Bonum Certa Men Certa

Today in UEFI 'Secure' Boot Debates (the Frog is Already Boiling and Melting)

posted by Roy Schestowitz on May 28, 2024

Over at LQ today:

Quote:
Originally Posted by TheJooomes
That's the meaning I extracted from "no BIOS", "third party UEFI certificates have been disabled", and "The era of general purpose computing is drawing to a close". I haven't heard of cases that extreme before so I want more than a claim in a forum thread.

No problem. Here are two links, the first one via an archive in case m$ changes it:

"Secure the Windows boot process":

https://archive.is/q69Mx/again?url=h...0-boot-process

and "Using your own keys"
https://wiki.archlinux.org/title/Uni..._your_own_keys

Though the first one has a lot of weasel-wording it still makes the point. Notice that you have to actually parse the document:

Quote:
Configure UEFI to trust your custom bootloader. All Certified For Windows PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems.

The word "default" is not used specifically, yet the default is exactly what is being described.

Also, the gotcha there is certified. Those which are not certified and those which are certified but not in compliance are not going to permit that. Talk with people who deal with resale of used systems and you will get plenty of first-hand anecdotes; there are certainly such shops or individuals in your geographical area.

If you have not gone out of your way to follow trends in ICT lately then it would not be strange that you have not heard of third party certificates being disabled by default. Again, there was a lot of discussion and detailed analysis before UEFI was even rolled out. All that is buried somewhere in the search engines, assuming the pages are even still up.

Edit: See also:
Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party Certificate to be disabled by default. This means that for any of these Lenovo platforms shipped with Windows preinstalled an extra step is needed to allow Linux to boot with secure boot enabled.

UEFI + Secureboot was always just a lot of "security theatre" marketing for the gullible. For proprietary OS vendors, security is a feature which can be sold for profit. The aim was always to lock out alternative OS such as Linux. UEFI itself was dreamed up by a consortium of the x86 hardware/BIOS vendors, MS and Apple.

Those who still believe that Secureboot is really about security and preventing "evil maid" attacks need to pull their heads out of the sand. Business often invents the problem, then sells the solution and this was very similar, but not quite the same. It also came packaged with MS' anti-competitive, hostile agenda to destroy Linux - all dreamed up during the Steve "Linux is a cancer" Ballmer era.

It astounds me that users of FOSS operating systems who post on sites like this one happily walked down that path, eagerly supporting sellouts like Canonical and Red Hat, and are still parroting the marketing speak about Secureboot many years later. Many of these people were running Linux on hardware which was not configured for dual booting Windows 8.0/8.1, yet still they took great pride in running a UEFI-only system, disabling legacy boot, jumping through hoops to configure their OS to boot by this horrible, convoluted, broken and, ironically, insecure MS design, which even uses the antiquated MS FAT file system.

MS wants to ensure that only a Microsoft OS can boot from the bare metal; it has been paving the way for this for years. For Linux it has invested in WSL/WSL2 and it has lured people across with the convenience of that.

The TPM/TPM2 is a further assault on your freedom to install what you want to install on the hardware you paid for. It is one of the latest advances in "Trusted Computing", which is anything but trustworthy...

https://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

Quote:
There are some gotchas too. For example, TC can support remote censorship. In its simplest form, applications may be designed to delete pirated music under remote control. For example, if a protected song is extracted from a hacked TC platform and made available on the web as an MP3 file, then TC-compliant media player software may detect it using a watermark, report it, and be instructed remotely to delete it (as well as all other material that came through that platform). This business model, called traitor tracing, has been researched extensively by Microsoft (and others). In general, digital objects created using TC systems remain under the control of their creators, rather than under the control of the person who owns the machine on which they happen to be stored (as at present). So someone who writes a paper that a court decides is defamatory can be compelled to censor it - and the software company that wrote the word processor could be ordered to do the deletion if she refuses. Given such possibilities, we can expect TC to be used to suppress everything from pornography to writings that criticise political leaders.

Quote:
The gotcha for businesses is that your software suppliers can make it much harder for you to switch to their competitors' products. At a simple level, Word could encrypt all your documents using keys that only Microsoft products have access to; this would mean that you could only read them using Microsoft products, not with any competing word processor. Such blatant lock-in might be prohibited by the competition authorities, but there are subtler lock-in strategies that are much harder to regulate.

Quote:
12. Scary stuff. But can't you just turn it off?

Sure - unless your system administrator configures your machine in such a way that TC is mandatory, you can always turn it off. You can then run your PC as before, and use insecure applications.

There is one small problem, though. If you turn TC off, Fritz won't hand out the keys you need to decrypt your files and run your bank account. Your TC-enabled apps won't work as well, or maybe at all. It will be like switching from Windows to Linux nowadays; you may have more freedom, but end up having less choice. If the TC apps are more attractive to most people, or are more profitable to the app vendors, you may end up simply having to use them - just as many people have to use Microsoft Word because all their friends and colleagues send them documents in Microsoft Word. By 2008, you may find that the costs of turning TC off are simply intolerable.

In the world of "Big Tech", the words "trust", "security" and "privacy" don't mean what you think they mean.
