And even then if they have the option, the entire process is designed to make the user feel as uncomfortable as possible while doing it. Disabling perfectly unrelated features (e.g. fast boot), going through Scary Boot Prompts, etc. are NOT acceptable requirements for booting a non-MS OS.
It's not the first time a vendor disables the MS UEFI CA signature by default (e.g. Microsoft itself has done it on ARM _and_ x86 Surfaces).
For the record, Google has also been doing the same for a lot of time now (Scary Boot Prompts if you try to run Linux on bare metal, but all is fine if you run containerized Linux on top of Google's OS). They don't get a free pass from me, either.
> Disabling perfectly unrelated features (e.g. fast boot), going through Scary Boot Prompts, etc. are NOT acceptable requirements for booting a non-MS OS.
There is Windows fast boot and UEFI fast boot, which are two diffent things. Sometimes vendors support only Windows fast boot, and at least then it is perfectly acceptable to force removal of that option.
Also, for example the purpose of secure boot is to prevent modification and changes on boot options and underlying files, which makes it also to be fine to force disabling, until you set new keys for your new OS.
A regular Ubuntu update on my XPS 13, an officially supported combination, broke my wifi. Since then it has also somehow broke itself in some other fun way such that there are now package conflicts and it's unable to update itself anymore as a result.
And that's ignoring all the general usability issues like the subpar battery life, the dreadfully terrible state of video playback, the touch screen constantly causing gnome to glitch internal state and get confused, etc...
On my Debian desktop I had a webcam completely take out the USB stack. Like all ports just dead, had to yank the power to reboot. I also had a btrfs array just go read-only for seemingly no reason after restoring from standby, and it wouldn't tell me why. After a reboot all was suddenly fine. Also it took an awfully long time to get that machine working after having been powered off for 3 months. If you go too long without updating, it seems all the package migrations just bitrot and break.
But yeah, year of Linux on the desktop. Any day now.
I saw some of those problems with Ubuntu 20.04 on my recent XPS13. I shifted to 20.10 which resolved almost all of them, and once 22.04 came out there are no more issues. Admittedly, I did a fresh install vs an upgrade.
I run dual monitors on docking station with lots of peripherals.
> I honestly do not comprehend why so many folks base things on it.
In this case it's literally the OS offered by Dell for the XPS 13. It's as official an option as you will ever see, so the fact that such a pairing is still a broken disaster is pretty significant.
I could switch to a different distro, and I might. But distro hunting is exhausting. And it itself represents a never ending treadmill of churn. Like right now it seems like Fedora is a good option, and so are things like PopOS or Manjaro. But rewind the clock 5 to 10 years and some of those didn't even exist, or were not nearly as good of choices for "regular consumer usage." Whose to say I'm not just going to be stuck with yet another "oh, that distro used to be good but now it sucks, switch to foobar instead" in another few years? I'm more likely going to just switch it back to Windows if I'm going to get over the "back everything up & reinstall from scratch" hurdle. I at least know with Windows that I won't have to do a reinstall dance on this machine pretty much ever again. Having Linux for the better development options is nice, but with how good VMs are (and with things like WSL), running it bare metal kinda isn't all that necessary.
> Debian 11 was released less than a year ago, in August 2021.
Keep in mind though that it was branched and package versions frozen ~6 months before that.
I like debian and use it on some things, but for a personal computer I always found it frustrating that the software was already half a year out of date on release day. Software getting released today wont be in Debian stable until 2023.
I have no problems with Debian, but I think their release deltas should be cut in half. Firefox is deprecated on Debian, and that is their officially supported browser.
I know that the whole point is stability, I just think that for home desktop users it's not a great experience.
Fully agree and I had similar experiences with framework. I think the majority of folks posting here are not typical users and find it natural to jump in the terminal, edit some setting, restart a service and tinker without realizing the effort involved and that that normal users don't -- can't -- do this.
My family is happily using only Linux since 10 years, I since 15 years ago. But there are a lot of "but", without my support (I'm a sysadmin) they could not, but half of the issues are not Linux only, so they needed support even if they were using Windows. The real question should be "why even non technical users should use Linux?" You should not give a supercar to drive to a novice driver, it could be dangerous for him and for others. Every OS has its use, maybe I'm snob, but if you're not able to manage Linux rough edges use MacOS or Windows, Linux natural environment was and should be datacenter. I won't trade server features, robustness for having a Linux desktop at all cost.
If you think Linux Desktop is in decent shape, your hardware choices must line up with those of your platform maintainers. Good for you -- but your experience will be very far from universal.
Some Ubuntu LTS highlights:
Ubuntu 14: By default, Dell display backlights toggle on/off 30 times a second
Ubuntu 16: By default, BIOS boots broken due to boot files landing in too high of a sector
Ubuntu 18: By default, Solid State boot drives break because /dev/sda was hardcoded
Ubuntu 20: By default, Bluetooth and fans broken. Never fixed. Sleep broken but fixed.
Ubuntu 22: By default, NVidia graphics get 100% screen saturation after install.
"Then don't use Ubuntu"
Ubuntu isn't my daily driver. It isn't even a majority of my installs. I'm using it as a benchmark for conservative linux choices because smaller distros tend to be worse, not better. I know this because I daily drive a less popular distro, and I also distro hop for fun, and these all tend to be worse, not better. Besides, many hardware and software vendors target Ubuntu, and "works on Ubuntu but nowhere else" is a very common problem. Across the board, the Linus Tech Tips linux experience is the rule, not the exception. Many desktop linux users just have selective community-enforced amnesia.
Look, I am super thankful for the maintainers. I have gotten so much more value from them then they have asked in payment, but Linux is nowhere near Windows in the "just works" department. That is to be expected, given the price, but the rhetoric has gotten out of line with reality. Desktop linux still has a lot of rough edges and new rough edges appear at a rate that is not converging to 0.
I've been using Ubuntu since 8.10 as my only OS. A HP nc8430 until 12.04, then a HP ZBook 15 since 14.04. Both laptops came with Windows (XP and 7.)
I had my share of problems but none as bad as the ones you wrote. Currently there are two problems
1. Poweroff is reboot, so I press the shutdown button when the BIOS starts. It has been like that for ages through more than one LTS but I shutdown very few times per year.
2. The fn brightness control keys don't work so I made two hotkeys to run a X11 brightness control program that steps up or down the backlighting by 5 points, 0 to 100. This is probably on NVidia's driver.
Everything else is fine and that's great considering that probably HP never tested these laptops with Ubuntu.
Two nuisances is still better than the alternatives: the very same hardware with Windows or an Apple machine with OSX (I can't stand the UI.)
Don't you need very specific hardware to get Mac OS to work too? I think it is useful when comparing OS environments to make sure you are comparing on the hardware that is optimal for each OS. And you can get Linux optimal hardware from a lot more sources than Mac OS optimal hardware.
The biggest issue is that on the Mac side, it is really easy to get the OS and the optimal hardware together, and know that it "just works". For Linux, we have several small vendors, and a couple larger ones, that have Linux-advertised hardware, but most of the Linux optimal hardware doesn't advertise itself as Linux (Android phones/tablets, Chrome OS, etc).
Same is true for windows, but due to prevalence of windows and the effort of MS (certified for windows program), most hardware tries to make itself work on windows. It also makes sense given that Windows still has 78.5% share in the market.
So, it is not that linux does not work with a lot of consumer hardware. It's that most consumer hardware cannot be bothered to work with linux and invests itself in working with windows.
There is also a factor in-kernel vs out-of-kernel drivers.
Nope. I can understand how you might prefer that I had been writing about workarounds, but I was not writing about workarounds. I was writing about the incorrect and alienating rhetoric coming from the Linux community.
There is such a firmware setting, hence "by default". That doesn't make it acceptable - the default security settings on a general purpose PC should not prevent booting alternative operating systems that don't compromise the security model.
So they are protecting your ordinary everyday users, while still giving any of us who need to boot from a USB stick or another partition the ability to do that with a simple BIOS setting.
It doesn't seem much different from the F12 menu that lets you select an alternate boot device.
How exactly does this mean they "prevent booting alternative operating systems"?
> No "ordinary" user was ever compromised by accidentally installing Linux making his computing less safe. This is complete fantasy.
That's incorrect. There is malware out there that can only work if you don't have Secure Boot enabled. The setting OP didn't disable, Device Guard, prevents the abuse of 3rd party signed bootloaders, another attack vector basically.
This is a step up for most people that ever stay on Windows and doesn't affect the slightest someone who wants to install Linux, they still have to boot from an external device or wish to change a few UEFI settings.
> Of course this is a mechanism to further advertise locking down general computing and nothing else. It is not new and security is a bad excuse.
Framing Secure Boot as some kind of Secure Boogeyman is not conducive, brings the discussion into tinfoil scenarios without any potential practical outcome (nobody is going to remove SB or DG).
As long as Linux vendors or people can get or enroll their own keys and disable any potential presets, it's a step up in security for everyone.
Note, this is about not booting from signed and verified bootloaders, using the 3rd party Microsoft CA, which need to go through quite some hoops already to get verified, not some unverified and/or unsigned loader.
Debian, Fedora, ... use already trusted and signed bootchains, but they are excluded by choice without any benefit of security whatsoever.
IMO this smell again like classic Microsoft EEE...
> Framing Secure Boot as some kind of Secure Boogeyman is not conducive, brings the discussion into tinfoil scenarios without any potential practical outcome (nobody is going to remove SB or DG)
So, we're literally at the point where we have to disable parts of chip (the Device Guard / Secure Core / Pluton) in order to boot _any_ non-MS OS scenario, and you are still claiming that this is scaremongering ?
At which point it stops being a "tinfoil" discussion ?
> As long as Linux vendors or people can get or enroll their own keys and disable any potential presets, it's a step up in security for everyone.
Microsoft _already_ promised that there would be a way so that non-MS OS manufacturers would be able to sign their software so that it would NOT REQUIRE fiddling with the system firmware in order to boot them, even with Secure Boot enabled. This is what the UEFI CA was for. You just insert a SUSE USB pendrive, use the firmware boot manager (or even Windows own' "boot from USB device" option in the Settings panel!) and that's it.
