no nothing. The installer accepts that and installs the Linux boot entry into the first slot, where actually the boot entry for the setup is located - overwriting that entry! Setup is dead since Linux took its boot entry.
It does look like the Samsung implementation is doing weird things and Linux is doing weird things in return because it is expecting it to follow standards...
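The failure chain described in the comment above, modelled as an added example (not code from the Linux kernel, any installer, or Samsung's firmware): a caller that treats every enumeration error as "end of list" sees an empty variable store and reuses the first boot slot, while a caller that accepts only a not-found status as the end refuses to write. The status enum, function names and the three-entry variable store are constructed; the 128-byte quirk and the 1024-byte caller buffer come from the comment.

```c
#include <stdio.h>
#include <string.h>

/* Simplified status codes named after their UEFI counterparts (values constructed). */
enum status { ST_SUCCESS, ST_NOT_FOUND, ST_BUFFER_TOO_SMALL, ST_INVALID_PARAMETER };

#define MAX_SLOTS 8
#define CALLER_BUF 1024   /* buffer size the comment attributes to the Linux efivars module */
#define QUIRK_SIZE 128    /* only size the quirky firmware in the comment accepts */

/* Constructed variable store: Boot0000 stands in for the firmware setup entry. */
static const char *const STORE[] = { "Boot0000", "Boot0001", "Timeout" };
#define STORE_LEN (sizeof STORE / sizeof STORE[0])

typedef enum status (*get_next_fn)(size_t buf_size, size_t *cursor, char *name);

/* Model of a conforming enumerator: any large-enough buffer is accepted. */
static enum status fw_conformant(size_t buf_size, size_t *cursor, char *name)
{
    if (cursor == NULL || name == NULL)
        return ST_INVALID_PARAMETER;
    if (*cursor >= STORE_LEN)
        return ST_NOT_FOUND;                 /* normal end of enumeration */
    if (strlen(STORE[*cursor]) + 1 > buf_size)
        return ST_BUFFER_TOO_SMALL;
    strcpy(name, STORE[*cursor]);
    (*cursor)++;
    return ST_SUCCESS;
}

/* Model of the quirk: rejects every buffer size except exactly 128 bytes. */
static enum status fw_quirky(size_t buf_size, size_t *cursor, char *name)
{
    if (buf_size != QUIRK_SIZE)
        return ST_INVALID_PARAMETER;
    return fw_conformant(buf_size, cursor, name);
}

struct scan {
    int complete;            /* 0 when enumeration stopped on an unexpected error */
    int used[MAX_SLOTS];     /* used[n] != 0 when BootNNNN already exists */
};

/* strict == 0: any non-success status ends the list (the behaviour the comment describes).
 * strict != 0: only ST_NOT_FOUND ends the list; anything else marks the scan incomplete. */
static struct scan scan_vars(get_next_fn fw, size_t buf_size, int strict)
{
    struct scan s = { 1, {0} };
    char name[CALLER_BUF];
    size_t cursor = 0;
    unsigned slot;
    enum status st;

    while ((st = fw(buf_size, &cursor, name)) == ST_SUCCESS) {
        if (strlen(name) == 8 && sscanf(name, "Boot%4x", &slot) == 1 && slot < MAX_SLOTS)
            s.used[slot] = 1;
    }
    if (strict && st != ST_NOT_FOUND)
        s.complete = 0;
    return s;
}

/* Lowest free boot slot, or -1 when the scan cannot be trusted or no slot is free. */
static int pick_boot_slot(const struct scan *s)
{
    if (!s->complete)
        return -1;
    for (int i = 0; i < MAX_SLOTS; i++)
        if (!s->used[i])
            return i;
    return -1;
}

/* Slot an installer would write to under the given firmware model and policy. */
int choose_slot(get_next_fn fw, size_t buf_size, int strict)
{
    struct scan s = scan_vars(fw, buf_size, strict);
    return pick_boot_slot(&s);
}

int main(void)
{
    printf("conformant, lenient: slot %d\n", choose_slot(fw_conformant, CALLER_BUF, 0));
    printf("quirky,     lenient: slot %d (collides with Boot0000)\n",
           choose_slot(fw_quirky, CALLER_BUF, 0));
    printf("quirky,     strict : slot %d (refuses to write)\n",
           choose_slot(fw_quirky, CALLER_BUF, 1));
    return 0;
}
```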
No. (Score:2)
How about BSDs? (Score:2)
Re: (Score:2)
Only if user can set the keys, not MS / NSA.
So secure boot IS a feature which Linux would benefit from, too. Thanks AC.
Re: (Score:2)
On x86, you can -- for now. On ARM, you can't -- at least if it is Windows 8 certified.
Re: (Score:2)
And so ... UEFI and Microsoft must die!
Yeah (Score:2)
It's called "disable" and is written into the UEFI spec. You don't have to run it. This has as much impact as those TPM chips that everyone here claimed would kill Linux back in 2005 or so.
Re:Yeah (Score:4, Informative)
It is not written into the UEFI spec. In fact, the UEFI specification makes no such statements with respect to it being possible to disable secure boot, only how it is supposed to work. That was done deliberately.
The only reason you can even turn off secure boot on hardware now is because Microsoft caught shit for the first pass of their guidelines that left it up to OEMs whether or not users would be able to turn off secure boot. Had they left it like that you can guarantee that Samsung et al. would have locked every laptop and desktop they shipped with Windows 8 and you would never actually own your PC again.
I bet Samsung is more pissed that Microsoft changed it so they had to allow for unlocks than they are at their own developers.
Re: (Score:2)
Care to provide a link to the documentation supporting your claim?
There is the key problem.. (Score:3)
Re: (Score:2)
The key installation process could remain completely in the BIOS. First, the OS verifies the boot image with the installed keys. If that fails, it looks for the key in a standardized location. If no key has yet been installed (which means this is the initial installation boot) it just installs that key. Otherwise, it asks the user for a fingerprint of the key, which for bought OS versions can be entered from the installation instructions (very much like the product key today), and for self-signed bootloader
Re: (Score:2)
A handful of nerds will never even be noticed when hundreds of millions of normal people continue to buy without any knowledge