Jump to content

  • Log In with Google      Sign In   
  • Create Account


#Actualsamoth

Posted 25 March 2013 - 11:45 AM

What worries me more than the missing start button or ugly UI is the DRM-BIOS that gets pushed onto people. If you buy a computer it should be your choice whats running on it and not of some company holding the key.

 

All secure boot does is require a signed binary to boot. There is nothing preventing you from providing your own certificate for whatever binaries you want, or to disable secure boot from bios entirely. This is just more FUD around Microsoft restricting your choices.

 

Except that is not true at all. To begin with, "safe boot" cannot be disabled on the ARM architecture at all according to "Windows Hardware Certification Requirements", unless the motherboard doesn't plan to certify as Windows compatible (very unlikely).

"ARM" includes not only 90% of all mobiles, but also future server/desktops that you maybe want to build when AMD's ARMv8 processors come out next year.

 

Also, the way how UEFI works is different. Refer to chapter 27 of the specification, which is not FUD around Microsoft, but reality.

 

Initially, the computer is in what the specification calls "setup mode", that is, there is no key installed. When the Windows 8 installer secretly, and without user consent, installs its certificate, the computer switches to "user mode".

Installation of another key in "user mode" is exclusively possible if that key has been signed by the installed key. Also, an installed key can only be removed by installing a zero key that must be signed by the installed key.

 

We are talking about a key signed by a key owned by Microsoft, not some arbitrary key from Verisign. An implementation that adheres to the UEFI standard and that is not "broken" is not allowed to do something else. Which means no more and no less than the concerns are very valid.


#1samoth

Posted 25 March 2013 - 11:45 AM

What worries me more than the missing start button or ugly UI is the DRM-BIOS that gets pushed onto people. If you buy a computer it should be your choice whats running on it and not of some company holding the key.

 

All secure boot does is require a signed binary to boot. There is nothing preventing you from providing your own certificate for whatever binaries you want, or to disable secure boot from bios entirely. This is just more FUD around Microsoft restricting your choices.

 

Except that is not true at all. To begin with, "safe boot" cannot be disabled on the ARM architecture at all according to "Windows Hardware Certification Requirements", unless the motherboard doesn't plan to certify as Windows compatible (very unlikely).

"ARM" includes not only 90% of all mobiles, but also a future server/desktops that you maybe want to build when AMD's ARMv8 processors come out next year.

 

Also, the way how UEFI works is different. Refer to chapter 27 of the specification, which is not FUD around Microsoft, but reality.

 

Initially, the computer is in what the specification calls "setup mode", that is, there is no key installed. When the Windows 8 installer secretly, and without user consent, installs its certificate, the computer switches to "user mode".

Installation of another key in "user mode" is exclusively possible if that key has been signed by the installed key. Also, an installed key can only be removed by installing a zero key that must be signed by the installed key.

 

We are talking about a key signed by a key owned by Microsoft, not some arbitrary key from Verisign. An implementation that adheres to the UEFI standard and that is not "broken" is not allowed to do something else. Which means no more and no less than the concerns are very valid.


PARTNERS