Your system is no more compromised by this CA than by allowing MS OSes in the first place. This CA is MS, too. They vet everything they sign. They blacklist stuff that could have been used to compromise devices. They have forced GRUB among many other distributions to align to their whims in order to be signed.
Removing this key and relenting on this promise (which actually they have already done several times) means that there is NO WAY for a non-MS operating system to transparently boot on Secure Boot hardware. You have to fiddle with the system firmware, battle with a lot of Scary Boot Prompts that will drive many users away (even advanced ones!), and with the easiest option likely being to disable Secure Boot altogether which per your own words will reduce the security level of users.
Not to mention of the unfair advantage MS has since their OSes will still boot transparently on these hardware, no matter what the firmware settings, no matter if the device came with no OS or even a Linux distro to begin with.
I have already claimed that MS revoking a distro's signatures is basically a death sentence for that distro. Here we have an article about a manufacturer revoking _all_ distro's signatures, and you claim that "this is not a conductive discussion" ? Give me a break.
> So, we're literally at the point where we have to disable parts of chip (the Device Guard / Secure Core / Pluton) part in order to boot _any_ non-OS scenario, and you are still claiming that this is scaremongering ?
Yes, because the same way you have to enable booting from an USB stick.
> At which point it stops being a "tinfoil" discussion ?
See my last sentence in my previous comment.
> Not to mention of the unfair advantage MS has since their OSes will still boot transparently on these hardware, no matter what the firmware settings,
Making a fresh install of Windows is equal in complexity, but it is preinstalled more often certainly.
> Removing this key and relenting on this promise (which actually they have already done several times) means that there is NO WAY for a non-MS operating system to transparently boot on Secure Boot hardware.
That's not a case with Secure Boot alone, it's a case with Device Guard. Device Guard you can disable. It's a toggle like all the rest, no promises broken.
> I have already claimed that MS revoking a distro's signatures is basically a death sentence for that distro. Here we have an article about a manufacturer revoking _all_ distro's signatures, and you claim that "this is not a conductive discussion" ?
> Yes, because the same way you have to enable booting from an USB stick.
NO. It's not the same way. On most if not all devices I can boot from a USB stick literally from the Windows settings panel itself (search for Advanced Startup)! No need to even see how the system firmware looks like. Even on hardware as "locked down" as x86 MS tablets, I can hold Volume Down key during boot to boot from a USB stick. Again, enabled by default , and no need to even look at the system firmware !
From that point on, _if the UEFI CA signature is installed_, the distro's setup experience takes over, which is already under the control of the distro itself.
> Making a fresh install of Windows is equal in complexity, but it is preinstalled more often certainly.
"Equal in complexity" to what ? Most distros and even Windows install can be done with your eyes closed and hitting the enter key repeatedly, specially if you are just overwriting whatever was on the computer before. Installing OSes are typically designed to be as easy as possible. We've had decades of improvements here, both for Windows and non-Windows.
Changing settings and disabling secure boot on the system firmware is NOT designed to be as easy as possible. In fact, many times it is explicitly designed to be as scary as possible, precisely for security reasons! (with the intentional addition of Scary Boot Prompts). But worst of it, this part of the experience is NOT controlled by the OS vendor ! That by itself is already suficient to have a completely unfair situation. No matter how much effort you spend on making your OS install flow as smooth as possible, your user still has to fight the system firmware... but only if you're a non-MS OS!
> That's not a case with Secure Boot alone, it's a case with Device Guard. Device Guard you can disable. It's a toggle like all the rest, no promises broken.
The promise is that there would not need to be a toggle to switch. That's what's been broken!
So what do you want exactly? For hardware to ship with signatures for every known variant of Linux, BSD, QNX, RedoxOS, Solaris, and OS/2 Warp? I'm honestly asking: what is the alternative you're proposing?
If you're just saying "it's not easy enough", well, that's a matter of opinion.
What I am describing above is just the current method. The one which is currently implemented in most x86 UEFI hardware save for apparently this one Lenovo laptop and some other "miscarriaged" hardware.
You do not even need to imagine "what I am proposing" because I am not proposing anything whatsoever: the MS UEFI CA signs non-MS operating systems.
This is not about the presence of Secure Boot, but about distrusting 3rd party CA's. For example, my Dell XPS, with default Secure Boot settings, will boot official Fedora builds. This will not.
A signed rootkit created by abusing either an existing signed bootloader or shim. Of course it will change some TPM measurements, but those only matter after BitLocker has been enabled.
The same vector is applicable for Microsofts loader, so not really one that only the externals are susceptible and again no benefit in security.
Microsoft doesn't signs arbitrary bootloaders, normally just the shim from RH that needs to have a list of earlier signed 2nd stage bootloader (versions) with now known security issues and reject them.
Then this doesn't matter, because you haven't set a password on your firmware and the attacker can just turn on the "Trust the Microsoft 3rd Party UEFI CA" option
The average user has Bitlocker enabled and sealed to PCR 7, because that's been the default for years. A drive-by malware infection will be blocked by that. The ones who aren't in that scenario probably aren't using hardware that has this configuration, so it does nothing to protect them. If you're looking for the set of people who have hardware that defaults to this configuration, and who are targets of adversaries performing bootkit attacks, and who don't have a Bitlocker configuration that's sealed to PCR 7, I'd actually be willing to bet that you're going to find 0 of them.
> The average user has Bitlocker enabled and sealed to PCR 7, because that's been the default for years.
No, very few models sold auto-encrypt because most have *the very least* one untrusted DMA-capable bus. They might even have Device Guard enabled, but that's often insufficient. Not to mention other reasons why devices might be considered noncompliant, like lack of HSTI (though that's more common with desktop motherboards, of which some might even have all other features Device Guard consists of).
At this point in time, I'd consider auto-encryption rare. Maybe in five years and a few refresh cycles.
> A drive-by malware infection will be blocked by that. The ones who aren't in that scenario probably aren't using hardware that has this configuration, so it does nothing to protect them.
No, because previous point.
> who are targets of adversaries performing bootkit attacks, and who don't have a Bitlocker configuration that's sealed to PCR 7, I'd actually be willing to bet that you're going to find 0 of them.
Me finding someone getting actually targeted? Indeed unlikely.
Me finding someone with some especially nasty variant of Emotet? Not at all unlikely.
Device Guard enabled devices certainly make life harder for attackers, even if BitLocker is not (auto-)enabled.
> No, very few models sold auto-encrypt because most have the very least one untrusted DMA-capable bus.
This is a malicious thing to say considering the context (the same problem would affect MS OSes too), and for all practically purposes: since Windows 8 _all laptops_ that I have been able to buy had Bitlocker enabled out of the box (to my annoyance), not to mention that it was practically standard IT police for any large Windows shop.
> since Windows 8 _all laptops_ that I have been able to buy had Bitlocker enabled out of the box, not to mention that it was practically standard IT police for any large Windows shop.
Please, the current context is "average user" not an "average enterprise". In the latter case I agree with your assessment.
It's not like I don't buy my laptops at the same places average users do. Can you show me one model of a laptop in sale today with Windows 11 that does not enable Bitlocker by default ?
Systems have been shipping for years without any untrusted DMA-capable buses (source: I audited a bunch of this in a large enterprise). Anyone who's currently shipping systems with the 3rd Party UEFI CA disabled by default who isn't disabling untrusted DMA-capable buses is selling snakeoil, and the ones who do aren't obtaining meaningful additional security by doing so.
> Systems have been shipping for years without any untrusted DMA-capable buses (source: I audited a bunch of this in a large enterprise)
That's your mistake here, you saw it in a large enterprise, the context is "average user".
> 3rd Party UEFI CA disabled by default who isn't disabling untrusted DMA-capable buses is selling snakeoil, and the ones who do aren't obtaining meaningful additional security by doing so.
Some of the buses that haven't been whitelisted are only internal, so technically not snakeoil, just won't let you auto-enable encryption.
Honestly onus is on you to prove that current hardware that disables the 3rd Party UEFI CA doesn't also enable TPM-backed Bitlocker by default, because all examples I've seen do.
I can certainy imagine someone trying out linux and accidentally nuking their windows partitions in doing so or having GRUB replace their bootloader and figuring out ??? to boot back to windows.
Giving the user more hops to jump through, when they want to try alternate (signed!) operating systems? Like, you have nice encrypted disk here, are you willing to lose it, when you flip the setting?
Funny thing here is that the feature OP stumbled upon, Device Guard, does prevent quite a few different malware preinstallation methods. Including the infamous Lenovo one.
This is ridiculous. Lenovo controls all the preinstalled software as well as the drivers that are shipped with the device. Any of them could install a Superfish-like thing at any point.
They may control those parts, but Device Guard won't let you install most rootkits. Starting from Secure Boot and Virtualization Based Security ending with Trusted Boot, the system should be capable of rejecting unsigned privileged components and remain secure. Then an AV is probably capable of detecting and removing actual malware.
Superfish was not a kernel rootkit by any measure of the word. You just have to install a new CA then a NDIS filter, neither of these is either a rare or even blocked operation since they are required for preinstalled software such as drivers or even an AV. There would be absolutely no difference on whether you used Secure Boot or not.
But worst of all: Superfish was actually _signed_ itself. MS has improved the level of vetting they do now, specially for kernel drivers, but how come anyone can still claim with a serious face that a signature requirement from one CA specifically improves security against malware _from that CA_ (or their associates) ?
> Superfish was not a kernel rootkit by any measure of the word.
I didn't say it was, you kinda ignored the context. The person who I replied to was asking how can they trust their Windows is genuine, I replied to them that the feature causing a stir here does protect against some types of malware.
It's a fair assumption that the next thing akin to Superfish would try to implant itself deeper, if given the chance, Device Guard does eliminate some of those ways.
> for preinstalled software such as drivers
If that driver is actually malicious then Early-Launch Antimalware alongside the kernel being protected, can get rid of it.
> There would be absolutely no difference on whether you used Secure Boot or not.
I wasn't talking exclusively about Secure Boot.
> But worst of all: Superfish was actually _signed_ itself.
Sure, now there's a toggle that won't trust some signatures that aren't as heavily vetted (amongst many other things). How is that "ridiculous" or "won't make a difference". Are you just looking for a reason to argue?
> [Device Guard] does prevent quite a few different malware preinstallation methods. Including the infamous Lenovo one.
Which is the infamous Lenovo malware "preinstallation method" ?
How would a signature system would have prevented malware that was literally signed by Lenovo _and_ MS from being preinstalled on a Lenovo OEM image shipped with Lenovo hardware ?
Yes, and I didn't call it a "kernel rootkit" as you said I did.
> How would a signature system would have prevented a malware that was literally signed by Lenovo _and_ MS from being preinstalled on a Lenovo OEM image ?
Because AFAIK Device Guard sets limitations to what WPBT can do. Not to mention it's likely that additional kernel and boot integrity helps against all types of malware.
I do want to use secure boot and TPM2 (I do, currently). Just not with windows. Why should be secure boot windows exclusive feature? Until now, it wasn't.
> device guard and secure boot are different things, related, but different.
The problem is that it can have potentially catastrophic impact. If the user enabled Bitlocker, and didn't save recovery key (it will happen for mainstream users), he can lose his windows drive when he tries linux.
As I wrote above, another extra-hop for those who would like to go off the beaten windows path.
So they steal different certificate from the same subject instead? (Both CAs are Microsoft's, and only Microsoft is signing).
The default for years was to boot from external storage, when the internal is not bootable. To change it, you would have to change boot priorities or manually use the built-in boot selector.
That's a message from the Windows installer. Normally you would have to remove the optical disc after the files are copied or change the boot order/devices when the first stage of the installation ends and the computer is rebooted. With this trick, you don't have to do anything.
It is legacy boot, not UEFI. And I vaguely remember that this message came from the boot loader on the CD, of all places. It was a convenience for the user, who forgot the CD in the drive.
A former work computer of mine (a Lenovo, too!) wouldn't boot one day. After some time trying to figure out the issue I discovered I'd left a (non-bootable) USB drive attached to the machine. Removed the drive and it booted fine.
Having said all that, this comment is all anecdotal, much like yours.
I think they should. My home PC, which is used for gaming, is not likely subject to an evildoer with a kali linux USB stick. So I should be able to boot it from MY USB sticks without any hassle. It should be a BIOS boot menu option.
If people in corporate environments want to disable this, they can set a BIOS password to keep others out of the boot menu.
If an attacker is in a position to jam a random fob into your laptop then they can just enter the firmware and change the config to enable it. If you're going to posit an attack scenario then please describe the entire sequence of events and where the attack would be prevented by this configuration.
I see it as quite feasible that an attacker could insert a fob or organise for a fob to be inserted without also having opportunity to reboot the computer.
That fob could then compromise the system when the computer was rebooted. The Lenovo bios setting being discussed would prevent that.
BTW Can you clarify if you think the feature from Lenovo is a good or a bad thing given your claim that it's very easy to disable?
The boot variables won't point at the device, and so the firmware will never bother to scan the device. The bios setting therefore provides no additional security in this scenario.
It happens at airports, coffee shops, etc. Anywhere there are people working in public places. Jam a fob in, force a reboot, ransomware now loaded (for one example)
Force a reboot, jam a fob in, hit F1, cursor down three times, tab, down five times, space, F12, ransomware now loaded, except:
System doesn't boot because PCR 7 is now different, just like it would be if you didn't have to do those additional (rapid) keypresses. This is not the threat model you're looking for.
Attacker leaves a USB stick somewhere on a parking lot, and curious employee plugs it in to see what's there, and reboots machine (or USB stick makes it reboot).
Wouldn't even call it "in depth", disallowing an alternative boot should be one of the first things any decent IT staff should do on any company machines, and therefore so should direct-to-consumer pre-installed tech like this.
99% of computer users are just consumers, nobody should have to think about security when they first get a new system beyond setting a password.
Then he did it wrong, because the point of the article is that systems signed with exactly this key are not trusted anymore. Only different key is trusted, and that key is used to sign Windows only and nothing else.
One could argue that distrusting platforms signed with MS's 3rd party certificate offers marginal additional security but that doesn't contradict the original point made about defence in depth.
> Whether it offers marginal additional security has yet to be demonstrated.
You're further limiting the number of images that can boot. This is a point you've made yourself so I don't really see how you need a further demonstration.
What you can argue is whether that marginal additional security is negligible enough be pragmatically worthless. And I'd probably agree with you there. However that doesn't dismiss the point that it does add a marginal additional security from the perspective of "defence in depth"[1]
I'm not convinced it does in any meaningful way. Maybe (again) marginally it might but it's trivial to disable and most Linux users are probably used to jumping into the uEFI to enable booting from install medias anyway (I know I am).
I'd argue your statement here requires a greater burden of proof than the one you're arguing against.
> You're further limiting the number of images that can boot.
That does not mean it improves security. If the images it allows to boot are less secure than those it prevents, it lessens security.
> I'm not convinced it does in any meaningful way.
It does booting Linux harder exactly to these users that it claims to protect.
So yes, it "protects" them from trying competing product.
> disable and most Linux users are probably used to jumping into the uEFI to enable booting from install medias anyway (I know I am).
Power users can do it; less experienced users consider that difficult, especially if they are not familiar with the concept. This all contributes to the image that Linux is difficult to install and use. Linux forums are full of discussions on this topic.
While it is just an artificial hindrance.
Would be it OK for Windows users to fiddle with UEFI settings before they can use Windows? If not, why is it OK for Linux users? Windows gets a clear advantage here.
> That does not mean it improves security. If the images it allows to boot are less secure than those it prevents, it lessens security.
I appreciate what you're saying but your logic doesn't really work:
- The only image allowed is Windows. Anything else is disallowed. Those images might be malicious (eg someone somehow stole MS 3rd party cert) or they might not. But not allowing them is more secure than allowing them because you're reducing your risk.
- Furthermore, saying some images allowed are less secure (ie Windows) than the ones that aren't (eg CentOS) doesn't mean this "feature" (if you can call it that) doesn't still add some additional security. Because (and at risk of repeating the above), this still blocks some additional images that might be a security risk. Hence it reducing your risk and hence it providing additional security from the perspective of defence in depth.
- The point of "defence in depth" is not to have a single security countermeasure that acts as a silver bullet against attacks. It's to provide a layered approach where cumulatively they protect you. This "feature" certainly fits that criteria.
This is why I said the question shouldn't be "does it provide additional security?" but rather "is that additional security significant enough to warrant the other impacts (such as those you've outlined?"
If you were to make that point instead, then I might agree with you. But to say it doesn't provide any additional security really misses the point of how security is evaluated.
> > I'm not convinced it does in any meaningful way.
> It does booting Linux harder exactly to these users that it claims to protect.
That's not a counterargument, it's a contradiction. I don't really see the point of a "oh yes it does" / "oh no it doesn't" pantomime style argument. If you are able to cite how the short activity of unchecking an additional UEFI option is significant enough to turn people off from the already complicated process of installing Linux then I'd be interested to see it. Otherwise we might just have to agree to disagree.
> Power users can do it; less experienced users consider that difficult, especially if they are not familiar with the concept. This all contributes to the image that Linux is difficult to install and use. Linux forums are full of discussions on this topic.
But how many of those people are buying ThinkPads to install Linux who are not power users? I'd wager if you were to draw a Venn diagram, those groups would barely, if at all, intersect. And more often than not, you have to alter UEFA parameters to boot from removable devices regardless of your setting in secure boot.
> Would be it OK for Windows users to fiddle with UEFI settings before they can use Windows? If not, why is it OK for Linux users? Windows gets a clear advantage here.
This I do 100% agree with. I never liked secure boot to begin with because of exactly this reason. Still dislike it now and certainly don't agree with what Lenovo are doing with regards to the original topic. But that is an entirely separate point to the one made previously about defence in depth.
Here I think lies the issue of our discussion. You're arguing against a technical point with an emotional claim of morality. While I completely agree with your point about morality, it's doesn't address the technical point you're trying to argue against.
> - The only image allowed is Windows. Anything else is disallowed. Those images might be malicious (eg someone somehow stole MS 3rd party cert) or they might not. But not allowing them is more secure than allowing them because you're reducing your risk.
> - Furthermore, saying some images allowed are less secure (ie Windows) than the ones that aren't (eg CentOS) doesn't mean this "feature" (if you can call it that) doesn't still add some additional security. Because (and at risk of repeating the above), this still blocks some additional images that might be a security risk. Hence it reducing your risk and hence it providing additional security from the perspective of defence in depth.
However, that is not increase in security. It is to increase the lockdown. And increasing lockdown is a poor proxy for quantification of security of specific images. It is easier, with that I can agree.
By the same token, locking out Windows images and allowing CentOS images also increases the security, but then the argument would not be about security anymore, but change to convenience of majority.
> If you are able to cite how the short activity of unchecking an additional UEFI option is significant enough to turn people off from the already complicated process of installing Linux then I'd be interested to see it. Otherwise we might just have to agree to disagree.
You had exactly that in the TFA. It invalidates PCR7, thus invalidating the TPM secrets. If the user uses Bitlocker and didn't save the recovery key, he just lost all his existing data by flipping that option.
It is another significant hoop the users have to jump; and it just happens to more complicate Linux usage. Those incompetent Linuxers, cannot make anything user-friendly...
> But how many of those people are buying ThinkPads to install Linux who are not power users?
Many normal users are not thinking about Linux when they purchase their gear; they will want to try it later, once they used the hardware for a while. If this wasn't a case and users would do research ahead of purchase, the majority of hardware problems under Linux would not exist.
> You're arguing against a technical point with an emotional claim of morality. While I completely agree with your point about morality, it's doesn't address the technical point you're trying to argue against.
My point is that it is not a technical issue. It is political issue masquerading as technical one. So a party A designs a system that favors products of party A and it just happens to thow a curveball at everyone else. Color me surprised. Real technical problem would not favor a specific party.
> However, that is not increase in security. It is to increase the lockdown.
In this instance it is both
> And increasing lockdown is a poor proxy for quantification of security of specific images.
You do realize that locking stuff down is one of the core tenants for securing systems?
> By the same token, locking out Windows images and allowing CentOS images also increases the security
If your system is shipped to run Linux then yes, locking out Windows images would increase the security.
> but then the argument would not be about security anymore, but change to convenience of majority.
You're flip flopping all over the place with different topics. If you want to talk about convenience then I agree that locking systems down affects user convenience. It's a well known adage that security is usually a trade off between convenience and protection. But you weren't talking about convenience, you were talking about security. Which is why I've been talking strictly about security.
With the greatest of respect, you're coming off a lot like you don't really know this subject matter considering how poorly you're sticking to topic and how you're misunderstanding even many of the basic principles of security.
> It is another significant hoop the users have to jump; and it just happens to more complicate Linux usage.
I agree it's another hoop but you haven't yet demonstrated how it's significant despite me asking you to substantiate that claim a few times already. It feels to me like you're just throwing in adjectives for dramatic / emotional effect rather than having a rational conversation here.
> Those incompetent Linuxers, cannot make anything user-friendly...
Why should you care what other people think about Linuxers. Just use the platform you want to use instead of seeing this as some kind of holy war where you need to convert Windows users into Linux users.
> Many normal users are not thinking about Linux when they purchase their gear; they will want to try it later, once they used the hardware for a while. If this wasn't a case and users would do research ahead of purchase, the majority of hardware problems under Linux would not exist.
I've been using Linux since the 90s (and as my primary OS since XP was released and BeOS deprecated). I've never once shopped around for Linux compatible hardware and never once ended up with a machine that couldn't run Linux because of it. Peoples complaints about Linux compatibility are, in my experience, largely over told.
> My point is that it is not a technical issue. It is political issue masquerading as technical one. So a party A designs a system that favors products of party A and it just happens to thow a curveball at everyone else. Color me surprised. Real technical problem would not favor a specific party.
I think you're talking this far too personally. The simple solution here is you can just buy someone else's equipment instead. Getting angry on a forum isn't going to change anything (tbh neither is boycotting Lenovo but at lead doing that can give you some level of control).
Changing the setting and booting an OS signed with the 3rd party signing key will result in a different PCR 7 measurement, which will result in the TPM refusing to release any secrets that would be required for the system to boot.
Anyone enabling BitLocker or any FDE really, should know to back up their recovery key so that they can access their data, should automatic unlocking fail.
Well yeah, but you asked about ordinary everyday users. And the best I can come up with is that it's marginally harder to load a foreign OS and access an unencrypted drive. You can't just plug in a USB stick and power cycle the thing.
Though I'm not sure if it's worth it, especially not if changing the bios is just a matter of seconds anyway (ordinary users probably won't put a password on it).
Oh yeah absolutely. Any docs advising people to set a password for security should also advise people to set the "Trust the Microsoft 3rd Party UEFI CA" parameter appropriately.
> [...] the firmware defaults to not trusting bootloaders or drivers signed with the Microsoft 3rd Party UEFI CA key.
The whole point of secure boot was that there is a known set of "good actors" who are trusted by default, so that you can boot 1. Windows 2. common Linux distros - without any fuss, and 3. Any other system - with a few extra steps to prove you know what you're doing.
They've de-ranked the set #2 and threw it in the bag with #3, which doesn't really do much at all to improve security, but it does inconvenience and disincentivise the users from using a Linux distro on this hardware.
It's most likely an honest mistake, a sign of incompetence, or a dick move. Write them an angry letter and carry on.
It's interesting as Thinkpads have always been a reliable laptop for linux users - I'm typing this on linux on a t470 (my previous t410 had given up the ghost), but I bought my first thinkpad back in 2000ish, with a pcmcia wireless card.
> They've de-ranked the set #2 and threw it in the bag with #3, which doesn't really do much at all to improve security, but it does inconvenience and disincentivise the users from using a Linux distro on this hardware.
Well no, it's not Lenovo really, it's Microsoft and its Device Guard / Secured Core that has done so. You can disable that just as easily as you can boot from an USB stick.
Some additional context: when the system boots, the secure boot key that was used is recorded into PCR 7[1] in the TPM. This means that booting an OS signed with the Windows signing key will result in a different PCR 7 value to booting an OS signed with the 3rd party signing key. If you care about which signing key was used, you can provide a secret to the TPM and ask the TPM to only release (or make use of) that secret if PCR 7 has a specific value. This means it's possible to configure an OS such that it will only be able to access its secrets if PCR 7 has the expected value. An attacker who intercepted the laptop before it was delivered to its owner could obviously subvert this by sealing the secret to the incorrect PCR 7 value, but such an attacker could also just reconfigure the firmware to trust the 3rd party CA before the owner received it. There isn't a clear description of what threat model this design is intended to protect against, or why alternative approaches weren't used to achieve the same goal.
[1] Modern TPMs have 24 PCRs that can be used to measure different parts of the boot process, but the general expectation is that only 0-7 will be used by the firmware. On UEFI systems, PCR 7 contains information about what the platform's secure boot policy is, and which keys were used to verify the boot process. Booting something signed with a different key will result in PCR 7 having a different value, which is something that can be detected by tying encryption keys to specific PCR values.
No contest, but if you are actually a person who is paranoid about this but still requires to have access to Windows software (in an enterprise setting), you would actually check the UEFI and reinstall Windows. If you're actually being attacked by state-sponsored actors the risk management is so different that I don't think it can be discussed here fairly (mainly because it's a case-by-case matter).
Secure Boot ensures that it's impossible to run a rootkit, even if the user accidentally installs one. Instead of booting into corrupted Windows, the system would fail to boot.
It's definitely harder, but not impossible. The Realtek signing driver was stolen multiple times already, and I personally know that certificate management practices (in Asia in general) is abysmal.
I generally agree with that, but I don't think that holds for Lenovo. Wasn't it Lenovo that compromised the security of Windows by installing a keys-included general purpose root certificate?
I'm a Linux fanboy. I don't mind having to change a thing in bios once. I care more about the standby sleep instead of S3 and other shenanigans messing my daily experience.
Tell that to anyone who can barely get past the Ubuntu installer. Every step making installing alternative OSes harder is newsworthy, for the simple reason that every bit more difficult installation means literally fewer users capable of getting through it.
But I think that's... valid? Like, if you're a person able to install (and use) a typical linux distro, on a totally open and free-range PC, then you're near-definitely also a person who knows how to use the BIOS. You were probably already in there switching the default boot device. That is, of course, assuming there is a BIOS option to disable it, which hasn't been confirmed or denied.
The reality is: installing a replacement OS post-sale is never, ever going to be the way to grow linux marketshare, if that's what you care about (it shouldn't be, but some people live-and-breathe year of the linux desktop so whatever, you do you). Its a lot more important that it ship with the hardware, and extreme attention to detail has gone into making sure it works well with that hardware. Certainly, some vendors already do this. Moreover, I'd also argue its even more important that that hardware be modern and desirable; the only vendor I've seen pull this off is Dell (genuinely sorry, because I love what Framework/System76 are doing, but their machines look like branded OEM Clevos, because they probably are, or were in the recent past. I support them; I own a Framework; but only because I want them to do better, not because what they're doing today is enough).
What I'm saying is that installing an alternative OS should be as simple as plug in the USB stick, reboot, select "bloody well install this", enter your username and password, done. OEMs, with pressure from Microsoft, are making this harder every year. Of course OEM install is the gold standard, but I suspect we're ~[MS budget]/[all Linux businesses combined budget] years away from that. In the meantime, let's move on from 90s UX[1] and actually make the process easy on users.
[1] UEFI GUIs are an improvement, but they still have 95% of the same usability issues of text-based BIOS: 1000+ settings with no hint what each of them means, XTLAs only understandable by hardware+kernel experts, unfamiliar interaction patterns like not having a big friendly button to just save and reboot, and so on.
a better solution would be to force vendors to have both OS preinstalled, and allow users to choose the default at boot, like the EU did with browsers some time ago.
First of all, this is not true. Anybody can install a distro like Linux Mint or Ubuntu, it doesn't require any tech knowledge. Many Linux distros are perfectly fine for the average user. Second, requiring complicated BIOS changes constitutes an artificial hurdle for any Linux distro to be easily installed by an average user. So even if you were right, the measure would also ensure that future versions of Linux that are decidedly more beginner-friendly would be prevented from being installed, creating an artificial, anti-competitive barrier.
In a nutshell, this is bad no matter how you look at it.
> Anybody can install a distro like Linux Mint or Ubuntu, it doesn't require any tech knowledge.
What you think as "not tech knowledge" is a serious skill that is severely lacking in billions of people.
The user needs the install medium, they need to get it, download it, create it, get a USB or blank CD/DVD, etc. They need to either have the courage (or curiosity or aloofness or determination) to modify their computer on such a drastic level, they need to understand abstract concepts, follow a written manual that uses those concepts, they need to recognize those abstract concepts as they are implemented on the computer they are currently tinkering with, and so on, and so on.
> In a nutshell, this is bad no matter how you look at it.
True, but it's bad because the whole "personal computing" thing is bad. This detail is largely irrelevant.
WYM, it's for tech savvy geeks, and also tech curious teens and also parents who refuse to upgrade a machine that's not capable of running newer Windows versions and also for...
I was 12 when I first installed linux and barely knew what I was doing. I easily would have given up if I couldn't figure out that my machine had a secret hidden bios setting. I learned a ton from that experience, that easily could have been missed if I'd happened to own one of these anti-competitive machines.
Installing a user-friendly linux distro has gotten quite simple too, requiring only a couple simple steps using some clean tools. Modifying hidden BIOS settings is a significantly more complicated leap than the plug-and-play imaging tools available today.
Ubuntu is certainly for the average user. I just installed 22.04 on my mum's ancient laptop after she's been complaining for years about it being too slow to use. No tech support so far, and she says it's blazing fast compared to the old Win10 installation. She's used Windows since the 3.11 days, so finding the "start" menu and a browser must've been a cinch. GNOME is probably less of a UI shock than Win10 was.
Asking her to install Ubuntu herself, though, would be another matter entirely. Installing any OS (including Windows, since it's about as complex as Ubuntu these days) is way beyond the skill level needed to actually use it.
Only on hacker news would people be so far removed from real life that they would say 'Ubuntu is for the average user'
And as you said, most people would not be able to install it let alone the fact they likely have no idea what it is, so in relation to this post about consumer lenovo laptops, it's irrelevant and doesn't matter to the vast vast majority of people.
> Linux is not an OS for the average user, it's for tech savvy geeks and an extremely small subset of those people too.
I recently installed Linux Mint and Windows 10. Linux was faster and easier to install, and has a friendlier UI. Have you seen the Windows start menu recently? It's cluttered with crap: I couldn't figure out how to do basic things with it, even searching was hard. You might do everything through the command line, but that's not the only way, the GUI does work.
Software's a different story, though a lot of things are online these days.
Nope. Hitting Enter or F1 brings you into Windows diagnostics rather than BIOS, at least on the Thinkpad X13 Gen 2 Ryzen Pro subnotebook w/ useless Windows installed a customer sent me for a project, and that is now contributing to a growing number of 3 bricked (brand-new!) latitude/precision and thinkpad notebook trash I'm accumulating at home. With the current state of non-existant quality in PC notebook hardware, I'm not going to buy anything except Apple hardware. Right now I'm back to using a 2016 XPS, with my 2019 Thinkpad collecting dust (and blocking its crap trackpad due to it); it's not that there are news regarding x64 performance since over ten years anyway.
A bit off-topic, but Windows changes boot order for Windows first every time you boot for Windows. This is so annoying when you are regularly booting to different OS.
The fix for this used to be that you'd just install the systems on different physical drives. Changing their boot order in Bios during install so Windows is going on the primary/boot disk. You then swap them back and update grub on your Linux side. When you use grub to boot windows it temporarily re-maps the drives before booting so that windows thinks it's the only OS on the primary drive and is happy without touching your grub setup on the 'real' primary drive.
On the other hand, having dualboot with Linux on my ThinkPad T490s managed to break my bitlocker on the windows partition every time Linux updated. Not sure why, as I really needed Windows for work I had to revert and didn't have enough time to really investigate.
Entering the recovery key is enough but the problem is my work uses software to rotate the recovery key and the last time the stored key didn't work. Probably it was just rotated but not updated in the system yet. So I had to restore fully and I removed Linux.
You might have used the same EFI partition for both, which is always unsafe.
In the future, better make own EFI partition for every OS unless you manually define directory hierarchy.
I did indeed. I thought it was OK to do that. I noticed they both made their own directory in the EFI partition. And it was what Ubuntu's installer did by default when it detected windows.
Good to know, thanks! To be honest in this day & age of virtualisation I hardly ever dual-boot anymore.
Haven't been following PCs for a while, is this now something that an OS can do? I've always assumed that boot order is a BIOS setting that's only accessible from the BIOS setup text mode thing.
Windows modifies UEFI settings on runtime. There is an API for that. Even setting password for BIOS/UEFI won’t prevent that as machine has been booted already.
Yes, under EFI the OS can set the boot order; you can do it yourself with the "efibootmgr" command on Linux. This is used for instance by fwupd to install firmware updates (it temporarily changes the boot order to boot into a firmware update loader).
It's the same company that prevents you from using whatever HDD you like or swapping out a wifi card in your laptop, a company with a constant itch to preinstall spyware/adware, etc. Limiting your choice in other ways is clearly not out of question.
If you want to explore Linux and don't know what BIOS is, it's probably better to be in a VM than trying to achieve dual-boot or totally wiping your Windows install.
Why should you care about your system firmware when you're running a modern Linux distro? I gave Ubuntu to people who had no idea what a BIOS was almost 18 years ago, and I promise things are better now.
If your can use Windows or Mac OS then you can use Linux. What does BIOS have to do with it?
My non-technical wife has installed and is using Ubuntu. With this mentioned BIOS/UEFI block it would be much more tricky for her to get started.
That's the issue here.
It'd be one thing if it were a setting to disable some feature that Linux doesn't yet support. It's another that the setting is literally "refuse to boot anything not provably made by Microsoft".
Though keep in mind that'll limit your boot drive to 2.2TB in size. Not too much of an issue now for most people, but something to keep in mind during upgrades.
I've dealt with many laptops and its not as easy as you make out. In particular I've had to open laptops to set jumpers so I'm allowed to even make changes to the boot settings.
Agreed. I’ve done this process and it didn’t even occur to me that this was done nefarious practice. It’s to prevent some typical user from getting his machine pwned.
And this isn’t Evil Microsoft dictating what vendors can do. I can install Linux on my Surface device.
You're preaching to the choir. HN mob has its pitchforks sharpened and torches out for anything PC/Microsoft related, regardless of rime or reason.
If the PC laptop would boot by default, off of any random USB plugged into the laptop, then HN mob would (rightfully) cry that this is a major PC security issues and that's how grandma could be pwned and get scammed, unlike a super-secure M1 MacBook which won't boot any other foreign OS by default without major hoop jumping.
If the PC laptop doesn't boot by default off of any random USB drive (just like a Mac), requiring the user to go into the BIOS and change this setting first, then it must be malice from Microsoft and the PC OEMs to restrict user freedom and destroy Linux's 2,43% PC market share.
> then it must be malice from Microsoft and the PC OEMs to restrict user freedom and destroy Linux's 2,43% PC market share.
It is ridiculous that people still downplaying Linux's PC market share when the latest version of Windows ships NOT ONE but TWO Linux emulators/virtualizers BOTH designed to allow you to run Linux binaries (desktop & Android) under Windows in the most user-friendly way possible.
Obviously this is because no one Windows customer cares about Linux or Linux software.
AT THE SAME TIME they take steps (and everyday larger steps) to prevent booting the same Linux on bare hardware, making their virtualization options more attractive for both the regular user and the advanced user.
At this point we're way past the "assume incompetence" point.
>It is ridiculous that people still downplaying Linux's PC market share when the latest version of Windows ships NOT ONE but TWO Linux emulators/virtualizers BOTH designed to allow you to run Linux binaries (desktop & Android) under Windows in the most user-friendly way possible.
Mate, you're contradicting yourself here more than you are contradicting me. WSL and Linux as a main desktop OS are two completely different things, and nobody is downplaying Linux's desktop market share, which is <3% no matter how you try to spin it, those are the statistics.
You are arguing that MS couldn't care less about desktop Linux market share. I point that they have actually done steps to try to capture that market share. One (the only?) new feature in WSL in Windows 11 is the ability to run _graphical_ _Linux desktop_ applications. In addition, another new feature in Windows 11 is the ability to run Android applications.
How can anyone argue with this that MS couldn't care less about Linux's market share ?
With these changes, MS "accidentally" makes running non-MS OSes harder, and this includes both Android and desktop Linux, OSes for which they have as per the above shown an interest in capturing their market share. "Accidentally", the fact they become harder to run natively also makes their new virtualization features more attractive for users.
> then it must be malice from Microsoft and the PC OEMs to restrict user freedom and destroy Linux's 2,43% PC market share.
I can only parse it in two ways:
* Sarcastic version: Linux's 2,43% market share is ridiculously small and therefore it is ridiculous to consider that Microsoft must be trying to destroy that market share.
* Non-sarcastic parsing: Microsoft is malicious and actively trying to destroy Linux's 2,43% PC market share.
You're missing the key point which is that signing for other popular OS's exists and this solution simply ignores them. Not booting anything thats plugged in, sure. But this is not booting anything not windows.
And invalidate everything in your security processor, which will possibly brick your windows installation and nuke your files if you had bitlocker keys inside that security processor.
One weird trick to ruin your day, surely.
Edit: Looks like Windows has changed since I left it, please disregard this comment, thank you. The comment is left intact for context correctness.
You can’t be storing irreplaceable keys in the TPM chip, they fail all the time. Either you don’t really need the files on the disk or you need backup keys. And note, you can’t even turn on Bitlocker without being forced to save those backup keys.
> If you want security here you're paying attention to the values measured into the TPM, and thanks to Microsoft's own specification for measurements made into PCR 7, switching from booting Windows to booting something signed with the 3rd party signing key will change the measurements and invalidate any sealed secrets.
Yeah but this is pretty bad in itself (really long number) when you're traveling. And needing the recovery key so often will lead to people writing it down and keeping it with the laptop so they're not locked out next time. Which invalidates the whole point of FDE.
The last time I had this the key didn't even work, my work rotates it regularly so something must have been out of sync.. Every Linux update seemed to break bitlocker this way so I stopped dualbooting.
But this has nothing to do with being able to boot Windows. The license key isn't in there. The TPM is used by apps to store secure data, which you wouldn't necessarily expect to even survive a reboot.
First, this is a feature of TPM (PCR 7 checks), even before Pluton existed. This literally existed in 2008 (and FSF was so scared of it because in theory it can be used for DRM, which is a valid opinion). You're spewing misinformation.
Also, for some people, they will trade-off the possibility of data loss as long as the data can be reliably destroyed if the data falls into the wrong hands. Maybe not for you, but it's there for enterprise.
Well, I knew right from the start when secure boot was first introduced that this is going to happen sooner or later. This is a slippery slope, and I'm sure eventually we'll have computers which will make this not only the default, but also the only way to boot.
The war on general-purpose computing is well underway, and I fear we'll lose it. The billions of already completely locked down computers (e.g. every iOS device) does prove that people just don't care, and many (including people here!) will even defend it that they prefer it that way. Eventually we won't have a choice.
Redhat (or Canonical?) had some almost smug FAQ post where they ridiculed the notion that secure boot is a "MS conspiracy" versus Linux. We will see how that turns out ...
I think we'll only lose in the way we 'lost' the open source code war. In that, it won't be as shiny at first, but we'll slowly take over the mindshare. Our stuff will always be better because of the freedom it provides.
And then someone like Microsoft or whoever will buy their way in, corrupt a bunch of xbox users into thinking they're the good guys again, and we'll start again.
And I sense there will always be a market for it regardless of what large companies who want the widest reach possible (But I am still waiting patiently for the open laptop + trackpoint-on-keyboard combo :) )
I have an honest question: How Microsoft is planning to restore trust in open source / free software circles?
We have seen pretty horrific things back in the day, and some of us can't trust you, even if we want, and some moves still relight this fire instantly.
I want a more friendlier computing environment overall, regardless of the OS we use, and want to be able to interop with other OSes on many levels (protocols, hardware, developers of said OS).
Does Microsoft has a plan for this?
Because Opening VSCode and slowly putting into proprietary domain & using GPL code in Copilot doesn't inspire trust, to be honest.
An engineer in the Kernel development does not have insights into any of these kind of strategies.
What you can see from the outside that this is a move of the Visual Studio management to preserve their revenue stream (against which they get bonus etc). It is just stupid incentive management with the idea that the developer division is a profit center (which it should not .. in favor of Azure).
This secure boot topic is IMHO related to some product manager thinking that Windows laptop should be protected walled gardens like Apple devices are.
Do you want the honest answer from someone else in the community?
They're not planning to, not really. FAANG + MS are so big that at this point they stopped caring about Open Source and Free Software. The licenses are intentionally permissive that every tool can be used internally if they need it (Linux, bash, etc) plus even more permissive licenses like MIT can be used in commercial products. With web services even GPL can be used in their commercial cloud services.
They control a huge chunk of Open Source anyway through their contributors.
Plus the level they compete at is so far from Open Source that Open Source basically doesn't matter. It's all services and clouds now.
Open Source had its moment circa 2005, now it's just asphalt. Yeah, we use it everyday, but nobody writes home about it.
I believe that you believe that, but I cannot believe that's true. Microsoft is far too big to care about any trends, including open source. They are simply doing what makes the most money within the time scales they operate. If that means supporting certain open source projects right now, that's what they'll do. If it means hindering open source adoption overall, they'll do that. Sources: ODF vs OOXML, terrible support for Linux across their application suite, this article, and a tediously huge list of things happening several times per year at least since the 90s.
> WSL is part of Microsoft's internal push to embrace open source.
WSL is part of Microsoft's push to eliminate Linux. Microsoft has always weaponized support. With one hand they support Linux binaries and with the other they force hardware makers to disallow Linux.
It definitely isn't an 'attack', they just simply have not enabled the correct keys. I strongly doubt that lenovo consider any tiny amount of Linux users in any support scenario.
Source: I work on the Linux kernel and met people who work on Linux kernel.
It may come with many secrets baked into the security processor already, like your Windows license, or you may have used your computer for some time, and stored some secrets with keys stored in the processor.
You'll lose these secrets and keys, forever. They may be private keys, decryption tokens and more.
You may not be able to regenerate them and get everything back.
Edit: Windows (license) keys are not in the TPM apparently, my bad, sorry. Keeping the above text for context correctness.
Nope, Windows keys are not in the TPM. Only BitLocker uses it in any common scenario and that you can disable before changing UEFI settings (or enter a recovery key), you can also use BL without a TPM.
I bought one of these laptops. It came with Windows 11. I followed the steps on Ubuntu website to flash a USB drive and the laptop didn't boot from it, despite selecting to boot from USB. After disabling Secure Boot from BIOS, I was able to install Ubuntu. Windows continued to work just fine.
iirc whatever cert grub was using has been blacklisted by Lenovo because of some recent security issue in grub (I can't find the details right now).
Whatever your stance on Secure Boot, this increases friction and raises the tech bar for people to install other OSes. I imagine that even a "power" user wanting to try Linux would be very confused and would probably give up after not being able to boot from USB.
The 3rd party UEFI CA is a compromise in Secure Boot. MSFT runs the CA but they don't sign binaries, just issue certificates to anyone who asks nicely.
Fedora, Ubuntu, and rEFInd were some of the first to get their own certs.
So it's more "They don't trust who microsoft trusts"
Microsoft absolutely still sign the binaries, and do not issue certs. Everything signed with the 3rd Party UEFI CA was signed by Microsoft, not any third party.
When will OEM's realize that forcing Windows on computer purchasers is less than ideal?
I don't mean to merely refer to this particular issue/non-issue.
I refer to the entire industry pre-loading Microsoft Windows on every new computer as IF this were the desire of everyone in the world.
I'm not suggesting that there isn't a market for Windows, I'm suggesting that an industry-wide forced-Windows-ONLY world is bad for the market, bad for consumers, and probably bad for OEMs... If it's some shady Microsoft OEM contract FORCING this to be the case, let's see an example. Didn't anyone challenge it?
Why don't Dell or Lenovo sell 10-20% Linux laptop preloads?
Surely one can understand that developers and plenty of other users require Linux not Windows, right?
Why are Linux preloads expensive and odd?
Why are more OEMs not ALSO selling Linux preloads?
A lot of these large volume OEMs depend on extra revenue from the Windows bloatware that they preload (antivirus, games, social apps etc.)... Usually they get a kickback based on volume sold.
This stuff largely doesn't exist for Linux, so they're missing out on this profit for any Linux preloads. It's also why you see Linux preloads mostly done by more boutique PC builders -- they've already charged a reasonable premium on the build.
it's time for law-makers to step in and force OEM's to have both systems preinstalled, with a choice at boot, like the EU did for browsers. linux doesn't even need more than a few GB of space so with todays disks the space is negligible.
The argument then is why just these two? What about the BSDs or DOS? What distro of Linux?
Realistically, the reason OEMs pre-install Windows has nothing to do with the storage space or even with the logistics for developing a "choose your os" program. It's that they get extra revenue from bloatware contracts.
Boutique PC or even laptop manufacturers are more than happy to provide Linux. They do not make enough machines to be viable for bloatware contracts, so for them it is often instead more profitable to get extra buyers by catering to niche user bases like Linux users.
oh, those two would be the minimum, you are welcome to add more. but only operating systems targeted at non-technical desktop users. so haiku maybe, but not BSD
and as a tech person, i would not care which linux distribution they choose. let the OEM pick one and use that as their differentiation point, if that's of any worth. ubuntu, fedora, suse, pop! os, whatever. it doesn't really matter, as long as there is an alternative to windows.
Both Dell and Lenovo sell Linux Laptop preloads. I think you may be overestimating the market for such devices.
As an anecdote, every developer that I know and I personally use Windows or Mac laptops and desktops. 1 guy in the group has a linux setup, but primarily uses Windows or Mac. While most of us have installed Linux on a device at some point, none of us use it as our daily driver. I'm talking about a network of roughly 100 devs that worked together or are a friend of a friend that chat on Slack daily. Yes, it is a small sample size, but it is relatively representative of what I've seen from devs at all of my previous companies over a 14 year software dev/engineering career.
Oh, Lenovo is shipping laptops? The cancellation of the last three orders I attempted to place with them left me under the impression that they weren't shipping them anymore...
> Trying to boot Linux from a USB stick failed out of the box for no obvious reason, but after further examination the cause became clear - the firmware defaults to not trusting bootloaders or drivers signed with the Microsoft 3rd Party UEFI CA key.
Isn't that precisely what the GP linked to? If it's just a matter of changing a BIOS switch then this is a non-issue imo.
It may be a non-issue for some developer folks out on here.
However, navigating the scary BIOS menus, in a foreign language, with technical jargon even I can't always understand (and I do assemble my desktops from parts). Even keeping running Ubuntu (or Fedora or whatever) on a new laptop would probably not happen for many non-technical folks, if this sort of 1990s level dark arts boot time shenanigans were encountered.
At least that's my experience with relatives and friends who need computers for non-technical work or entertainment. Not all, but most have found Linux overall nicer user experience than Windows, so this would be a net negative development. Defaults matter, so this is definitely an issue in my opinion!
The PDF linked to further up this thread describes the process of trusting the 3rd party Microsoft CA that the original article mentions has been distrusted.
This might be terrible news. Some of us Linux fans have been waiting for new Lenovo laptops featuring the next gen of AMD chips because they ship with RNDA2 GPUs.
RDNA2 is the most powerful open source friendly GPU out there.
This has been a long time coming for us Linux fans.
ThinkPad too, so not the budget line. So... guess Lenovo don't sell to me anymore. Dell's latitude are similar but were Intel-only last time I looked.
Anyone know the obvious replacement offhand? Ryzen + runs Linux.
edit: article says 'default' a lot, are we talking flash new firmware to get something working or changing a setting like secure boot = off, as they're not really comparable.
> edit: article says 'default' a lot, are we talking flash new firmware to get something working or changing a setting like secure boot = off, as they're not really comparable.
Just got a Yoga6. Had to go into BIOS and disable secure boot. Then F12 on boot to choose my SysResc USB, boot that. Add syslinux to existing EFI partition. Install Gentoo. Rsync /home from the old machine.
But it did take some fiddling with efibootmgr to fully purge the Windows shit.
MS still gets paid for the license, even when it's not used.
I tried installing Ubuntu on it and it was a nightmare. I am pretty sure Lenovo made this laptop so any OS other than Windows will not work well.
I had Ubuntu on dual boot for about 4 months. And I had to fuck with the BIOS at least a dozen times a week because something or other would stop working. Never happened to me on any other laptop I have owned.
Windows is a nightmare for me as a web developer. Ubuntu seems much easier to me and more intuitive somehow. Maybe I'll get an M1 Macbook or build a PC finally... :)
Really? Even after they were caught bundling Windows spyware on three separate occasions? Even after they used the BIOS/EFI to forcibly reinstall said spyware? Even after Lenovo was caught using Uyghur forced labor?
Nobody's perfect, and IBM has plenty to answer for, but Lenovo's been doing shady shit for years.
In which mjg finds out this was the plan all along, only now when the parade floats have stopped dead in their tracks and opened up to reveal the tanks inside:
I've been happy with my X13 Gen 2 AMD 32GB. Even has a nice screen at 2560x1600@400 nits. Keyboard isn't as good as my ancient Thinkpads, but still better than anything else on the market. I agree though that Thinkpad offerings can be all over the place, and quality varies.
Although, to be honest, I probably would have given up on Thinkpad/x86 entirely if they didn't offer AMD, because in my experience Intel mobile processors are terrible for pro work. I got so fed up with my T480s i7 thermal throttling at pretty much any task that I gave it away.
I believe if you are running a ThinkPad designed for Linux, you get a great Linux experience. I've found great Linux support on older ones that only target Windows. What do you think is missing?
The old ones (ivy bridge) are fine (for that generation). Current ones have regressed on several axes (worse keyboards, trackpads, soldered components), and have not really improved in any meaningful way. They still use poor screens, poor webcams (which are slowly being upgraded now due to macs), no ecc memory etc. Thinkpads are doing the bare minimum, nothing else.
I have a newish X13 and have owned several ThinkPads since the T40. It is the best made machine from them that I've used so far. The keyboard is still good, not as great as the X230 or previous (not full size). The memory is soldered I believe, but harddrive is not. Screen is fine. It is AMD and had a few problems to start with which have ironed out.
I would say, overall, this is an excellent machine for doing work and build quality is excellent. It's a shame that Lenovo have such dubious ethical standards.
I run a Lenovo X1E, which is supposed to be Linux compatible. The Linux experience is bad though. The Lenovo device drivers are just an incomplete buggy mess.
For some reason, people on HN praise Lenovo for Linux compatibility, but in my experience it is quite a bad experience. Yet, every time I bring up this subject, there is someone commenting about how their T430 runs just fine on Linux. Newsflash: the T-series is a 20(!) year old laptop, build by IBM.
Nowadays, the whole 'Linux compatible' thing with Lenovo seems like a marketing afterthought. My X1E is now a couple years old, and yet nobody at Lenovo bothered to provide any fixes for basic stuff like the ACPI driver.
At least the first gen had issues with linux sleep and battery drain. Build quality looks average. It's not a bad device; just not too compelling at the price point.
"After setting these two items, on the lowest brightness idle you will see the CPU hit C8 states on the second tab of powertop and the overall usage be roughly 2.5W if you have a single DIMM. Without ASPM enabled, the power usage will be between 3-4W."
Hanging around the Framework forums https://community.frame.work/ made me feel a lot more comfortable w/ them and I put in a pre-order for a DIY barebones system. To me the price difference didn't seem too bad (I have my own 64GB DDR4-3200 and 2TB PCIe 4.0 M.2s already).
Even if there's a premium, it's a bit weird to argue against the lack of "differentiation" since not another laptop manufacturer offers a parts store like https://frame.work/marketplace or the ability/support to swap or build your own expansion cards.
That's worked around, not really fixed. There are quite a few Clevo or other generic laptops that don't solder ram, storage, and wifi. That's 90% of what you care about. So framework's value add on top of that is not that high for the price premium. The expansion cards are perhaps useful, but I don't see the draw. Their barebones diy edition even before storage and ram is in the 1.2-1.5k range based on the processor. I find that a tough sell.
The mainboards are swappable at $400-1000 which means that if you like the chassis, your next upgrade would be considerably cheaper (and because the CAD files are available, you can easily buy or 3D print a case to use the old mainboard as a NUC). Although personally, the Framework doesn't seem so outside the pricing for the laptops I've been comparing it to anyway, tbt (in my case: ultrabooks that are Linux friendly with decent displays and that can get to 64GB of RAM) - the Slimbook Executive 14, Tuxedo Pulse 15 Gen2, Star Labs Starbook 14, are all around the same ballpark price. The HP Dev One is a bit cheaper, but on the flip side, the HP Elitebook 845 Gen9 is double the price.
As for the marketplace, the keyboard, trackpad, case components, battery, and displays are also easily replaceable/repairable, which certainly matters a lot to me and I'd imagine would matter a lot to people who are looking at being able to upgrade or keep using the laptop longer term, or that are concerned about value/TCO.
I think their are enough people that would be sold just on the "repairability" angle, but the modding culture stuff is cool too. I'm a big fan of some of the stuff happening, like this Eink display mod: https://www.youtube.com/watch?v=480xteW2wq4
I bought a Pinebook which was bricked almost instantly by a child gently tripping over a lead. The build quality was terrible, it wouldn't have happened with any other laptop I've owned in the last 15 years.
I should qualify this by saying that it happened on the day I first got the device. I was really excited to receive it, and it did everything hoped it would, but a gentle pull to the side on the power lead was enough to break internal components such that repair was out of the question, which is a real shame. This was one of the cheap 11" laptops, the bigger ones are probably better.
Yeah, I think Microsoft should get some slack here for selling Microsoft hardware that only runs Microsoft software.
If people want a general purpose PC that runs OSs other than Microsoft's, they should buy their hardware from a 3rd-party company that isn't Microsoft, who explicitly make a point of supporting other OSs.
This isn't going to be just Lenovo. Microsoft requires that the certificate in question is not part of the Secure Boot database for any device meeting/utilising the "Device Guard" functionality.
And as others have said, as long as you can enroll your own keys this isn't really a bad thing. It improves security by default for the default OS shipped with the device. You have to go away from the defaults to use Linux anyways, so one more toggle isn't going to kill anyone.
Do the USB 4 ports actually work as Thunderbolt 3 too?
I know the post is about the Z-series. Perhaps somebody already knows... It seems the AMD-based T14 Gen3 Thinkpads actually don't support Thunderbolt. Some people speculated, it is a firmware matter on AMDs side and will be added in the future but that doesn't sound reassuring at all to me. On the product pictures, you can clearly see the Thunderbolt lightning logos besides the USB-C ports but that doesn't mean anything.
Most Linux users are savvy enough to tinker with the BIOS for a couple of minutes and get rid of this thing. All this feature does is feed some MS / Lenovo exec power fantasy.
Which retains the high barrier of entry to Linux. Linux will never be mainstream as long as itself and the community primarily embrace tech savvies and nobody else
It may be a business opportunity. Order a bunch of Linux-unfriendly Lenovos, install Linux distro of choice, sell for a few <insert currency here> more.
True. But I think that is not a grab move but more a situation where they are competing with Apple on the security front (which for end users is a huge sales argument). And that competition with Apple and battle against hackers goes top-down everywhere.
99.9999999% of people will want Windows, if you are going to run a obscure OS then you would choose a machine that runs that best, so just don't buy one of these.
It's not up to hardware OEM's to support or even allow you to install some weird OS.
This attitude is kind of the ios-flavored "computers are appliances I license from the manufacturer at their pleasure" not "computers are general purpose devices I purchase and can then do what I want with"
Well as long as you know what you are buying when you buy it that is your choice.
You can't do whatever you want with most things that you buy and most consumers do not care like most hacker news readers do, people just want something that does the task they bought it for and don't need to tinker with it.
Most people buying a laptop don't really think of the OS is running, they just expect it to be Windows and assume that it is part of computer itself.
My Acer laptop has something similar, I tried to dual boot windows (preinstalled) and debian, debian couldnt see the hard drive no matter what I did. I'm assuming somehow Acer made it so the drive is only visable to windows
Windows Update is a delivery platform not just for OEM software, but also for component manufacturer software on self-built machines. Naturally, some of that software is shady as fuck.
Well, then let's just buy the good 'ol thinkpads and let lenovo go to hell. If they're good they reconsider that decision otherwise have to face the consequences.
There are very highly placed people at Lenovo (possibly as high as the CEO, but if not, only one or two notches down the org chart) who hate the amount of leverage Microsoft has over them due to the windows hegemony. And those people would love nothing more than to establish Linux as a replacement for Windows and kick MS in the teeth.
But.
Lenovo are between a rock and a hard place. Because today, whether they like it or not, Microsoft does have that leverage. And if Lenovo come out too forcefully in support of Linux (desktop Linux in particular), they risk having Microsoft screw them over. So as much as they might like to start shipping every laptop with Linux pre-installed tomorrow, they really can't. So they have to be selective and strategic about how much they push in that direction.
Source: was a Lenovo employee for a while up through 2019. Little was said about this internally through official channels, but it was all well known. I won't say any more or go into any more detail to avoid the risk of violating some NDA or something that might technically still be in effect or whatever.
I'm imagining it's a similar situation with Intel too, which explains why 90% of their models have Intel mobile processors, despite being outperformed by AMD.
Unfortunately Linux folks is a way too small market to influence these big corporations. We have to find better ways than "vote with your wallet", because our wallet is not even a blip.
You sponsor a company that SUPPORTS dual-booting instead of one that doesn't. That has double the effect of the price of your laptop: one company loses a sale, the other gains one.
While it is true for the general market, I think for Lenovo specifically the proportion of user buying at least Thinkpads because they're known good dev machines would push for a much higher proportion of Linux users.
Completely out of my hat but I would not be surprised if a good 20%/30% of Thinkpad users are Linux users.
The 3rd party UEFI CA key is implemented by the Shim, which is an attack vector. To be certified by default for the shim, the workflow is a github issue [0]. This is not necessarily bad, but a vector for social-engineering and more.
If an attacker is signed by the shim, he can execute trusted code on most machines without problems.
IMO it is better to leave this choice to the user to take this risk and enable the shim. Who installs linux should make this choice consciously
Booting via Shim will result in different PCR 7 values, which mean you can ensure that the OS won't boot if an attacker has subverted a signed version of Shim to execute Windows rather than the expected OS.
There's a meaningful distinction between "Linux doesn't support certain firmware functionality well" (as is still, sadly, the case for s0ix) and "Linux is literally unable to boot unless firmware configuration is modified", which is the case here
Lots of kerfuffle over nothing, and of course the most noise comes from the peculiar regulars, chanting about how Lenovo has to go away, or is not to be trusted etc.
The machine supports Linux. You may have to hop into the firmware settings first.
Its like they live in a bubble and have no idea that many developers choose Thinkpads not only because of build quality/keyboard but also because those work well with Linux.
Framework[0] is looking more and more attractive as my next machine.
Today, my daughter spilled orange juice on her Framework laptop. I was able to quickly disconnect the battery, unscrew everything and wipe all the juice. Laptop is working fine now, thanks to the Framework design.
A stark contrast with an HP laptop that died after the same daughter spilled sweet tea. There was no option for self-repair. It was possible to open the back lid and save the NVME, and that's pretty much it.
I once had a boss spill a banana smoothie/milkshake on a laptop, did much the same, stripped everything apart, washed everything off and left it to dry overnight before putting everything back together. (I remember not being too careful about it - after all, it was the boss's fault, and they can just get a new one if it's broken).
Surprisingly it all worked fine, apart from one thing... when attending meetings, they would turn the laptop ion at the start, and after about half an hour, someone would usually ask "Can anyone else smell banana?"
(I can't remember the model, but I think it was a small (like 10-12" or so) HP with an extremely slow, awful hard disk, maybe 1.8").
You are misattributing the blame and comparing sugar to oranges. Clearly, orange juice is a much more healthy drink, so spilling it results in less severe damage.
Yes, and even fresh-squeezed orange juice is pretty sugary, not to mention acidic. Maybe if it's super pulpy that could have something to do with slowing down liquid getting into crevices, but I doubt it.
It's a feasible hypothesis. But even if it was sweet tea again and some of the components died, I would have been able to replace them individually ([1]), instead of having to buy the whole new laptop.
Have had four generations of X-series Thinkpads as my daily drivers. Lenovo's build quality and customer service has deteriorated significantly over the years. Now have a 12th gen Framework on order.
I feel like Framework have an opportunity to capitalize on their momentum and build a ridiculously well built "Thinkpad-killer" machine and charge beyond premium for it and many devs would still pay up gladly. Just a hunch.
Nothing against the Framework (it'll likely be my next laptop) but there are plenty of other good Linux options as well now (in general, I don't think Thinkpads have been very good for a while since their battery and keyboards have gotten so much worse and they've switched to partially or fully soldered RAM on most models). There's the HP Dev One if you need a trackpoint, System76 and Star Labs with coreboot, Tuxedo or Slimbook for some really compellingly specced options (the Pulse 15 Gen2 and Slimbook Executive 14 both hit a lot of high-points for iGPU-only computing IMO).
My first laptop was a HP nx6230 - built like a tank with a fabulous keyboard. I really miss such machines. I checked out the Dev One. However, it doesn't seem to offer any configuration options and seems like a take-it-or-leave it pre-config (not sure if that is some location-specific thing).
There could be good reasons to switch from Thinkpad to Framework, but I think this 'issue' isn't one.
It's a setting that can easily be turned off in the BIOS UI. One could argue that this shouldn't be the default (and I would agree), but in practice this is a none issue.
The issue isn't that it can't be dealt with through BIOS; it is that this is not a particular Linux friendly stance to take. Also, if this makes Linux users worry about the things to come, say removal of this setting from BIOS, I don't think that is a completely unfounded fear.
To be fair I only recently switched from a T420 to a T480s and the build quality, especially the keyboard just feels a lot less great. Pretty sure they aren't MIL standard anymore either. Linux however still is no issue.
I bought one recently. First time in years I spent anything over 200 on a laptop (usually refurbish).
It's great in many ways but I just am very disappointed in the keyboard. It's really a lot less nice than the Thinkpad keyboards (even the new models). I wouldn't dream of buying Lenovo though.
I think they are great (I am using Pop!_OS currently). However, I think Framework jumped ahead of them with the modular port expansion cards and open design.
Considering Framework seem to be in tune with general developer sentiment, I'm hoping they spot the interest in AMD/Ryzen platform and expand their product line. Hopefully it is just a supply chain problem that is eventually solved.
While I share your optimism I doubt it’s just a supply chain issue. It’s entirely different board design, different thermal requirements, power draw, chipset, etc. Browse their community site for more context.. plenty of discussion on the topic.
No way, i thought laptop manufacturers were running a charity!
"...these anti consumer things." except AFAIK it's because of Thunderbolt and docking. Yes, USB 4 is a thing, but it has some differences.
I can confirm that on both Lenovo and Dell, you can boot and install Fedora and Ubuntu without issue, but Manjaro (Arch) requires disable secure boot first, and on Dell you need to also disable AHCI (Raid) inside windows first (if you intend to keep your windows partition) or just disable in bios.
Otherwise it all works on latest XPS and X1 Extreme.
"Note: The official installation image does not support Secure Boot (FS#53864). To successfully boot the installation medium you will need to disable Secure Boot."
If you're using Arch you're probably willing to set up SB with your own keys.
(Heck, I use my own keys on OpenSUSE even though my distro signs the kernel, because I want to use systemd-boot instead of mokutil since the latter is broken on my motherboard.)
Yes but then it's up to the device admin typically to enroll some additional keychain into the enclave. I only know 1 group using the "trust 3rd party" over "trust ours" because they don't want users sticking mint on the company Ubuntu machines.
This is about using Secure Boot, not disabling it. The author wants to boot third party software, signed by Microsoft, but Lenovo disabled this unless you go in the firmware settings: they only allow software from Microsoft, not signed by them for third parties. As said elsewhere in the thread, it has no real use, except maybe delaying an attacker by a few seconds (and then again, that attacker won't access any data, so…).
> hey only allow software from Microsoft, not signed by them for third parties.
Not the entire picture here, that option is a part of a more holistic set of measures Microsoft calls Device Guard (part of Secured Core)
> it has no real use, except maybe delaying an attacker by a few seconds (and then again, that attacker won't access any data, so…).
It does prevent potential abuse of the signed shim that's not very difficult to get signed by. E.g. nobody can install the signed shim to rootkit a Windows installation.
> It does prevent potential abuse of the signed shim that's not very difficult to get signed by. E.g. nobody can install the signed shim to rootkit a Windows installation.
How would that worked if combined with FDE + TPM ?
For the average user, FDE is unlikely to be enabled by default. But yes, Secure Boot's measurements with BitLocker would prevent this as well.
Though seeing a recovery screen will not inform you that your bootloader has been tampered with and by entering a recovery key you're basically authorizing the malware to run.
Without FDE, modification of the file system to create autoruns and system services is so easy that you wouldn't need to go through the effort of using a bootloader. Just pop out the storage device or boot a Windows install disk and run some software.
>As said elsewhere in the thread, it has no real use, except maybe delaying an attacker by a few seconds
Does this not assume that the bios is not password protected, old dell laptops you need to jump 2 pins on the motherboard to bypass password protected bios and reset it. Don't think this works on newer ones.
> Disabling UEFI Secure Boot has been step 1 for installing Linux for as long as UEFI had existed, hasn't it?
Do you also log in to a desktop shell as root? Use "hunter2" as your SSH password? Run every random thing you download from the Internet?
Almost every sensible distro has been supporting secure boot for ages, and on things like Ubuntu it should just work out of the box, without the user ever noticing unless they dug. This is what TFA is complaining about - Lenovo broke it.
There is a signed grub bootloader out there that can be exploited through a crafted configuration file to do basically anything. Trusting the third party certificate is essentially trusting anything, you may as well disable it.
This is part of the design problem of secure boot, it only works if everyone updates their trusted key sets and motherboard manufacturers aren't exactly known for their plentiful, easy to install, reliable updates.
Microsoft should obsiously add a setting to enable normal secure boot ("Windows only", "allow Linux", "off") but it's not as if secure boot is much of a safety system for your average Linux user. You can configure a whole secure boot chain in Linux but enforcing that requires a lot of work that's not easily accessible. You'll also need to ensure you hook into the right update functions so your nvidia/AMD proprietary drivers are signed correctly or you won't be able to boot with a working display.
Well Secure Boot is very far from perfect. Personally I think a TOFU scheme (preloaded with OEM's own signature) would do 99% of the job, while keeping it less painful for the "I just want to install Ubuntu/Arch/GrumpyLinux" crowd. The machine's boot menu should just prompt the user to trust a vendor's key (e.g. not-now/never/once/forever), before booting it for the first time.
My reaction is because through all the unnecessarily complicated security measures (like SELinux, UAC, Secure Boot, etc) we've taught people to run to google for "Disable Secure $WHATEVER", which is a good indicator that the technology has failed to actually secure anything.
The best security is invisible. OpenBSD gets it. There are no "how to disable pledge" blog posts, because 1. pledge(2)[0] can't be easily disabled (you'd probably need to make a custom patch for the kernel to make the syscall a no-op); 2. there is no user-visible difference to doing do, because as long as the program is doing what it's expected to do, pledge is 100% invisible. This is how e.g. Secure Boot should have worked from day one, for everyone.
I know I'm kinda contradicting my earlier post here, but there's no reason to disable Secure Boot in 2022 any more, even if it failed to provide the security guarantees it promised.
Complaining about something that takes 30min to read up on.
Unless there was so much FUD out there about security and signing this would just be a minor hurdle to learning how to do security properly.
Yes mom&pop will never do it. But frankly. MOM&POP NEVER USED AN UBUNTU DISK TO INSTALL A CUSTOM DISTRO. They just used the laptop as provided by a trusted 3rd party. That will never change.
Hit Enter or F1 at the red Lenovo boot screen, go into the BIOS settings and find the setting and change it.
Until someone confirms that there is no such BIOS setting, there is no story here.